From 1ebf0b737202ecb8c0e83e2813cb0038a872d196 Mon Sep 17 00:00:00 2001
From: Julius Goryavsky
Date: Wed, 19 Oct 2022 02:51:01 +0200
Subject: [PATCH] MDEV-29817: Issues with handling options for SSL CRLs (and some others)

This patch adds the correct setting of the "--tls-version" and "--ssl-verify-server-cert" options in the client-side utilities such as mysqltest, mysqlcheck and mysqlslap, as well as the correct setting of the "--ssl-crl" option when executing queries on the slave side, and also the correct option codes in the "sslopts-logopts.h" file (in the latter case, incorrect values are not a problem right now, but may cause subtle test failures in the future, if the option handling code changes).
---
 client/mysqlcheck.c | 3 +++
 client/mysqlslap.c | 3 +++
 client/mysqltest.cc | 1 +
 include/sslopt-longopts.h | 4 ++--
 sql/slave.cc | 6 +++---
 5 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/client/mysqlcheck.c b/client/mysqlcheck.c
index 1b15da4921a..3e341f13e5a 100644
--- a/client/mysqlcheck.c
+++ b/client/mysqlcheck.c
@@ -1105,7 +1105,10 @@ static int dbConnect(char *host, char *user, char *passwd)
 opt_ssl_capath, opt_ssl_cipher);
 mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
 mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+ mysql_options(&mysql_connection, MARIADB_OPT_TLS_VERSION, opt_tls_version);
 }
+ mysql_options(&mysql_connection, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ (char*)&opt_ssl_verify_server_cert);
 #endif
 if (opt_protocol)
 mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
diff --git a/client/mysqlslap.c b/client/mysqlslap.c
index f491bea6c79..8c65dccbb43 100644
--- a/client/mysqlslap.c
+++ b/client/mysqlslap.c
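Review bot: In dbConnect() (client/mysqlcheck.c) the added `MARIADB_OPT_TLS_VERSION` call is placed before the closing `}` while the added `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` call is placed after it, so the two options are applied under different conditions with no comment saying why; the hunk for set_mysql_connect_options() in client/mysqlslap.c has the same layout. The condition that opens the block lies outside the hunk (presumably the SSL-enabled flag), so please confirm that a --tls-version given on its own still reaches the library, since dropping it silently would allow a protocol version the user meant to rule out. A comment above the verify call such as `/* outside the block on purpose: verification must not depend on the other --ssl-* options */` would record the intent. The `(char*)` cast on `&opt_ssl_verify_server_cert` matches the `opt_protocol` line below it but hides the variable's type, which is declared outside this patch; the library reads this option as a boolean flag through the pointer, so the declared type is worth checking against that.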
@@ -303,7 +303,10 @@ void set_mysql_connect_options(MYSQL *mysql)
 opt_ssl_capath, opt_ssl_cipher);
 mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
 mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+ mysql_options(mysql, MARIADB_OPT_TLS_VERSION, opt_tls_version);
 }
+ mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ (char*)&opt_ssl_verify_server_cert);
 #endif
 if (opt_protocol)
 mysql_options(mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
diff --git a/client/mysqltest.cc b/client/mysqltest.cc
index 270b2681095..abaf3ebb416 100644
--- a/client/mysqltest.cc
+++ b/client/mysqltest.cc
@@ -9713,6 +9713,7 @@ int main(int argc, char **argv)
 opt_ssl_capath, opt_ssl_cipher);
 mysql_options(con->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
 mysql_options(con->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+ mysql_options(con->mysql, MARIADB_OPT_TLS_VERSION, opt_tls_version);
 #if MYSQL_VERSION_ID >= 50000
 /* Turn on ssl_verify_server_cert only if host is "localhost" */
 opt_ssl_verify_server_cert= opt_host && !strcmp(opt_host, "localhost");
diff --git a/include/sslopt-longopts.h b/include/sslopt-longopts.h
index d0278a1645d..ee90d17fb64 100644
--- a/include/sslopt-longopts.h
+++ b/include/sslopt-longopts.h
@@ -39,10 +39,10 @@ {"ssl-key", OPT_SSL_KEY, "X509 key in PEM format (implies --ssl).", &opt_ssl_key, &opt_ssl_key, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0}, - {"ssl-crl", OPT_SSL_KEY, "Certificate revocation list (implies --ssl).", + {"ssl-crl", OPT_SSL_CRL, "Certificate revocation list (implies --ssl).", &opt_ssl_crl, &opt_ssl_crl, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0}, - {"ssl-crlpath", OPT_SSL_KEY, + {"ssl-crlpath", OPT_SSL_CRLPATH, "Certificate revocation list path (implies --ssl).", &opt_ssl_crlpath, &opt_ssl_crlpath, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
diff --git a/sql/slave.cc b/sql/slave.cc
index c9d5c9ca3be..300e53bee1b 100644
--- a/sql/slave.cc
+++ b/sql/slave.cc
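Review bot: The context lines right after the added `MARIADB_OPT_TLS_VERSION` call in client/mysqltest.cc still assign `opt_ssl_verify_server_cert= opt_host && !strcmp(opt_host, "localhost");`, so a --ssl-verify-server-cert passed by the user is overwritten and has no effect there, unlike in the mysqlcheck and mysqlslap hunks. If the test driver should honour the option, the assignment could become `if (!opt_ssl_verify_server_cert) opt_ssl_verify_server_cert= opt_host && !strcmp(opt_host, "localhost");`; if the override is deliberate, the existing comment should say that the command-line value is ignored. main() and the `#if MYSQL_VERSION_ID >= 50000` block both continue past the end of the hunk, so how the flag is used afterwards is not visible here.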
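Review bot: Both changed entries in include/sslopt-longopts.h keep the help text "(implies --ssl)", but once their ids are `OPT_SSL_CRL` and `OPT_SSL_CRLPATH` that behaviour depends on the option-handling switch having cases for these two ids, and that code is not part of this patch. If the switch handles them differently from `OPT_SSL_KEY`, or not at all, then --ssl-crl given alone would no longer turn TLS on and the revocation list would never be consulted. Please confirm the cases exist in every client that includes this table, and consider a comment above the entries such as `/* every id in this table must also be listed where --ssl is switched on */`.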
@@ -7256,9 +7256,9 @@ static int connect_to_master(THD* thd, MYSQL* mysql, Master_info* mi,
 mi->ssl_ca[0]?mi->ssl_ca:0,
 mi->ssl_capath[0]?mi->ssl_capath:0,
 mi->ssl_cipher[0]?mi->ssl_cipher:0);
- mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
- &mi->ssl_verify_server_cert);
- mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH,
+ mysql_options(mysql, MYSQL_OPT_SSL_CRL,
+ mi->ssl_crl[0] ? mi->ssl_crl : 0);
+ mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH,
 mi->ssl_crlpath[0] ? mi->ssl_crlpath : 0);
 mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
 &mi->ssl_verify_server_cert);
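Review bot: Nothing in this patch checks that the replica now refuses a master whose certificate appears in the file named by `mi->ssl_crl`; the diffstat lists five source files and no test, and the removed lines show the verify option had been set twice in the place where the CRL call belongs, which is the kind of slip a regression test would catch. A test in which the master presents a revoked certificate and the replication connection must fail would pin the fix down. I would also add a comment above the two CRL calls, e.g. `/* empty string means "not configured": pass NULL, not "" */`, because the `x[0] ? x : 0` idiom is used five times in these lines without explanation. connect_to_master() begins and ends outside the hunk, so whether these calls sit under the SSL-enabled check cannot be confirmed from here.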