Initial support
tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL
not working on Windows with native SChannel support, due to wrong cipher
mapping: Latter one requires push of CONC-241 fixes.
Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if
the build succeeds, test cases will fail with various errors, especially
when using different tls libraries or versions for client and server.
Don't use a fixed buffer for X509_NAME_oneline() in the client.
Do as the server does - allocate it dynamically.
For a test - regenerate certificates to have the server cert with
a long subject.
CONNECTIONS IF SPE
Problem description: -ssl-key value is not validated, you can assign any bogus
text to --ssl-key and it is not verified that it exists, and more importantly,
it allows the client to connect to mysqld.
Fix: Added proper validations checks for --ssl-key.
Note:
1) Documentation changes require for 5.1, 5.5, 5.6 and trunk in the sections
listed below and the details are :
http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html#option_general_ssl
and
REQUIRE SSL section of
http://dev.mysql.com/doc/refman/5.6/en/grant.html
2) Client having with option '--ssl', should able to get ssl connection. This
will be implemented as part of separate fix in 5.6 and trunk.
CONNECTIONS IF SPE
Problem description: -ssl-key value is not validated, you can assign any bogus
text to --ssl-key and it is not verified that it exists, and more importantly,
it allows the client to connect to mysqld.
Fix: Added proper validations checks for --ssl-key.
Note:
1) Documentation changes require for 5.1, 5.5, 5.6 and trunk in the sections
listed below and the details are :
http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html#option_general_ssl
and
REQUIRE SSL section of
http://dev.mysql.com/doc/refman/5.6/en/grant.html
2) Client having with option '--ssl', should able to get ssl connection. This
will be implemented as part of separate fix in 5.6 and trunk.
SSL errors on client and now more specific to aid end-user
with debugging. Also restructures error handling for
compliance with SSL docs.
include/violite.h:
new_VioSSLConnectorFd/sslaccept/sslconnect return more elaborate status
libmysql/errmsg.c:
SSL errors now extended, more specific
mysql-test/r/openssl_1.result:
SSL errors now extended, more specific
sql-common/client.c:
Do more detailed error reporting for setup, connect, and
server cert verifying phases.
sql/sql_acl.cc:
sslaccept() signature has changed
vio/viossl.c:
Save the error code and return it to callers of sslaccept
and sslconnect.
vio/viosslfactories.c:
new_VioSSLConnectorFd(): return error code to caller
The problem is that the server failed to follow the rule that
every X509 object retrieved using SSL_get_peer_certificate()
must be explicitly freed by X509_free(). This caused a memory
leak for builds linked against OpenSSL where the X509 object
is reference counted -- improper counting will prevent the
object from being destroyed once the session containing the
peer certificate is freed.
The solution is to explicitly free every X509 object used.
mysql-test/r/openssl_1.result:
Add test case result for Bug#42158
mysql-test/t/openssl_1.test:
Add test case for Bug#42158
sql/sql_acl.cc:
Deallocate X509 objects.
The problem is that the server failed to follow the rule that
every X509 object retrieved using SSL_get_peer_certificate()
must be explicitly freed by X509_free(). This caused a memory
leak for builds linked against OpenSSL where the X509 object
is reference counted -- improper counting will prevent the
object from being destroyed once the session containing the
peer certificate is freed.
The solution is to explicitly free every X509 object used.
mysqldump included character_set_client magic
that is unknown before 4.1 even when asked for
an appropriate compatibility mode.
In compatibility (3.23, 4.0) mode, we do not
output charset statements (not even in a
"comment conditional"), nor do we do magic on
the server, even if the server is sufficient
new (4.1+). Table-names will be output converted
to the charset requested by mysqldump; if such
a conversion is not possible (Ivrit -> Latin),
mysqldump will fail.
mysqldump included character_set_client magic
that is unknown before 4.1 even when asked for
an appropriate compatibility mode.
In compatibility (3.23, 4.0) mode, we do not
output charset statements (not even in a
"comment conditional"), nor do we do magic on
the server, even if the server is sufficient
new (4.1+). Table-names will be output converted
to the charset requested by mysqldump; if such
a conversion is not possible (Ivrit -> Latin),
mysqldump will fail.
mysqldump included character_set_client magic
that is unknown before 4.1 even when asked for
an appropriate compatibility mode.
In compatibility (3.23, 4.0) mode, we do not
output charset statements (not even in a
"comment conditional"), nor do we do magic on
the server, even if the server is sufficient
new (4.1+). Table-names will be output converted
to the charset requested by mysqldump; if such
a conversion is not possible (Ivrit -> Latin),
mysqldump will fail.
client/mysqldump.c:
in 3.23/4.0 compat mode, don't do charset magic,
period. not in output, but not on the server,
either!
mysql-test/r/mysqldump-max.result:
character_set_client magic lives in version-conditional
now (except in compat 3.23/4.0 mode, in which case we
don't output any at all!).
mysql-test/r/mysqldump.result:
character_set_client magic lives in version-conditional
now (except in compat 3.23/4.0 mode, in which case we
don't output any at all!).
mysql-test/r/openssl_1.result:
character_set_client magic lives in version-conditional
now (except in compat 3.23/4.0 mode, in which case we
don't output any at all!).
mysql-test/t/mysqldump.test:
character_set_client magic lives in version-conditional
now (except in compat 3.23/4.0 mode, in which case we
don't output any at all!).
mysqldump included character_set_client magic
that is unknown before 4.1 even when asked for
an appropriate compatibility mode.
In compatibility (3.23, 4.0) mode, we do not
output charset statements (not even in a
"comment conditional"), nor do we do magic on
the server, even if the server is sufficient
new (4.1+). Table-names will be output converted
to the charset requested by mysqldump; if such
a conversion is not possible (Ivrit -> Latin),
mysqldump will fail.
Re-generated the PKI files needed.
Removed the ones that are not needed.
Updated the tests to reference the correct SSL subject.
mysql-test/r/openssl_1.result:
Bug #42366: Updated the tests to reference the correct SSL subject
mysql-test/std_data/cacert.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/std_data/client-cert.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/std_data/client-key.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/std_data/server-cert-des.pem:
Bug #42366: Removed the ones that are not needed.
mysql-test/std_data/server-cert.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/std_data/server-key-des.pem:
Bug #42366: Removed the ones that are not needed.
mysql-test/std_data/server-key.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/std_data/server8k-cert.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/std_data/server8k-key.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/t/openssl_1.test:
Bug #42366: Updated the tests to reference the correct SSL subject
using crashes server
When the server is configured to use a RSA key, and when the client sends
a cipher-suite list that contains a non-RSA key as acceptable, the server
would try to process that key even though it was impossible.
Now, yaSSL sets its own acceptable-cipher list according to what kind of
key the server is started with, and will never explore and try to pair
impossible combinations.
This involves a partial import of the current YaSSL tree, not the whole
thing, so as to try to avoid introducing new bugs.
(Updated to avoid many whitespace changes and make diff smaller.)
using crashes server
When the server is configured to use a RSA key, and when the client sends
a cipher-suite list that contains a non-RSA key as acceptable, the server
would try to process that key even though it was impossible.
Now, yaSSL sets its own acceptable-cipher list according to what kind of
key the server is started with, and will never explore and try to pair
impossible combinations.
This involves a partial import of the current YaSSL tree, not the whole
thing, so as to try to avoid introducing new bugs.
(Updated to avoid many whitespace changes and make diff smaller.)
into ibm.:/home/alik/Documents/MySQL/devel/5.1-rt-merge
mysql-test/r/mysqldump-max.result:
Auto merged
mysql-test/r/openssl_1.result:
Auto merged
mysql-test/t/show_check.test:
Auto merged
sql/sp.cc:
Auto merged
sql/sql_yacc.yy:
Auto merged
client/mysqldump.c:
Manual merge.
mysql-test/r/mysqldump.result:
Manual merge + use local.
binary SHOW CREATE TABLE or SELECT FROM I_S.
The problem is that mysqldump generates incorrect dump for a table
with non-ASCII column name if the mysqldump's character set is
ASCII.
The fix is to:
1. Switch character_set_client for the mysqldump's connection
to binary before issuing SHOW CREATE TABLE statement in order
to avoid conversion.
2. Dump switch character_set_client statements to UTF8 and back
for CREATE TABLE statement.
client/mysqldump.c:
1. Switch character_set_client for the mysqldump's connection
to binary before issuing SHOW CREATE TABLE statement in order
to avoid conversion.
2. Dump switch character_set_client statements to UTF8 and back
for CREATE TABLE statement.
mysql-test/r/mysqldump-max.result:
Update result file.
mysql-test/r/mysqldump.result:
Update result file.
mysql-test/r/openssl_1.result:
Update result file.
mysql-test/r/show_check.result:
Update result file.
mysql-test/t/show_check.test:
Test case:
- create a table with non-ASCII column name;
- dump the database by mysqldump using ASCII character set;
- drop the database;
- load the dump;
- check that the table has been re-created properly.
binary SHOW CREATE TABLE or SELECT FROM I_S.
The problem is that mysqldump generates incorrect dump for a table
with non-ASCII column name if the mysqldump's character set is
ASCII.
The fix is to:
1. Switch character_set_client for the mysqldump's connection
to binary before issuing SHOW CREATE TABLE statement in order
to avoid conversion.
2. Dump switch character_set_client statements to UTF8 and back
for CREATE TABLE statement.
mysql-test/r/compress.result:
result fix
mysql-test/r/information_schema.result:
result fix
mysql-test/r/openssl_1.result:
result fix
mysql-test/r/rpl_packet.result:
result fix
mysql-test/r/status.result:
result fix
