not logged
Errors encountered during initialization of the SSL subsystem
are printed to stderr, rather than to the error log.
This patch adds a parameter to several SSL init functions to
report the error (if any) out to the caller. The function
init_ssl() in mysqld.cc is moved after the initialization of
the log subsystem, so that any error messages can be logged to
the error log. Printing of messages to stderr has been
retained to get diagnostic output in a client context.
The problem is that the read and write methods of the shared
memory transport (protocol) didn't react to asynchronous close
events, which could lead to a lock up as the client would wait
(until time out) for a server response that will never come.
The solution is to also wait for close events while waiting
for I/O from or to the server.
- Remove bothersome warning messages. This change focuses on the warnings
that are covered by the ignore file: support-files/compiler_warnings.supp.
- Strings are guaranteed to be max uint in length
- Merge sslaccept and sslconnect.
- Atomically "reset" vio to VIO_TYPE_SSL when the SSL connection has
succeeded, this avoids having to revert anything and thus protects
against "close_active_vio" in the middle.
- Add some variance to the testcase
Added an option to yassl to allow "quiet shutdown" like openssl does. This option causes the SSL libs to NOT perform the close_notify handshake during shutdown. This fixes a hang we experience because we hold a lock during socket shutdown.
- The "mysql client in mysqld"(which is used by
replication and federated) should use alarms instead of setting
socket timeout value if the rest of the server uses alarm. By
always calling 'my_net_set_write_timeout'
or 'my_net_set_read_timeout' when changing the timeout value(s), the
selection whether to use alarms or timeouts will be handled by
ifdef's in those two functions.
- Move declaration of 'vio_timeout' into "vio_priv.h"
- Change check for return value of 'SSL_CTX_set_cipher_list'
in order to handle 0 as error setting cipher.
- Thanks to Dan Lukes for finding the problem!
- Turn off verification of peer if both ca_path and ca_file is null
i.e from only passing --ssl-key=<client_key> and --ssl-cert=<client_cert>
to the mysql utility programs.
The server will authenticate the client accoring to GRANT tables
but the client won't authenticate the server
- It's too early to free the SSL object in 'vio_ssl_close'. There
might still be a thread using or reading from it on platforms
where we need to close the active connection/socket in order
to break the read.
- Add new function 'vio_ssl_delete' and install it as the viodelete
function for SSL connections.
Corrected spelling in copyright text
Makefile.am:
Don't update the files from BitKeeper
Many files:
Removed "MySQL Finland AB & TCX DataKonsult AB" from copyright header
Adjusted year(s) in copyright header
Many files:
Added GPL copyright text
Removed files:
Docs/Support/colspec-fix.pl
Docs/Support/docbook-fixup.pl
Docs/Support/docbook-prefix.pl
Docs/Support/docbook-split
Docs/Support/make-docbook
Docs/Support/make-makefile
Docs/Support/test-make-manual
Docs/Support/test-make-manual-de
Docs/Support/xwf
(Mostly in DBUG_PRINT() and unused arguments)
Fixed bug in query cache when used with traceing (--with-debug)
Fixed memory leak in mysqldump
Removed warnings from mysqltest scripts (replaced -- with #)
- Most likely caused by linking with libmysqlclient using gcc and not g++.
- Removing our "yassl_dummy_link_fix" hacks so some test programs are linked
with gcc
- Remove build of non working test programs in vio
- Fix memory leak in vio_VioSSLFD that occurs when one of the calls to SSL_* function fails. As in the "ssl_des"
test case where the server is currently not supposed to be able to read the specific cert/key file.
- Change error message to be generic as it's called both from server and client code.
Socket timeouts in client library were used only on Windows.
The solution is to use socket timeouts in client library on all
systems were they are supported.
No test case is provided because it is impossible to simulate network
failure in current test suit.
- Include prefix files that renames all public functions in yaSSLs
OpenSSL API to ya<function_name>. They will otherwise conflict
with OpenSSL functions if loaded by an application that uses OpenSSL
as well as libmysqlclient with yaSSL support.
- Add new function 'ssl_verify_server_cert' which is used if we are
connecting to the server with SSL. It will compare the hostname in
the server's cert against the hostname that we used when connecting
to the server. Will reject the connection if hostname does not match.
- Add new option "OPT_SSL_VERIFY_SERVER_CERT" to be passed to mysql_options
which will turn on checking of servers cert.
- Add new argument "ssl-verify-server-cert" to all mysql* clients which
will activate the above option.
- Generate a new server cert with 1024 bits that has "localhost" as the server name.