Commit graph

11 commits

Author SHA1 Message Date
Sergei Golubchik
1ef1bab99e MDEV-31855 validate ssl certificates using client password
if the client enabled --ssl-verify-server-cert, then
the server certificate is verified as follows:

* if --ssl-ca or --ssl-capath were specified, the cert must have
  a proper signature by the specified CA (or CA in the path)
  and the cert's hostname must match the server's hostname.
  If the cert isn't signed or a hostname is wrong - the
  connection is aborted.

* if MARIADB_OPT_TLS_PEER_FP was used and the fingerprint matches,
  the connection is allowed, if it doesn't match - aborted.

* If the connection uses unix socket or named pipes - it's allowed.
  (consistent with server's --require-secure-transport behavior)

Otherwise the cert is still in doubt: we don't know whether we can trust
it or there's an active MitM in progress.

* If the user has provided no password or the server requested an
  authentication plugin that sends the password in cleartext -
  the connection is aborted.

* Perform the authentication. If the server accepts the password,
  it'll send SHA2(scramble || password hash || cert fingerprint)
  with the OK packet.

* Verify the SHA2 digest, if it matches - the connection is allowed,
  otherwise it's aborted.
2024-02-04 22:18:55 +01:00
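As an added illustration (not code from this commit or from MariaDB) of the digest check in the last two bullets: the server binds its OK packet to its own certificate's fingerprint, so a client that recomputes the digest over the certificate it actually saw during the TLS handshake rejects a response relayed through an interposed certificate. Assumed, and marked as such in the code: SHA-256 for "SHA2", a mysql_native_password-style SHA1(SHA1(password)) as the "password hash", and a SHA-256 fingerprint over the DER-encoded certificate; all input bytes are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the real handshake (assumptions, not MariaDB's
# actual wire encoding):
#   - "SHA2" is taken to be SHA-256
#   - "password hash" is the mysql_native_password-style SHA1(SHA1(password))
#   - "cert fingerprint" is SHA-256 over the certificate's DER bytes
PASSWORD = b"correct horse battery staple"
SERVER_CERT_DER = b"constructed-der-bytes-of-the-real-server-cert"
MITM_CERT_DER = b"constructed-der-bytes-of-an-interposed-cert"


def password_hash(password: bytes) -> bytes:
    """Double SHA-1, as stored by mysql_native_password (assumed here)."""
    return hashlib.sha1(hashlib.sha1(password).digest()).digest()


def cert_fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 fingerprint of a DER certificate (assumed fingerprint form)."""
    return hashlib.sha256(cert_der).digest()


def ok_packet_digest(scramble: bytes, pw_hash: bytes, fingerprint: bytes) -> bytes:
    """SHA2(scramble || password hash || cert fingerprint), sent with OK."""
    return hashlib.sha256(scramble + pw_hash + fingerprint).digest()


def server_side(scramble: bytes, stored_hash: bytes, own_cert_der: bytes) -> bytes:
    # The server knows the stored password hash and its own certificate.
    return ok_packet_digest(scramble, stored_hash, cert_fingerprint(own_cert_der))


def client_accepts(scramble: bytes, password: bytes, seen_cert_der: bytes,
                   received_digest: bytes) -> bool:
    # The client recomputes the digest over the certificate *it* saw in the
    # TLS handshake. An interposed certificate yields a different fingerprint,
    # and without the password hash nobody else can recompute the digest.
    expected = ok_packet_digest(scramble, password_hash(password),
                                cert_fingerprint(seen_cert_der))
    return hmac.compare_digest(expected, received_digest)


def demo():
    scramble = secrets.token_bytes(20)
    digest = server_side(scramble, password_hash(PASSWORD), SERVER_CERT_DER)
    direct = client_accepts(scramble, PASSWORD, SERVER_CERT_DER, digest)
    relayed = client_accepts(scramble, PASSWORD, MITM_CERT_DER, digest)
    return direct, relayed  # (True, False)
```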
Otto Kekäläinen
f74704c7d9 MDEV-18019, MDEV-18135: Renew test OpenSSL certs at level 3 security
Touch attribute file to fix errors like:
  Can't open ./demoCA/index.txt.attr for reading,
  No such file or directory
  140553384993216:error:02001002:system library:
  fopen:No such file or directory:../crypto/bio/bss_file.c:72:
  fopen('./demoCA/index.txt.attr','r')
  140553384993216:error:2006D080:BIO routines:
  BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
  Check that the request matches the signature
2021-04-11 07:49:35 -07:00
Georg Richter
92df31dfbf Added new file client-certkey.pem for testing CONC-386:
client-certkey.pem contains both certificate and corresponding
private key.
2019-06-02 13:12:39 +02:00
Oleksandr Byelkin
8cbb14ef5d Merge branch '10.1' into 10.2 2019-05-04 17:04:55 +02:00
Vladislav Vaintroub
e116f11f0a MDEV-18131 MariaDB does not verify IP addresses from subject alternative names

Added a call to X509_check_ip_asc() in case server_hostname represents
an IP address.
2019-04-28 12:49:59 +02:00
Sergei Golubchik
8d47d9ed88 SSL test fixes
* fix CRL tests to work
* regenerate certificates to be at least 2048 bit
  (fixes buster and rhel8 in buildbot)
* update generate-ssl-cert.sh to generate crl files
* make all SSL tests use certificates generated
  in generate-ssl-cert.sh, remove unused certificates

Backport from 10.4 9c60535f86
2019-03-01 12:41:05 -05:00
Sergei Golubchik
1b27c25473 MDEV-10594 SSL hostname verification fails for SubjectAltNames
use X509_check_host for OpenSSL 1.0.2+
This adds:
* support for subjectAltNames
* wildcards
* sub-domain matching
2017-04-27 19:12:44 +02:00
Sergei Golubchik
0636637e37 regenerate SSL certificates again
and make sure that the private CA key is not deleted at the end of
the procedure, so that we could generate additional certificates
any time without regenerating everything
2017-04-27 19:12:44 +02:00
Sergey Vojtovich
fa137476ff MDEV-11941 - Lintian complains about executable bits
Revoked executable bit from files that are not supposed to be executed directly.
Removed interpreter from files that are not supposed to be executed directly.
Added interpreter to files that are supposed to be executed directly.
2017-03-07 22:28:33 +04:00
Sergei Golubchik
18215dd9fa MDEV-7859 SSL hostname verification fails for long subject names
Don't use a fixed buffer for X509_NAME_oneline() in the client.
Do as the server does - allocate it dynamically.

For a test - regenerate certificates to have the server cert with
a long subject.
2015-04-27 15:42:12 +02:00
Sergei Golubchik
5f63c9c067 recreate expired certificates for SSL tests
added a script to regenerate certificates easily in the future (2035!)
restored server8k-key.pem to actually be an 8K key, as it was supposed to be
2015-01-29 14:34:31 +01:00