
Commit c038bcb

Bug #11747191: 31224: SUPPORT FOR SSL CERTIFICATE REVOCATION LISTS
Added support for --ssl-crl and --ssl-crlpath to all client and server binaries that work with OpenSSL. You can specify none, one or both of the above. --ssl-crl takes a file path for a PEM-encoded certificate revocation list. The relevant file is parsed and loaded into the X509 store of the SSL context. --ssl-crlpath takes a directory path. This directory must contain PEM-encoded CRL (or other) files that are named by their hash value, e.g. <hash_value>.r[0-9]. See OpenSSL's X509_STORE_load_locations() for more details of the above. Note that if none of the --ssl-crl* options is specified no CRL checks will be performed, even if the --ssl-capath directory contains certificate revocation lists. Added Master_SSL_crl and Master_SSL_CRLPATH to the CHANGE MASTER command. Added new columns Ssl_crl and Ssl_crlpath to the mysql.slave_master_info system table. Reengineered mysql_ssl_set() in the C API into a number of mysql_options calls as follows (while keeping mysql_ssl_set()): mysql_ssl_set(mysql, key, cert, ca, capath, cipher) { mysql_options(mysql, MYSQL_OPT_SSL_KEY, key) mysql_options(mysql, MYSQL_OPT_SSL_CERT, cert) mysql_options(mysql, MYSQL_OPT_SSL_CA, ca) mysql_options(mysql, MYSQL_OPT_SSL_CAPATH, capath) mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher) } Added two new mysql_options that correspond to the command line options: MYSQL_OPT_SSL_CRL and MYSQL_OPT_SSL_CRLPATH. Made sure these play nicely with the ABI by using the extension. Added tests and a set of cryptographic keys and CRLs to test the new options. Extended the mtr ssl check to find the new tests. Made sure that on yaSSL these options are a no-op for the server.
1 parent 2999683 commit c038bcb

56 files changed

Lines changed: 759 additions & 40 deletions


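--- a/client/client_priv.h
+++ b/client/client_priv.h
@@ -90,6 +90,7 @@ enum options_client
 OPT_RAW_OUTPUT, OPT_WAIT_SERVER_ID, OPT_STOP_NEVER,
 OPT_BINLOG_ROWS_EVENT_MAX_SIZE,
 OPT_BINARY_MODE,
+OPT_SSL_CRL, OPT_SSL_CRLPATH,
 OPT_MAX_CLIENT_OPTION
 };
 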
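--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -4446,8 +4446,12 @@ sql_real_connect(char *host,char *database,char *user,char *password,
 mysql_options(&mysql,MYSQL_OPT_LOCAL_INFILE, (char*) &opt_local_infile);
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
 if (opt_use_ssl)
+{
 mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 opt_ssl_capath, opt_ssl_cipher);
+mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
+mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+}
 mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
 (char*)&opt_ssl_verify_server_cert);
 #endif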
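Review bot: The two new mysql_options() calls discard their return value, so if the client library rejects MYSQL_OPT_SSL_CRL or MYSQL_OPT_SSL_CRLPATH (for instance a libmysql that does not know the option, or a failure while copying the path) the connection still goes ahead with no revocation checking and the user is never told — a silent downgrade of exactly the check --ssl-crl was added to provide. The existing mysql_ssl_set() call has the same shape, but the CRL is worth failing loudly on: `if (mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl) ||` / `    mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath))` followed by reporting the error and taking the same failure path sql_real_connect uses for a refused connection. Whether mysql_options() can actually fail for these options is not visible in this hunk and should be checked against the libmysql side of the commit. sql_real_connect begins before this hunk and ends after it.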

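--- a/client/mysqladmin.cc
+++ b/client/mysqladmin.cc
@@ -342,8 +342,12 @@ int main(int argc,char *argv[])
 }
 #ifdef HAVE_OPENSSL
 if (opt_use_ssl)
+{
 mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 opt_ssl_capath, opt_ssl_cipher);
+mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
+mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+}
 mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
 (char*)&opt_ssl_verify_server_cert);
 #endif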
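Review bot: opt_ssl_crl and opt_ssl_crlpath are handed to mysql_options() even when the user gave neither --ssl-crl nor --ssl-crlpath, i.e. as NULL pointers; whether mysql_options() tolerates NULL for these string options and treats it as "not set" rather than copying from a NULL is not visible in this hunk and should be confirmed against the libmysql side of the commit. If it does not, guard each call: `if (opt_ssl_crl) mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);` and likewise for the path. Either way the block deserves a comment so the next reader knows the behaviour the commit message describes, e.g. `/* CRL options are optional; with neither set no revocation check is performed */`. main() continues outside the hunk.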

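--- a/client/mysqlcheck.c
+++ b/client/mysqlcheck.c
@@ -837,8 +837,12 @@ static int dbConnect(char *host, char *user, char *passwd)
 mysql_options(&mysql_connection, MYSQL_OPT_COMPRESS, NullS);
 #ifdef HAVE_OPENSSL
 if (opt_use_ssl)
+{
 mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 opt_ssl_capath, opt_ssl_cipher);
+mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
+mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+}
 #endif
 if (opt_protocol)
 mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);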
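Review bot: The new SSL block here is closed directly by `#endif`, with no MYSQL_OPT_SSL_VERIFY_SERVER_CERT call such as mysql.cc, mysqladmin.cc, mysqldump.c, mysqlimport.c and mysqlshow.c set in their hunks, so a CRL gives mysqlcheck revocation checking while the server certificate is still not tied to the host name the user connected to — if mysqlcheck really has no --ssl-verify-server-cert option, which this hunk alone cannot confirm. That gap predates the commit, but since the commit already reworks every client's SSL setup it is the natural moment to close it, by wiring `mysql_options(&mysql_connection, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert);` the way the other clients do. dbConnect continues outside the hunk.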

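--- a/client/mysqldump.c
+++ b/client/mysqldump.c
@@ -1469,8 +1469,12 @@ static int connect_to_db(char *host, char *user,char *passwd)
 mysql_options(&mysql_connection,MYSQL_OPT_COMPRESS,NullS);
 #ifdef HAVE_OPENSSL
 if (opt_use_ssl)
+{
 mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 opt_ssl_capath, opt_ssl_cipher);
+mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
+mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+}
 mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
 (char*)&opt_ssl_verify_server_cert);
 #endif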
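Review bot: The same four lines — mysql_ssl_set() followed by the two CRL mysql_options() calls — are now pasted verbatim into mysqldump.c, mysql.cc, mysqladmin.cc, mysqlcheck.c, mysqlimport.c, mysqlshow.c and mysqlslap.c, each under its own `if (opt_use_ssl)`, which is how the clients drift apart (mysqlcheck.c and mysqlslap.c already differ from the rest on the verify-server-cert line). A small helper next to the shared sslopt-* option tables, taking the MYSQL handle, would turn the next SSL option into a one-line change and keep the OpenSSL wiring identical across binaries; the sketch below shows the helper and the call site here. connect_to_db begins and ends outside the hunk.
```c
/* Apply every --ssl-* option the client parsed, CRL ones included, to a handle. */
static void set_ssl_options(MYSQL *con)
{
  mysql_ssl_set(con, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
                opt_ssl_capath, opt_ssl_cipher);
  mysql_options(con, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
  mysql_options(con, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}

/* … unchanged: connect_to_db up to the HAVE_OPENSSL block … */
  if (opt_use_ssl)
    set_ssl_options(&mysql_connection);
```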

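--- a/client/mysqlimport.c
+++ b/client/mysqlimport.c
@@ -428,8 +428,12 @@ static MYSQL *db_connect(char *host, char *database,
 (char*) &opt_local_file);
 #ifdef HAVE_OPENSSL
 if (opt_use_ssl)
+{
 mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 opt_ssl_capath, opt_ssl_cipher);
+mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
+mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+}
 mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
 (char*)&opt_ssl_verify_server_cert);
 #endif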

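--- a/client/mysqlshow.c
+++ b/client/mysqlshow.c
@@ -115,8 +115,12 @@ int main(int argc, char **argv)
 mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS);
 #ifdef HAVE_OPENSSL
 if (opt_use_ssl)
+{
 mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 opt_ssl_capath, opt_ssl_cipher);
+mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
+mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+}
 mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
 (char*)&opt_ssl_verify_server_cert);
 #endif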

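--- a/client/mysqlslap.c
+++ b/client/mysqlslap.c
@@ -332,8 +332,12 @@ int main(int argc, char **argv)
 mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS);
 #ifdef HAVE_OPENSSL
 if (opt_use_ssl)
+{
 mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 opt_ssl_capath, opt_ssl_cipher);
+mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
+mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+}
 #endif
 if (opt_protocol)
 mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);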

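--- a/client/mysqltest.cc
+++ b/client/mysqltest.cc
@@ -5403,6 +5403,8 @@ void do_connect(struct st_command *command)
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
 mysql_ssl_set(&con_slot->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 opt_ssl_capath, opt_ssl_cipher);
+mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
+mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
 #if MYSQL_VERSION_ID >= 50000
 /* Turn on ssl_verify_server_cert only if host is "localhost" */
 opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost");
@@ -8443,6 +8445,8 @@ int main(int argc, char **argv)
 {
 mysql_ssl_set(&con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 opt_ssl_capath, opt_ssl_cipher);
+mysql_options(&con->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
+mysql_options(&con->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
 #if MYSQL_VERSION_ID >= 50000
 /* Turn on ssl_verify_server_cert only if host is "localhost" */
 opt_ssl_verify_server_cert= opt_host && !strcmp(opt_host, "localhost");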

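--- a/include/mysql.h
+++ b/include/mysql.h
@@ -167,7 +167,10 @@ enum mysql_option
 MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,
 MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
 MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH,
-MYSQL_OPT_BIND
+MYSQL_OPT_BIND,
+MYSQL_OPT_SSL_KEY, MYSQL_OPT_SSL_CERT,
+MYSQL_OPT_SSL_CA, MYSQL_OPT_SSL_CAPATH, MYSQL_OPT_SSL_CIPHER,
+MYSQL_OPT_SSL_CRL, MYSQL_OPT_SSL_CRLPATH
 };
 
 /**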
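Review bot: The seven new enumerators are appended after MYSQL_OPT_BIND, which keeps every existing value of enum mysql_option stable for the ABI, but the public header gives a caller no hint of what argument these options take, and there is no warning that the CRL pair may do nothing depending on the SSL library the client was built against (the commit message says they are a no-op for the server under yaSSL; whether the client library behaves the same is not visible here). Suggest a comment above MYSQL_OPT_SSL_KEY along the lines of `/* Arguments are const char* (file/directory paths, cipher list for SSL_CIPHER); SSL_CRL/SSL_CRLPATH require OpenSSL — confirm they are ignored by yaSSL builds */`, with the yaSSL half verified before it goes in. A one-line reminder that further options must be appended after MYSQL_OPT_SSL_CRLPATH and never inserted before it would also protect the ABI guarantee the commit message relies on.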
