change how self-signed certs are accepted by internal client

use SSL_VERIFY_PEER with the "always ok" callback, instead of SSL_VERIFY_NONE with no callback. The latter doesn't work correctly in wolfSSL, it accepts self-signed certificates just fine (as in OpenSSL), but after that SSL_get_verify_result() returns X509_V_OK, while it returns an error (e.g. X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) in OpenSSL.
MariaDB · Feb 4, 2024 · 2f13f7d · 2f13f7d
1 parent 05a421e
commit 2f13f7d
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
@@ -457,6 +457,10 @@ new_VioSSLFd(const char *key_file, const char *cert_file, const char *ca_file,
   DBUG_RETURN(0);
 }
 
+int always_ok(int preverify, X509_STORE_CTX* store)
+{
+    return 1;
+}
 
 /************************ VioSSLConnectorFd **********************************/
 struct st_VioSSLFd *
@@ -466,14 +470,14 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
                       const char *crl_file, const char *crl_path)
 {
   struct st_VioSSLFd *ssl_fd;
-  int verify= SSL_VERIFY_PEER;
+  int (*cb)(int, X509_STORE_CTX *) = NULL;
 
   /*
-    Turn off verification of servers certificate if both
-    ca_file and ca_path is set to NULL
+    Don't abort when the certificate cannot be verified if neither
+    ca_file nor ca_path were set.
   */
   if ((ca_file == 0 || ca_file[0] == 0) && (ca_path == 0 || ca_path[0] == 0))
-    verify= SSL_VERIFY_NONE;
+    cb= always_ok;
 
   /* Init the VioSSLFd as a "connector" ie. the client side */
   if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ca_path, cipher,
@@ -482,8 +486,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
     return 0;
   }
 
-  SSL_CTX_set_verify(ssl_fd->ssl_context, verify, NULL);
-
+  SSL_CTX_set_verify(ssl_fd->ssl_context, SSL_VERIFY_PEER, cb);
   return ssl_fd;
 }