
Commit 4ef7497

committed
MDEV-7937: Enforce SSL when --ssl client option is used
Using --ssl-verify-server-cert and --ssl[-*] implies that an SSL connection is required. The mysql client now prints an error if SSL is required but the server cannot handle an SSL connection.
1 parent 56e2d83 commit 4ef7497


1 file changed

+19
-4
lines changed


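--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1801,6 +1801,7 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
 mysql->options.ssl_ca= strdup_if_not_null(ca);
 mysql->options.ssl_capath= strdup_if_not_null(capath);
 mysql->options.ssl_cipher= strdup_if_not_null(cipher);
+mysql->options.use_ssl= TRUE;
 #endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
 DBUG_RETURN(0);
 }
@@ -2491,13 +2492,10 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
 mysql->client_flag|= CLIENT_MULTI_RESULTS;
 
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
-if (mysql->options.ssl_key || mysql->options.ssl_cert ||
-mysql->options.ssl_ca || mysql->options.ssl_capath ||
-mysql->options.ssl_cipher)
-mysql->options.use_ssl= 1;
 if (mysql->options.use_ssl)
 mysql->client_flag|= CLIENT_SSL;
 #endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY*/
+
 if (mpvio->db)
 mysql->client_flag|= CLIENT_CONNECT_WITH_DB;
 
@@ -2526,6 +2524,23 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
 end= buff+5;
 }
 #ifdef HAVE_OPENSSL
+
+/*
+If client uses ssl and client also has to verify the server
+certificate, a ssl connection is required.
+If the server does not support ssl, we abort the connection.
+*/
+if (mysql->options.use_ssl &&
+(mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) &&
+!(mysql->server_capabilities & CLIENT_SSL))
+{
+set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
+ER(CR_SSL_CONNECTION_ERROR),
+"SSL is required, but the server does not "
+"support it");
+goto error;
+}
+
 if (mysql->client_flag & CLIENT_SSL)
 {
 /* Do the SSL layering. */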
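Review bot: The new abort in the third hunk fires only when `CLIENT_SSL_VERIFY_SERVER_CERT` is also set, so a client that asked for `--ssl` without `--ssl-verify-server-cert` still falls back silently to a plaintext connection when `server_capabilities` lacks `CLIENT_SSL`, which is narrower than the commit title "Enforce SSL when --ssl client option is used" suggests. If that fallback is intended, the block comment should state it, e.g. `Without --ssl-verify-server-cert a server lacking CLIENT_SSL falls back to plaintext.`; otherwise drop the `(mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) &&` line so `use_ssl` alone is enforced. `server_capabilities` is presumably taken from the server's unauthenticated handshake packet, so this check is what keeps a peer that omits `CLIENT_SSL` from downgrading a verifying client; the comment would be clearer if it said so rather than only "the server does not support ssl". send_client_reply_packet begins and ends outside the hunk.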
