MDEV-27105 --ssl option set as default for mariadb CLI

but without server cert verification

Author: vuvova

client/mysqltest.cc

@@ -6118,12 +6118,8 @@ void do_connect(struct st_command *command)
     mysql_options(con_slot->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
     mysql_options(con_slot->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
     mysql_options(con_slot->mysql, MARIADB_OPT_TLS_VERSION, opt_tls_version);
-#if MYSQL_VERSION_ID >= 50000
-    /* Turn on ssl_verify_server_cert only if host is "localhost" */
-    opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost");
     mysql_options(con_slot->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                   &opt_ssl_verify_server_cert);
-#endif
   }
 #endif
 
@@ -9849,12 +9845,8 @@ int main(int argc, char **argv)
 		  opt_ssl_capath, opt_ssl_cipher);
     mysql_options(con->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
     mysql_options(con->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
-#if MYSQL_VERSION_ID >= 50000
-    /* Turn on ssl_verify_server_cert only if host is "localhost" */
-    opt_ssl_verify_server_cert= opt_host && !strcmp(opt_host, "localhost");
     mysql_options(con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                   &opt_ssl_verify_server_cert);
-#endif
   }
 #endif
 

include/sslopt-longopts.h

@@ -21,7 +21,7 @@
 
   {"ssl", OPT_SSL_SSL,
    "Enable SSL for connection (automatically enabled with other flags).",
-   &opt_use_ssl, &opt_use_ssl, 0, GET_BOOL, OPT_ARG, 0, 0, 0, 0, 0, 0},
+   &opt_use_ssl, &opt_use_ssl, 0, GET_BOOL, OPT_ARG, 1, 0, 0, 0, 0, 0},
   {"ssl-ca", OPT_SSL_CA,
    "CA file in PEM format (check OpenSSL docs, implies --ssl).",
    &opt_ssl_ca, &opt_ssl_ca, 0, GET_STR, REQUIRED_ARG,

include/sslopt-vars.h

@@ -22,7 +22,7 @@
 #else
 #define SSL_STATIC static
 #endif
-SSL_STATIC my_bool opt_use_ssl   = 0;
+SSL_STATIC my_bool opt_use_ssl   = 1;
 SSL_STATIC char *opt_ssl_ca      = 0;
 SSL_STATIC char *opt_ssl_capath  = 0;
 SSL_STATIC char *opt_ssl_cert    = 0;

mysql-test/main/openssl_1.test

@@ -72,7 +72,7 @@ drop table t1;
 # Handle that openssl gives different error messages from YaSSL.
 --replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/
 --error 1
---exec $MYSQL_TEST --ssl-ca=$MYSQL_TEST_DIR/std_data/untrusted-cacert.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
+--exec $MYSQL_TEST --ssl-verify-server-cert --ssl-ca=$MYSQL_TEST_DIR/std_data/untrusted-cacert.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
 --echo
 
 #

mysql-test/main/ssl_7937,nossl.result

@@ -12,4 +12,10 @@ mysql --ssl-ca=cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()"
 ERROR 2026 (HY000): SSL connection error: SSL is required, but the server does not support it
 mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
 ERROR 2026 (HY000): SSL connection error: SSL is required, but the server does not support it
+#
+# MDEV-27105 --ssl option set as default for mariadb CLI
+#
+mysql -e "call test.have_ssl()"
+have_ssl
+no
 drop procedure have_ssl;

mysql-test/main/ssl_7937.result

@@ -13,4 +13,10 @@ have_ssl
 yes
 mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
 ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate
+#
+# MDEV-27105 --ssl option set as default for mariadb CLI
+#
+mysql -e "call test.have_ssl()"
+have_ssl
+yes
 drop procedure have_ssl;

mysql-test/main/ssl_7937.test

@@ -23,4 +23,10 @@ create procedure have_ssl()
 --echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
 --replace_regex /SSL connection error.*certificate[^\n]*/SSL connection error: Failed to verify the server certificate/
 --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
+
+--echo #
+--echo # MDEV-27105 --ssl option set as default for mariadb CLI
+--echo #
+--echo mysql -e "call test.have_ssl()"
+--exec $MYSQL -e "call test.have_ssl()"
 drop procedure have_ssl;