Skip to content

Make sure ssl is enabled if only :sslverify is set #889

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sodabrew merged 1 commit into from
Nov 14, 2017
Merged

Make sure ssl is enabled if only :sslverify is set #889

sodabrew merged 1 commit into from
Nov 14, 2017

Conversation

@rhafer
Copy link
Contributor

@rhafer rhafer commented Sep 20, 2017

Previously, when "sslverify: false/true" was the only ssl related
options passed to the constructor, the module skipped the call to
"mysql_ssl_set". It seems however that for some variants for the mysql
client libraries calling "mysql_ssl_set" is the only way to enable SSL
for the client connections. (E.g. the libraries shipped as part of
mariadb 10.1 still lack support for MYSQL_OPT_SSL_ENFORCE and
MYSQL_OPT_SSL_MODE)

This change allows enabling ssl with default values for all other
options by just passing "sslverify: true" or "sslverify: false" to the
constructor. (Depending on whether server certificate verification is
wanted or not)

@rhafer
Make sure ssl is enabled if only :sslverify is set
00ac056 
Previously, when "sslverify: false/true" was the only ssl related
options passed to the constructor, the module skipped the call to
"mysql_ssl_set". It seems however that for some variants for the mysql
client libraries calling "mysql_ssl_set" is the only way to enable SSL
for the client connections. (E.g. the libraries shipped as part of
mariadb 10.1 still lack support for MYSQL_OPT_SSL_ENFORCE and
MYSQL_OPT_SSL_MODE)

This change allows enabling ssl with default values for all other
options by just passing "sslverify: true" or "sslverify: false" to the
constructor. (Depending on whether server certificate verification is
wanted or not)
@jsuchome jsuchome mentioned this pull request Sep 20, 2017
Merged
@sodabrew
Copy link
Collaborator

sodabrew commented Sep 21, 2017

Based on my reading of https://dev.mysql.com/doc/refman/5.7/en/mysql-ssl-set.html if all of the arguments to mysql_ssl_set are NULL, then it is a no-op. I haven't confirmed if the actual client code matches the documentation on this point.

Based on https://dev.mysql.com/doc/refman/5.7/en/c-api-encrypted-connections.html the way to enforce SSL is to call mysql_options(... MYSQL_OPT_SSL_MODE ... SSL_MODE_REQUIRED).

@rhafer
Copy link
Contributor Author

rhafer commented Sep 21, 2017

Based on my reading of https://dev.mysql.com/doc/refman/5.7/en/mysql-ssl-set.html if all of the arguments to mysql_ssl_set are NULL, then it is a no-op. I haven't confirmed if the actual client code matches the documentation on this point.

This doesn't seem to be true for mariadb 10.1:
https://github.com/MariaDB/server/blob/10.1/sql-common/client.c#L1683

Even if it's called with all arguments NULL it still sets mysql->options.use_ssl= TRUE;

Based on https://dev.mysql.com/doc/refman/5.7/en/c-api-encrypted-connections.html the way to enforce SSL is to call mysql_options(... MYSQL_OPT_SSL_MODE ... SSL_MODE_REQUIRED).

Unfortunately mariadb 10.1 (which AFAIK is still officially maintained) doesn't have those options.

@sodabrew
Copy link
Collaborator

sodabrew commented Sep 21, 2017

Makes sense now! Thanks for linking to the relevant line of code in the driver.

jhesketh
jhesketh reviewed Sep 25, 2017
View reviewed changes
Copy link

@jhesketh jhesketh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm;

@rhafer
Copy link
Contributor Author

rhafer commented Oct 16, 2017

@sodabrew Hi. Is there any chance to get this merged?

@sodabrew sodabrew mentioned this pull request Nov 14, 2017
Open
sodabrew
sodabrew reviewed Nov 14, 2017
View reviewed changes
lib/mysql2/client.rb

ssl_options = opts.values_at(:sslkey, :sslcert, :sslca, :sslcapath, :sslcipher)
ssl_set(*ssl_options) if ssl_options.any?
ssl_set(*ssl_options) if ssl_options.any? || opts.key?(:sslverify)
Copy link
Collaborator

@sodabrew sodabrew Nov 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will turn on ssl even if the only flag is sslverify: false which doesn't quite make sense to me.

Copy link
Collaborator

@sodabrew sodabrew Nov 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think given #879 that ssl_set should be called if any value of :ssl_mode is set, too.

@sodabrew sodabrew merged commit cffb76d into brianmario:master Nov 14, 2017
@sodabrew sodabrew added this to the 0.4.10 milestone Nov 14, 2017
This was referenced Mar 16, 2018
Merged
Closed
Closed
Merged
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sodabrew sodabrew sodabrew left review comments

+1 more reviewer

@jhesketh jhesketh jhesketh left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

0.4.10

Development

Successfully merging this pull request may close these issues.

3 participants

@rhafer @sodabrew @jhesketh