Fix for CONC-635: Disable TLS/SSL for named pipe/shared mem

Since the server doesn't support secure connections for shared memory and named pipe connections but indicates this capability by setting the CLIENT_SSL flag, we unset this flag in case the connection uses shared memory or named pipe.
mariadb-corporation · Apr 5, 2023 · 5a94570 · 5a94570
1 parent 2740335
commit 5a94570
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/plugins/auth/my_auth.c b/plugins/auth/my_auth.c
@@ -200,8 +200,6 @@ static int send_change_user_packet(MCPVIO_EXT *mpvio,
   return res;
 }
 
-
-
 static int send_client_reply_packet(MCPVIO_EXT *mpvio,
                                     const uchar *data, int data_len)
 {
@@ -237,6 +235,16 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
        to unset CLIENT_CONNECT_WITH_DB flag */
     mysql->client_flag&= ~CLIENT_CONNECT_WITH_DB;
 
+  /* CONC-635: For connections via named pipe or shared memory the server
+               indicates the capability for secure connections (TLS), but
+               doesn't support it. */
+  if ((mysql->server_capabilities & CLIENT_SSL) &&
+      (mysql->net.pvio->type == PVIO_TYPE_NAMEDPIPE ||
+       mysql->net.pvio->type == PVIO_TYPE_SHAREDMEM))
+  {
+    mysql->server_capabilities &= ~(CLIENT_SSL);
+  }
+
   /* if server doesn't support SSL and verification of server certificate
      was set to mandatory, we need to return an error */
   if (mysql->options.use_ssl && !(mysql->server_capabilities & CLIENT_SSL))