
Use native host check from OpenSSL #196

Closed
wants to merge 1 commit into
base: 8.0
from

@dveeden

dveeden commented Feb 4, 2018

This results in support for Subject Alternative Name
Bug #68052 | SSL Certificate Subject ALT Names with IPs not respected with --ssl-verify-serve

To completely fix the above, a call to X509_check_ip would also be needed.

Note that X509_check_host(3) says:
"Applications are encouraged to use X509_VERIFY_PARAM_set1_host() rather than explicitly calling X509_check_host(3)."
Which is described on https://wiki.openssl.org/index.php/Hostname_validation

However to use X509_VERIFY_PARAM_set1_host() we need to do that just before
creating the connection. That should be done in ssl_do() which is called from
sslconnect(). But then ssl_do() needs to know the ssl_mode and hostname, which
it currently doesn't. Note that ssl_verify_server_cert() is called when the
connection is already created.

Use native host check from OpenSSL
This results in support for Subject Alternative Name
https://bugs.mysql.com/bug.php?id=68052

Note that https://www.openssl.org/docs/manmaster/man3/X509_check_host.html says:
"Applications are encouraged to use X509_VERIFY_PARAM_set1_host() rather than explicitly calling X509_check_host(3)."
Which is described on https://wiki.openssl.org/index.php/Hostname_validation

However to use X509_VERIFY_PARAM_set1_host() we need to do that just before
creating the connection. That should be done in ssl_do() which is called from
sslconnect(). But then ssl_do() needs to know the ssl_mode and hostname, which
it currently doesn't. Note that ssl_verify_server_cert() is called when the
connection is already created.
@mysql-oca-bot


mysql-oca-bot commented Feb 5, 2018

Hi, thank you for your contribution. Please confirm this code is submitted under the terms of the OCA (Oracle's Contribution Agreement) you have previously signed by cutting and pasting the following text as a comment:
"I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it."
Thanks

@dveeden


dveeden commented Feb 5, 2018

I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

@mysql-oca-bot


mysql-oca-bot commented Feb 7, 2018

Hi, thank you for your contribution. Your code has been assigned to an internal queue. Please follow
bug http://bugs.mysql.com/bug.php?id=89578 for updates.
Thanks
