Set ssl_mode for Oracle MySQL if applicable.

perl5-dbi · Mar 19, 2017 · 558959a · 558959a
1 parent a8e1750
commit 558959a
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 9 deletions.
diff --git a/dbdimp.c b/dbdimp.c
@@ -2052,16 +2052,14 @@ MYSQL *mysql_dr_connect(
 	    char *ca_path = NULL;
 	    char *cipher = NULL;
 	    STRLEN lna;
-#if MYSQL_VERSION_ID >= SSL_VERIFY_VERSION && MYSQL_VERSION_ID <= SSL_LAST_VERIFY_VERSION
-            /*
-              New code to utilise MySQLs new feature that verifies that the
-              server's hostname that the client connects to matches that of
-              the certificate
-            */
+#ifdef MYSQL_SSL_MODE
+            unsigned int ssl_mode = SSL_MODE_PREFERRED;
+#endif
+            /* Verify if the hostname we connect to matches the hostname in the certificate */
 	    my_bool ssl_verify_true = 0;
 	    if ((svp = hv_fetch(hv, "mysql_ssl_verify_server_cert", 28, FALSE))  &&  *svp)
 	      ssl_verify_true = SvTRUE(*svp);
-#endif
+
 	    if ((svp = hv_fetch(hv, "mysql_ssl_client_key", 20, FALSE)) && *svp)
 	      client_key = SvPV(*svp, lna);
 
@@ -2083,11 +2081,33 @@ MYSQL *mysql_dr_connect(
 
 	    mysql_ssl_set(sock, client_key, client_cert, ca_file,
 			  ca_path, cipher);
-#if MYSQL_VERSION_ID >= SSL_VERIFY_VERSION && MYSQL_VERSION_ID <= SSL_LAST_VERIFY_VERSION
+#ifdef MYSQL_SSL_MODE
+            if (ssl_verify_true)
+              ssl_mode = SSL_MODE_VERIFY_IDENTITY;
+            else if (ca_file && (strlen(ca_file) > 0))
+              ssl_mode = SSL_MODE_VERIFY_CA;
+            else if (ca_path && (strlen(ca_path) > 0))
+              ssl_mode = SSL_MODE_VERIFY_CA;
+	    mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode);
+#elif MYSQL_VERSION_ID >= SSL_VERIFY_VERSION && MYSQL_VERSION_ID <= SSL_LAST_VERIFY_VERSION || MYSQL_VERSION_ID >= MARIADB_VERSION_10
 	    mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &ssl_verify_true);
+#if MYSQL_VERSION_ID >= SSL_ENFORCE_VERSION && MYSQL_VERSION_ID <= SSL_LAST_ENFORCE_VERSION
+            /* Only needed for Oracle MySQL 5.7 if MYSQL_OPT_SSL_MODE is not available */
+	    mysql_options(sock, MYSQL_OPT_SSL_ENFORCE, &ssl_verify_true);
+#endif
+#else
+            die("Can't enable strict certificate checks");
 #endif
 	    client_flag |= CLIENT_SSL;
+#ifdef MYSQL_SSL_MODE
 	  }
+          else
+          {
+            /* mysql_ssl=0 */
+            unsigned int ssl_mode = SSL_MODE_DISABLED;
+            mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode);
+#endif
+          }
 	}
 #endif
 #if (MYSQL_VERSION_ID >= 32349)

diff --git a/dbdimp.h b/dbdimp.h
@@ -61,12 +61,17 @@
 #define NEW_DATATYPE_VERSION 50003
 #define SSL_VERIFY_VERSION 50023
 #define SSL_LAST_VERIFY_VERSION 50799
+#define SSL_ENFORCE_VERSION 50703
+#define SSL_LAST_ENFORCE_VERSION 50799
 #define MYSQL_VERSION_5_0 50001
+#define MARIADB_VERSION_10 100000
 /* This is to avoid the ugly #ifdef mess in dbdimp.c */
 #if MYSQL_VERSION_ID < SQL_STATE_VERSION
 #define mysql_sqlstate(svsock) (NULL)
 #endif
-
+#if MYSQL_VERSION_ID > 50710 && MYSQL_VERSION_ID < MARIADB_VERSION_10
+#define MYSQL_SSL_MODE
+#endif
 /*
  * This is the versions of libmysql that supports MySQL Fabric.
 */