Gareth Palmer
2013-Nov-21 22:35 UTC
[Dovecot] [PATCH] lib-sql/driver-mysql.c - Add support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT
Hello,

The following patch adds support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT.

It makes the mysql client library check that the commonName in the server's SSL certificate matches the host name provided to mysql_real_connect() and aborts the connection if the name doesn't match.

An example connect string would look something like:

connect = ... ssl-ca=/path/to/ca.cert ssl-verify-server-cert=yes

By default the mysql client library does not perform this check.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl-verify-server-cert-20131106.patch
Type: text/x-patch
Size: 4655 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20131122/01c168af/attachment.bin>
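The patch itself was scrubbed from the archive, so here is an added example (not Dovecot's code and not the posted patch) of the two halves the mail describes: parsing the `ssl-ca` and `ssl-verify-server-cert` keys out of a Dovecot-style `connect` string, and handing the result to libmysqlclient with `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` before `mysql_real_connect()`. The key names come from the mail; the struct and function names, the `HAVE_MYSQL_H` guard, and the policy of rejecting `ssl-verify-server-cert=yes` when no `ssl-ca` is given are this example's own assumptions. The sample connect string is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#ifdef HAVE_MYSQL_H
#include <mysql.h>   /* only compiled where the client library is present */
#endif

/* Hypothetical option struct; real Dovecot keeps these in its own driver state. */
struct sql_conn_opts {
	char host[128];
	char ssl_ca[256];
	bool ssl_verify_server_cert;
};

/* Accept the usual boolean spellings for a setting value. */
static bool parse_bool(const char *v, bool *out)
{
	if (strcasecmp(v, "yes") == 0 || strcmp(v, "1") == 0) { *out = true;  return true; }
	if (strcasecmp(v, "no") == 0  || strcmp(v, "0") == 0) { *out = false; return true; }
	return false;
}

/* Parse "key=value key=value ..." into opts.
 * Returns 0 on success, -1 on a malformed or unsafe configuration. */
int parse_connect_string(const char *connect, struct sql_conn_opts *opts)
{
	char buf[512];
	char *save = NULL, *tok;

	memset(opts, 0, sizeof(*opts));
	if (strlen(connect) >= sizeof(buf))
		return -1;
	strcpy(buf, connect);

	for (tok = strtok_r(buf, " \t", &save); tok != NULL;
	     tok = strtok_r(NULL, " \t", &save)) {
		char *eq = strchr(tok, '=');
		if (eq == NULL)
			return -1;            /* every token must be key=value */
		*eq = '\0';
		const char *key = tok, *val = eq + 1;

		if (strcmp(key, "host") == 0) {
			if (strlen(val) >= sizeof(opts->host)) return -1;
			strcpy(opts->host, val);
		} else if (strcmp(key, "ssl-ca") == 0) {
			if (strlen(val) >= sizeof(opts->ssl_ca)) return -1;
			strcpy(opts->ssl_ca, val);
		} else if (strcmp(key, "ssl-verify-server-cert") == 0) {
			if (!parse_bool(val, &opts->ssl_verify_server_cert)) return -1;
		}
		/* other keys (user, password, dbname, ...) are ignored in this example */
	}

	/* Example's own policy: a name check without a trust anchor cannot
	 * establish anything, so treat verify=yes without ssl-ca as a config error. */
	if (opts->ssl_verify_server_cert && opts->ssl_ca[0] == '\0')
		return -1;
	return 0;
}

#ifdef HAVE_MYSQL_H
/* Where the flag is applied: both calls must precede mysql_real_connect().
 * my_bool is the 5.x-era client type; MySQL 8.0 headers use plain bool. */
static int apply_ssl_opts(MYSQL *mysql, const struct sql_conn_opts *opts)
{
	if (opts->ssl_ca[0] != '\0')
		mysql_ssl_set(mysql, NULL, NULL, opts->ssl_ca, NULL, NULL);
	if (opts->ssl_verify_server_cert) {
		my_bool verify = 1;
		return mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
	}
	return 0;
}
#endif

int main(void)
{
	/* constructed sample connect string */
	const char *cs = "host=db.example.org ssl-ca=/path/to/ca.cert ssl-verify-server-cert=yes";
	struct sql_conn_opts o;

	if (parse_connect_string(cs, &o) != 0) {
		fprintf(stderr, "bad connect string\n");
		return 1;
	}
	printf("host=%s ssl-ca=%s verify-server-cert=%s\n",
	       o.host, o.ssl_ca, o.ssl_verify_server_cert ? "yes" : "no");
	return 0;
}
```

The parser is the part that runs anywhere; the `apply_ssl_opts()` body shows the ordering that matters in practice, since options set after `mysql_real_connect()` have no effect on the connection already made.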
Timo Sirainen
2013-Nov-21 22:42 UTC
[Dovecot] [PATCH] lib-sql/driver-mysql.c - Add support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT
On 22.11.2013, at 0.35, Gareth Palmer <gareth at acsdata.co.nz> wrote:

> The following patch adds support for enabling
> MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
>
> It makes the mysql client library check that the commonName in the
> server's SSL certificate matches the host name provided to
> mysql_real_connect() and aborts the connection if the name doesn't
> match.
>
> An example connect string would look something like:
>
> connect = ... ssl-ca=/path/to/ca.cert ssl-verify-server-cert=yes
>
> By default the mysql client library does not perform this check.

If someone goes through the trouble of using SSL with MySQL .. should this even be optional? I guess I shouldn't break any v2.2 installations even accidentally, but for v2.3 I don't really see any point of not having this enabled unconditionally.