mysql_set_ssl(0, 0, 0, 0, 0, 0);
], [
AC_DEFINE(HAVE_MYSQL_SSL_CIPHER,, Define if your MySQL library supports setting cipher)
+
+ AC_TRY_COMPILE([
+ $ssl_define
+ #include <mysql.h>
+ ], [
+ int i = MYSQL_OPT_SSL_VERIFY_SERVER_CERT;
+ ], [
+ AC_DEFINE(HAVE_MYSQL_SSL_VERIFY_SERVER_CERT,, Define if your MySQL library supports verifying the name in the SSL certificate)
+ ])
])
])
# host, port, user, password, dbname
#
# But also adds some new settings:
-# client_flags - See MySQL manual
-# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
-# ssl_cert, ssl_key - For sending client-side certificates to server
-# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
-# option_file - Read options from the given file instead of
-# the default my.cnf location
-# option_group - Read options from the given group (default: client)
+# client_flags - See MySQL manual
+# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
+# ssl_cert, ssl_key - For sending client-side certificates to server
+# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
+# ssl_verify_server_cert - Verify that the name in the server SSL certificate
+# matches the host (default: no)
+# option_file - Read options from the given file instead of
+# the default my.cnf location
+# option_group - Read options from the given group (default: client)
#
# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
# Note that currently you can't use spaces in parameters.
pool_t pool;
const char *user, *password, *dbname, *host, *unix_socket;
const char *ssl_cert, *ssl_key, *ssl_ca, *ssl_ca_path, *ssl_cipher;
+ int ssl_verify_server_cert;
const char *option_file, *option_group;
unsigned int port, client_flags;
time_t last_success;
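Review bot: The new field is declared `int ssl_verify_server_cert;`, but a later hunk passes its address to `mysql_options()` for `MYSQL_OPT_SSL_VERIFY_SERVER_CERT`, whose argument the MySQL C API documents as `my_bool *`, a one-byte type. The library would then read only the first byte of the int, so on a big-endian target a stored 1 would presumably be seen as 0 and name verification would stay off without any error. Keeping the parsed setting as it is and converting at the call site avoids this: `my_bool verify = db->ssl_verify_server_cert != 0;` followed by `mysql_options(db->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);`. The struct definition starts and ends outside this hunk.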
, db->ssl_cipher
#endif
);
+#ifdef HAVE_MYSQL_SSL_VERIFY_SERVER_CERT
+ mysql_options(db->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ &db->ssl_verify_server_cert);
+#endif
db->ssl_set = TRUE;
#else
i_fatal("mysql: SSL support not compiled in "
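Review bot: When `HAVE_MYSQL_SSL_VERIFY_SERVER_CERT` is not defined, the added `#ifdef` block compiles to nothing, so a configuration with `ssl_verify_server_cert=yes` connects without the name check and nothing is logged. A security setting the build cannot honour should fail closed, for example with an `#else` branch: `if (db->ssl_verify_server_cert) i_fatal("mysql: ssl_verify_server_cert not supported by the MySQL client library");`. The return value of `mysql_options()` is also discarded here; a non-zero result means the option was not applied and should be treated as an error too. The enclosing function starts and ends outside the hunk.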
const char **field;
db->ssl_cipher = "HIGH";
+ db->ssl_verify_server_cert = 0; /* FIXME: change to 1 for v2.3 */
args = t_strsplit_spaces(connect_string, " ");
for (; *args != NULL; args++) {
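Review bot: The default `db->ssl_verify_server_cert = 0;` carries only a FIXME, which does not tell a maintainer what is at stake while the default stays off. Going by the option's description on this page, with verification off the name in the server certificate is not compared against the host, so enabling SSL via `ssl_ca` alone does not bind the connection to the intended server. I would extend the comment to say that, e.g. `/* off for backwards compatibility: the certificate name is not matched against host unless ssl_verify_server_cert=yes. FIXME: change to 1 for v2.3 */`. The function body continues outside the hunk.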
field = &db->ssl_ca_path;
else if (strcmp(name, "ssl_cipher") == 0)
field = &db->ssl_cipher;
- else if (strcmp(name, "option_file") == 0)
+ else if (strcmp(name, "ssl_verify_server_cert") == 0) {
+ if (strcmp(value, "yes") == 0)
+ db->ssl_verify_server_cert = 1;
+ else if (strcmp(value, "no") == 0)
+ db->ssl_verify_server_cert = 0;
+ else
+ i_fatal("mysql: Invalid boolean: %s", value);
+ } else if (strcmp(name, "option_file") == 0)
field = &db->option_file;
else if (strcmp(name, "option_group") == 0)
field = &db->option_group;