From 09d0ffb0ddfbebb4a04b377b9f879c05749de54f Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Mon, 9 Dec 2013 00:02:58 +0200 Subject: [PATCH] mysql: Added ssl_verify_server_cert=no|yes parameter. To make sure we don't break existing installations, default to "no". For v2.3 it should default to "yes". Patch by Gareth Palmer --- configure.ac | 9 +++++++++ doc/example-config/dovecot-sql.conf.ext | 16 +++++++++------- src/lib-sql/driver-mysql.c | 15 ++++++++++++++- 3 files changed, 32 insertions(+), 8 deletions(-) diff --git a/configure.ac b/configure.ac index d602fc8fe7..8cdb654a46 100644 --- a/configure.ac +++ b/configure.ac @@ -2287,6 +2287,15 @@ if test $want_mysql != no; then mysql_set_ssl(0, 0, 0, 0, 0, 0); ], [ AC_DEFINE(HAVE_MYSQL_SSL_CIPHER,, Define if your MySQL library supports setting cipher) + + AC_TRY_COMPILE([ + $ssl_define + #include + ], [ + int i = MYSQL_OPT_SSL_VERIFY_SERVER_CERT; + ], [ + AC_DEFINE(HAVE_MYSQL_SSL_VERIFY_SERVER_CERT,, Define if your MySQL library supports verifying the name in the SSL certificate) + ]) ]) ]) diff --git a/doc/example-config/dovecot-sql.conf.ext b/doc/example-config/dovecot-sql.conf.ext index 77e8187181..a434244885 100644 --- a/doc/example-config/dovecot-sql.conf.ext +++ b/doc/example-config/dovecot-sql.conf.ext 
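Review bot: The new AC_TRY_COMPILE is nested inside the success action of the HAVE_MYSQL_SSL_CIPHER probe (it sits between that AC_DEFINE and the `])` that closes the cipher check), so HAVE_MYSQL_SSL_VERIFY_SERVER_CERT can only ever be defined when the six-argument mysql_set_ssl probe also passes; a library that has MYSQL_OPT_SSL_VERIFY_SERVER_CERT but fails the cipher probe would silently lose the verification option. Moving the new probe out to the same level as the cipher probe decouples the two checks. Testing only that the enum constant exists is sufficient for the driver's `#ifdef`, so that part is fine. The enclosing `if test $want_mysql != no` block starts before and ends after the hunk.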
@@ -47,13 +47,15 @@
 # host, port, user, password, dbname
 #
 # But also adds some new settings:
-# client_flags - See MySQL manual
-# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
-# ssl_cert, ssl_key - For sending client-side certificates to server
-# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
-# option_file - Read options from the given file instead of
-# the default my.cnf location
-# option_group - Read options from the given group (default: client)
+# client_flags - See MySQL manual
+# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
+# ssl_cert, ssl_key - For sending client-side certificates to server
+# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
+# ssl_verify_server_cert - Verify that the name in the server SSL certificate
+# matches the host (default: no)
+# option_file - Read options from the given file instead of
+# the default my.cnf location
+# option_group - Read options from the given group (default: client)
 #
 # You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
 # Note that currently you can't use spaces in parameters.
diff --git a/src/lib-sql/driver-mysql.c b/src/lib-sql/driver-mysql.c
index 31c2c84278..41ca9aa925 100644
--- a/src/lib-sql/driver-mysql.c
+++ b/src/lib-sql/driver-mysql.c
@@ -28,6 +28,7 @@ struct mysql_db {
 pool_t pool;
 const char *user, *password, *dbname, *host, *unix_socket;
 const char *ssl_cert, *ssl_key, *ssl_ca, *ssl_ca_path, *ssl_cipher;
+ int ssl_verify_server_cert;
 const char *option_file, *option_group;
 unsigned int port, client_flags;
 time_t last_success;
@@ -104,6 +105,10 @@ static int driver_mysql_connect(struct sql_db *_db)
 , db->ssl_cipher
 #endif
 );
+#ifdef HAVE_MYSQL_SSL_VERIFY_SERVER_CERT
+ mysql_options(db->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ &db->ssl_verify_server_cert);
+#endif
 db->ssl_set = TRUE;
 #else
 i_fatal("mysql: SSL support not compiled in "
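Review bot: `&db->ssl_verify_server_cert` in the driver_mysql_connect hunk passes an `int *` to `mysql_options()`, but the MySQL C API documents the `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` argument as `my_bool *` (a char-sized type), so the library reads only the first byte of the int and on a big-endian host `ssl_verify_server_cert=yes` silently behaves as `no`; copy into a correctly typed local first, `my_bool verify = db->ssl_verify_server_cert != 0;` and pass `&verify` (or declare the field added in the `struct mysql_db` hunk as `my_bool`, or `bool` on libraries that dropped that typedef). The `#ifdef` also means a library without the option accepts `ssl_verify_server_cert=yes` from the configuration and then connects with no hostname check at all, whereas the missing-SSL case just below fails loudly with `i_fatal`; an `#else` branch that does the same for a requested verification, `if (db->ssl_verify_server_cert) i_fatal("mysql: ssl_verify_server_cert not supported by this MySQL library");`, keeps the failure visible to the administrator. driver_mysql_connect's body begins and ends outside the hunk.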
@@ -152,6 +157,7 @@ static void driver_mysql_parse_connect_string(struct mysql_db *db, const char **field; db->ssl_cipher = "HIGH"; + db->ssl_verify_server_cert = 0; /* FIXME: change to 1 for v2.3 */ args = t_strsplit_spaces(connect_string, " "); for (; *args != NULL; args++) { @@ -187,7 +193,14 @@ static void driver_mysql_parse_connect_string(struct mysql_db *db, field = &db->ssl_ca_path; else if (strcmp(name, "ssl_cipher") == 0) field = &db->ssl_cipher; - else if (strcmp(name, "option_file") == 0) + else if (strcmp(name, "ssl_verify_server_cert") == 0) { + if (strcmp(value, "yes") == 0) + db->ssl_verify_server_cert = 1; + else if (strcmp(value, "no") == 0) + db->ssl_verify_server_cert = 0; + else + i_fatal("mysql: Invalid boolean: %s", value); + } else if (strcmp(name, "option_file") == 0) field = &db->option_file; else if (strcmp(name, "option_group") == 0) field = &db->option_group; -- 2.47.3
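Review bot: The new `ssl_verify_server_cert` branch in the second hunk assigns `db->ssl_verify_server_cert` directly but never assigns `field`, unlike every sibling branch; if the code after the chain (outside the hunk) stores `value` through `field` without resetting it on each loop iteration, the previous key's field would be overwritten with this value — confirm `field` is reset before the chain, or add `field = NULL;` in the new branch as a one-line safeguard. The message `"mysql: Invalid boolean: %s"` does not say which setting was wrong; `i_fatal("mysql: Invalid ssl_verify_server_cert value: %s", value);` tells the administrator what to fix. In the first hunk the default is explained only by the inline FIXME; a comment stating that `ssl_verify_server_cert=no` means the server certificate's name is not checked against `host` even when `ssl_ca` is configured would make the trade-off explicit to readers of the parser. driver_mysql_parse_connect_string's body starts before and continues past both hunks.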