MariaDB Server / MDEV-29817

Issues with handling options for SSL CRLs (and some others)

Details

    Description

      Looking for a problem that leads to instability of ssl tests for Galera, I seem to have found an issue in the description of the ssl options for the client and server in the sslopt-longopts.h file. In this snippet:

        {"ssl-key", OPT_SSL_KEY, "X509 key in PEM format (implies --ssl).",
         &opt_ssl_key, &opt_ssl_key, 0, GET_STR, REQUIRED_ARG,
         0, 0, 0, 0, 0, 0},
        {"ssl-crl", OPT_SSL_KEY, "Certificate revocation list (implies --ssl).",
         &opt_ssl_crl, &opt_ssl_crl, 0, GET_STR, REQUIRED_ARG,
         0, 0, 0, 0, 0, 0},
        {"ssl-crlpath", OPT_SSL_KEY, 
          "Certificate revocation list path (implies --ssl).",
         &opt_ssl_crlpath, &opt_ssl_crlpath, 0, GET_STR, REQUIRED_ARG,
         0, 0, 0, 0, 0, 0},

      the OPT_SSL_KEY option code is repeated three times, although this is probably the result of copy-paste. Also, a question about the assignment "opt_ssl_crl= NULL;" in sslopt-case.h: perhaps (not sure) there may be a memory leak.

      Also, in several client files, a common fragment similar to this is repeated:

      #ifdef HAVE_OPENSSL
        if (opt_use_ssl)
        {
          mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
                        opt_ssl_capath, opt_ssl_cipher);
          mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
          mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
          mysql_options(mysql, MARIADB_OPT_TLS_VERSION, opt_tls_version);
        }
        mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                      (char*)&opt_ssl_verify_server_cert);
      #endif /*HAVE_OPENSSL*/

      There is a possibility that sometimes the option MARIADB_OPT_TLS_VERSION and/or MYSQL_OPT_SSL_VERIFY_SERVER_CERT is forgotten there (mysqlcheck.c, mysqltest.cc, mysqlslap.c).

      Also in slave.cc there is a fragment with an explicit repetition:

        mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                      &mi->ssl_verify_server_cert);
        mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH,
                      mi->ssl_crlpath[0] ? mi->ssl_crlpath : 0);
        mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                      &mi->ssl_verify_server_cert);

      Probably, in the first case, there should be the MYSQL_OPT_SSL_CRL option. And perhaps MARIADB_OPT_TLS_VERSION is forgotten here.

      And in the mariadb_lib.c file, this fragment:

      case MYSQL_OPT_SSL_CRL:
          *((char **)arg)= mysql->options.extension ? mysql->options.ssl_cipher : NULL;
          break;

      "mysql->options.ssl_cipher" probably should be replaced with "mysql->options.extension->ssl_crl".
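
A check for the repeated option code described in the first snippet, as an added example that is not part of the original report or of MariaDB's code. It assumes a reduced two-field row (`struct opt_row`), stand-in codes `OPT_SSL_CRL` and `OPT_SSL_CRLPATH`, and a handler that sees only the code; `count_reused_ids` and `handler_view` are hypothetical helpers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in option codes for this example; only OPT_SSL_KEY is quoted on the page. */
enum opt_id { OPT_SSL_KEY = 256, OPT_SSL_CRL, OPT_SSL_CRLPATH };

/* Reduced model of an option-table row: long name plus the code handed to the handler. */
struct opt_row { const char *name; int id; };

/* Rows as quoted in the report: all three carry OPT_SSL_KEY. */
static const struct opt_row reported[] = {
  {"ssl-key", OPT_SSL_KEY}, {"ssl-crl", OPT_SSL_KEY}, {"ssl-crlpath", OPT_SSL_KEY},
};
/* Same rows with one distinct code per option (constructed for comparison). */
static const struct opt_row distinct[] = {
  {"ssl-key", OPT_SSL_KEY}, {"ssl-crl", OPT_SSL_CRL}, {"ssl-crlpath", OPT_SSL_CRLPATH},
};

/* Count rows whose code was already used by an earlier row in the table. */
size_t count_reused_ids(const struct opt_row *t, size_t n)
{
  size_t reused = 0;
  for (size_t i = 1; i < n; i++)
    for (size_t j = 0; j < i; j++)
      if (t[i].id == t[j].id) { reused++; break; }
  return reused;
}

/* A handler that switches on the code alone cannot tell rows with the same
   code apart: return the first option name that owns the code of `given`. */
const char *handler_view(const struct opt_row *t, size_t n, const char *given)
{
  int id = -1;
  for (size_t i = 0; i < n; i++)
    if (strcmp(t[i].name, given) == 0) id = t[i].id;
  for (size_t i = 0; i < n; i++)
    if (t[i].id == id) return t[i].name;
  return NULL; /* unknown option name */
}

int main(void)
{
  printf("reported: %zu reused codes, --ssl-crl handled as --%s\n",
         count_reused_ids(reported, 3), handler_view(reported, 3, "ssl-crl"));
  printf("distinct: %zu reused codes, --ssl-crl handled as --%s\n",
         count_reused_ids(distinct, 3), handler_view(distinct, 3, "ssl-crl"));
  return 0;
}
```

Run over a real option table as a build-time check, a nonzero count flags rows that a code-based handler would treat as the same option.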

          People

            sysprg Julius Goryavsky