Looking for a problem that leads to instability of ssl tests for Galera, I seem to have found an issue in the description of the ssl options for the client and server in the sslopt-longopts.h file. In this snippet:
{"ssl-key", OPT_SSL_KEY, "X509 key in PEM format (implies --ssl).",
|
&opt_ssl_key, &opt_ssl_key, 0, GET_STR, REQUIRED_ARG,
|
0, 0, 0, 0, 0, 0},
|
{"ssl-crl", OPT_SSL_KEY, "Certificate revocation list (implies --ssl).",
|
&opt_ssl_crl, &opt_ssl_crl, 0, GET_STR, REQUIRED_ARG,
|
0, 0, 0, 0, 0, 0},
|
{"ssl-crlpath", OPT_SSL_KEY,
|
"Certificate revocation list path (implies --ssl).",
|
&opt_ssl_crlpath, &opt_ssl_crlpath, 0, GET_STR, REQUIRED_ARG,
|
0, 0, 0, 0, 0, 0},
|
the OPT_SSL_KEY option code is repeated three times, although this is probably the result of copy-paste. Also a question about assigning "opt_ssl_crl= NULL;" in the sslopt-case.h - perhaps (not sure) there may be a memory leak.
Also, in several client files, a common fragment similar to this is repeated:
#ifdef HAVE_OPENSSL
|
if (opt_use_ssl)
|
{
|
mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
|
opt_ssl_capath, opt_ssl_cipher);
|
mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
|
mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
|
mysql_options(mysql, MARIADB_OPT_TLS_VERSION, opt_tls_version);
|
}
|
mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
|
(char*)&opt_ssl_verify_server_cert);
|
#endif /*HAVE_OPENSSL*/
|
There is a possibility that sometimes the option MARIADB_OPT_TLS_VERSION and/or MYSQL_OPT_SSL_VERIFY_SERVER_CERT is forgotten there (mysqlcheck.c, mysqltest.cc, mysqlslap.c)
Also in slave.cc there is a fragment with an explicit repetition:
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
|
&mi->ssl_verify_server_cert);
|
mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH,
|
mi->ssl_crlpath[0] ? mi->ssl_crlpath : 0);
|
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
|
&mi->ssl_verify_server_cert);
|
Probably there in the first case there should be the MYSQL_OPT_SSL_CRL. option. And perhaps MARIADB_OPT_TLS_VERSION is forgotten here.
And mariadb_lib.c file, this fragment:
case MYSQL_OPT_SSL_CRL:
|
*((char **)arg)= mysql->options.extension ? mysql->options.ssl_cipher : NULL;
|
break;
|
"mysql->options.ssl_cipher" probably should be replaced to "mysql->options.extension->ssl_crl"
Critical