dovecot-2.2: mysql: Added ssl_verify_server_cert=no|yes parameter.
dovecot at dovecot.org
dovecot at dovecot.org
Mon Dec 9 00:03:07 EET 2013
details: http://hg.dovecot.org/dovecot-2.2/rev/7a7898ffe87f
changeset: 17053:7a7898ffe87f
user: Timo Sirainen <tss at iki.fi>
date: Mon Dec 09 00:02:58 2013 +0200
description:
mysql: Added ssl_verify_server_cert=no|yes parameter.
To make sure we don't break existing installations, default to "no". For
v2.3 it should default to "yes".
Patch by Gareth Palmer
diffstat:
configure.ac | 9 +++++++++
doc/example-config/dovecot-sql.conf.ext | 16 +++++++++-------
src/lib-sql/driver-mysql.c | 15 ++++++++++++++-
3 files changed, 32 insertions(+), 8 deletions(-)
diffs (91 lines):
diff -r 353c3e3edc52 -r 7a7898ffe87f configure.ac
--- a/configure.ac Sun Dec 08 23:41:33 2013 +0200
+++ b/configure.ac Mon Dec 09 00:02:58 2013 +0200
@@ -2287,6 +2287,15 @@
mysql_set_ssl(0, 0, 0, 0, 0, 0);
], [
AC_DEFINE(HAVE_MYSQL_SSL_CIPHER,, Define if your MySQL library supports setting cipher)
+
+ AC_TRY_COMPILE([
+ $ssl_define
+ #include <mysql.h>
+ ], [
+ int i = MYSQL_OPT_SSL_VERIFY_SERVER_CERT;
+ ], [
+ AC_DEFINE(HAVE_MYSQL_SSL_VERIFY_SERVER_CERT,, Define if your MySQL library supports verifying the name in the SSL certificate)
+ ])
])
])
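Review bot: The new AC_TRY_COMPILE is placed inside the success branch of the ssl_cipher check (the `], [` at the line before `AC_DEFINE(HAVE_MYSQL_SSL_CIPHER, ...)` opens it, and the two closing `])` lines end both), so HAVE_MYSQL_SSL_VERIFY_SERVER_CERT can only ever be defined when HAVE_MYSQL_SSL_CIPHER is, as far as the nesting visible here shows. A MySQL library that exposes MYSQL_OPT_SSL_VERIFY_SERVER_CERT but fails the cipher probe would then silently lose certificate verification even though it is supported. Moving the new probe out one level, as a sibling of the cipher AC_TRY_COMPILE rather than its child, makes the two feature tests independent; the enclosing check begins before this hunk.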
diff -r 353c3e3edc52 -r 7a7898ffe87f doc/example-config/dovecot-sql.conf.ext
--- a/doc/example-config/dovecot-sql.conf.ext Sun Dec 08 23:41:33 2013 +0200
+++ b/doc/example-config/dovecot-sql.conf.ext Mon Dec 09 00:02:58 2013 +0200
@@ -47,13 +47,15 @@
# host, port, user, password, dbname
#
# But also adds some new settings:
-# client_flags - See MySQL manual
-# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
-# ssl_cert, ssl_key - For sending client-side certificates to server
-# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
-# option_file - Read options from the given file instead of
-# the default my.cnf location
-# option_group - Read options from the given group (default: client)
+# client_flags - See MySQL manual
+# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
+# ssl_cert, ssl_key - For sending client-side certificates to server
+# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
+# ssl_verify_server_cert - Verify that the name in the server SSL certificate
+# matches the host (default: no)
+# option_file - Read options from the given file instead of
+# the default my.cnf location
+# option_group - Read options from the given group (default: client)
#
# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
# Note that currently you can't use spaces in parameters.
diff -r 353c3e3edc52 -r 7a7898ffe87f src/lib-sql/driver-mysql.c
--- a/src/lib-sql/driver-mysql.c Sun Dec 08 23:41:33 2013 +0200
+++ b/src/lib-sql/driver-mysql.c Mon Dec 09 00:02:58 2013 +0200
@@ -28,6 +28,7 @@
pool_t pool;
const char *user, *password, *dbname, *host, *unix_socket;
const char *ssl_cert, *ssl_key, *ssl_ca, *ssl_ca_path, *ssl_cipher;
+ int ssl_verify_server_cert;
const char *option_file, *option_group;
unsigned int port, client_flags;
time_t last_success;
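Review bot: The added field `int ssl_verify_server_cert;` is passed by address to mysql_options(MYSQL_OPT_SSL_VERIFY_SERVER_CERT, ...) in the next hunk, but the MySQL C API documents that option's argument as a `my_bool *`, which is a one-byte type in the 5.x client libraries. Reading an int through that pointer yields the low byte only on little-endian hosts; on a big-endian build a stored 1 would be read as 0 and verification would be silently off. Declaring it as `my_bool ssl_verify_server_cert;` (the type mysql.h already provides) matches the API contract; the struct definition starts outside this hunk, so check that nothing else depends on it being int.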
@@ -104,6 +105,10 @@
, db->ssl_cipher
#endif
);
+#ifdef HAVE_MYSQL_SSL_VERIFY_SERVER_CERT
+ mysql_options(db->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ &db->ssl_verify_server_cert);
+#endif
db->ssl_set = TRUE;
#else
i_fatal("mysql: SSL support not compiled in "
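Review bot: When HAVE_MYSQL_SSL_VERIFY_SERVER_CERT is not defined, the new `#ifdef` block compiles out entirely while the parser in the last hunk still accepts `ssl_verify_server_cert=yes`, so an administrator who turns it on gets neither server-certificate verification nor any diagnostic that the setting was ignored. A `#else` branch that refuses the request closes that gap: `#else` / `if (db->ssl_verify_server_cert) i_fatal("mysql: ssl_verify_server_cert=yes is not supported by this MySQL library");` before the `#endif`, mirroring the existing i_fatal for SSL not being compiled in. The enclosing function begins and ends outside this hunk.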
@@ -152,6 +157,7 @@
const char **field;
db->ssl_cipher = "HIGH";
+ db->ssl_verify_server_cert = 0; /* FIXME: change to 1 for v2.3 */
args = t_strsplit_spaces(connect_string, " ");
for (; *args != NULL; args++) {
@@ -187,7 +193,14 @@
field = &db->ssl_ca_path;
else if (strcmp(name, "ssl_cipher") == 0)
field = &db->ssl_cipher;
- else if (strcmp(name, "option_file") == 0)
+ else if (strcmp(name, "ssl_verify_server_cert") == 0) {
+ if (strcmp(value, "yes") == 0)
+ db->ssl_verify_server_cert = 1;
+ else if (strcmp(value, "no") == 0)
+ db->ssl_verify_server_cert = 0;
+ else
+ i_fatal("mysql: Invalid boolean: %s", value);
+ } else if (strcmp(name, "option_file") == 0)
field = &db->option_file;
else if (strcmp(name, "option_group") == 0)
field = &db->option_group;
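Review bot: The new `ssl_verify_server_cert` branch sets `db->ssl_verify_server_cert` directly and, unlike its siblings, never assigns `field`; every other visible branch ends with `field = &db->...`, which suggests the chain is followed by a write through `field` outside this hunk. If so, this branch reaches that write with `field` still pointing at whatever the previous loop iteration selected (or uninitialised on the first pass, since `const char **field;` is declared without an initialiser in the previous hunk), overwriting an unrelated setting with the string "yes"/"no". Ending the branch with `continue;` after the inner `i_fatal(...)` line, i.e. `else i_fatal("mysql: Invalid boolean: %s", value); continue; } else if ...`, skips the shared assignment. The enclosing loop starts before this hunk and ends after it.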