On 22.11.2013, at 9.22, Patrick Ben Koetter <p@sys4.de> wrote:
- Timo Sirainen <dovecot@dovecot.org>:
On 22.11.2013, at 0.35, Gareth Palmer <gareth@acsdata.co.nz> wrote:
The following patch adds support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
It makes the mysql client library check that the commonName in the server's SSL certificate matches the host name provided to mysql_real_connect() and aborts the connection if the name doesn't match.
If someone goes through the trouble of using SSL with MySQL .. should this even be optional? I guess I shouldn’t break any v2.2 installations even accidentally, but for v2.3 I don’t really see any point of not having this enabled unconditionally.
It should be optional or it will break other running systems when the update/upgrade.
But perhaps it should break (in v2.3.0)? Otherwise it’s not really running securely anyway. At least the default should be to verify the cert.