Timo,
Were there any further changes you wanted made to the patch?
It now defaults to having ssl_verify_server_cert enabled.
On Fri, 2013-11-22 at 13:52 +0200, Timo Sirainen wrote:
On 22.11.2013, at 9.22, Patrick Ben Koetter p@sys4.de wrote:
- Timo Sirainen dovecot@dovecot.org:
On 22.11.2013, at 0.35, Gareth Palmer gareth@acsdata.co.nz wrote:
The following patch adds support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
It makes the mysql client library check that the commonName in the server's SSL certificate matches the host name provided to mysql_real_connect() and aborts the connection if the name doesn't match.
If someone goes through the trouble of using SSL with MySQL .. should this even be optional? I guess I shouldn’t break any v2.2 installations even accidentally, but for v2.3 I don’t really see any point of not having this enabled unconditionally.
It should be optional or it will break other running systems when the update/upgrade.
But perhaps it should break (in v2.3.0)? Otherwise it’s not really running securely anyway. At least the default should be to verify the cert.