On Fri, 2013-11-22 at 00:42 +0200, Timo Sirainen wrote:
> On 22.11.2013, at 0.35, Gareth Palmer <gareth@acsdata.co.nz> wrote:
> > The following patch adds support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
> > It makes the mysql client library check that the commonName in the server's SSL certificate matches the host name provided to mysql_real_connect() and aborts the connection if the name doesn't match.
> >
> > An example connect string would look something like:
> >
> >   connect = ... ssl-ca=/path/to/ca.cert ssl-verify-server-cert=yes
> >
> > By default the mysql client library does not perform this check.
>
> If someone goes through the trouble of using SSL with MySQL .. should this even be optional? I guess I shouldn’t break any v2.2 installations even accidentally, but for v2.3 I don’t really see any point of not having this enabled unconditionally.

Apart from possibly breaking existing installations and that the mysql client library allows it to be disabled, I can't think of a good reason why someone wouldn't enable it.
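
Because the check described in this thread is off unless the connect string asks for it, existing configurations are worth auditing. The following is an added example, not code from the thread or from Dovecot: it flags connect strings that carry SSL settings but do not set ssl-verify-server-cert=yes. The function names, the status labels, the `connect = key=value ...` line layout, the acceptance of both `-` and `_` key spellings, and the sample hosts are assumptions.

```python
# Added example (not Dovecot code): flag connect strings that use TLS
# settings without ssl-verify-server-cert=yes.
VERIFY_KEY = "ssl_verify_server_cert"

def parse_connect(line):
    """Parse 'connect = k=v k=v' (or bare 'k=v k=v') into a dict."""
    head, sep, rest = line.partition("=")
    if sep and head.strip() == "connect":
        line = rest
    settings = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("setting without '=': %r" % token)
        # Assumption: treat '-' and '_' spellings of a key as the same.
        settings[key.lower().replace("-", "_")] = value
    return settings

def audit_connect(line):
    """Return 'no-tls', 'tls-unverified' or 'tls-verified'."""
    settings = parse_connect(line)
    # Assumption: any ssl-* key means the connection is meant to use TLS.
    uses_tls = any(k.startswith("ssl_") for k in settings)
    # Unset means off: the client library does not check by default.
    verify = settings.get(VERIFY_KEY, "no")
    if verify not in ("yes", "no"):  # assumption: only yes/no are valid
        raise ValueError("%s must be yes or no, got %r" % (VERIFY_KEY, verify))
    if not uses_tls:
        return "no-tls"
    return "tls-verified" if verify == "yes" else "tls-unverified"

def audit_config(text):
    """Return (line number, status) for each 'connect' line in a config."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.partition("=")[0].strip() == "connect":
            findings.append((number, audit_connect(line)))
    return findings

# Constructed sample configuration lines; hosts and paths are placeholders.
SAMPLE = """\
connect = host=db1.example.test dbname=mail ssl-ca=/path/to/ca.cert
connect = host=db2.example.test dbname=mail ssl-ca=/path/to/ca.cert ssl-verify-server-cert=yes
# connect = host=old.example.test ssl-ca=/path/to/ca.cert
connect = host=localhost dbname=mail
"""

if __name__ == "__main__":
    for number, status in audit_config(SAMPLE):
        print(number, status)
```

A `tls-unverified` result marks a connection that is encrypted but accepts a certificate issued for any host name.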