[Dovecot] [PATCH] lib-sql/driver-mysql.c - Add support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT
Gareth Palmer
gareth at acsdata.co.nz
Wed Dec 4 06:31:11 EET 2013
Timo,
Were there any further changes you wanted made to the patch?
It now defaults to having ssl_verify_server_cert enabled.
On Fri, 2013-11-22 at 13:52 +0200, Timo Sirainen wrote:
> On 22.11.2013, at 9.22, Patrick Ben Koetter <p at sys4.de> wrote:
>
> > * Timo Sirainen <dovecot at dovecot.org>:
> >> On 22.11.2013, at 0.35, Gareth Palmer <gareth at acsdata.co.nz> wrote:
> >>
> >>> The following patch adds support for enabling
> >>> MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
> >>>
> >>> It makes the mysql client library check that the commonName in the
> >>> server's SSL certificate matches the host name provided to
> >>> mysql_real_connect() and aborts the connection if the name doesn't
> >>> match.
> >>
> >> If someone goes through the trouble of using SSL with MySQL .. should this
> >> even be optional? I guess I shouldn’t break any v2.2 installations even
> >> accidentally, but for v2.3 I don’t really see any point of not having this
> >> enabled unconditionally.
> >
> > It should be optional or it will break other running systems when the
> > update/upgrade.
>
> But perhaps it should break (in v2.3.0)? Otherwise it’s not really running securely anyway. At least the default should be to verify the cert.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl-verify-server-cert-20131120.patch
Type: text/x-patch
Size: 4615 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20131204/58bc2b69/attachment.bin>
More information about the dovecot
mailing list