[Dovecot] [PATCH] lib-sql/driver-mysql.c - Add support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT

Gareth Palmer gareth at acsdata.co.nz
Fri Nov 22 01:10:09 EET 2013


On Fri, 2013-11-22 at 00:42 +0200, Timo Sirainen wrote:
> On 22.11.2013, at 0.35, Gareth Palmer <gareth at acsdata.co.nz> wrote:
> 
> > The following patch adds support for enabling
> > MYSQL_OPT_SSL_VERIFY_SERVER_CERT. 
> > 
> > It makes the mysql client library check that the commonName in the
> > server's SSL certificate matches the host name provided to
> > mysql_real_connect() and aborts the connection if the name doesn't
> > match.
> > 
> > An example connect string would look something like:
> > 
> > connect = ... ssl-ca=/path/to/ca.cert ssl-verify-server-cert=yes
> > 
> > By default the mysql client library does not perform this check.
> 
> If someone goes through the trouble of using SSL with MySQL .. should this even be optional? I guess I shouldn’t break any v2.2 installations even accidentally, but for v2.3 I don’t really see any point of not having this enabled unconditionally.

Apart from possibly breaking existing installations and the fact that the mysql
client library allows it to be disabled, I can't think of a good reason
why someone wouldn't enable it.
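The point of the thread is that, in the mysql client library, server-certificate name checking is off unless MYSQL_OPT_SSL_VERIFY_SERVER_CERT is set, so a connect string that configures ssl-ca alone still accepts any certificate the CA signed for any host. The following added example (not Dovecot's lib-sql/driver-mysql.c, and it does not link libmysqlclient) parses a connect string of the space-separated key=value form shown in the quoted message and reports whether the resulting connection would verify the server's name. The key names ssl-ca and ssl-verify-server-cert are taken from the message above; the other ssl-* keys, the boolean spellings accepted, and the sample connect strings are assumptions constructed for the illustration.

```python
"""Check whether a Dovecot-style MySQL connect string asks the mysql client
library to verify the server certificate's name.

Added example for this thread; it is not Dovecot's lib-sql/driver-mysql.c and
does not link libmysqlclient.  The connect-string format (space-separated
key=value pairs) and the keys ssl-ca / ssl-verify-server-cert follow the
quoted message; the remaining ssl-* keys are assumptions.
"""

from dataclasses import dataclass, field

# Keys taken as turning on TLS for the client connection (assumption: the
# parameters a driver would hand to the mysql client's SSL setup).
SSL_KEYS = {"ssl-ca", "ssl-ca-path", "ssl-cert", "ssl-key", "ssl-cipher"}

VERIFY_KEY = "ssl-verify-server-cert"
TRUE_WORDS = {"yes", "true", "1", "on"}
FALSE_WORDS = {"no", "false", "0", "off"}


def parse_bool(word: str) -> bool:
    w = word.strip().lower()
    if w in TRUE_WORDS:
        return True
    if w in FALSE_WORDS:
        return False
    raise ValueError(f"not a boolean: {word!r}")


@dataclass
class ConnectSettings:
    values: dict = field(default_factory=dict)

    @property
    def ssl_enabled(self) -> bool:
        return any(k in self.values for k in SSL_KEYS)

    @property
    def verify_server_cert(self) -> bool:
        # The mysql client library leaves this check off unless
        # MYSQL_OPT_SSL_VERIFY_SERVER_CERT is set, so an absent key means False.
        return parse_bool(self.values.get(VERIFY_KEY, "no"))

    def has_ca(self) -> bool:
        return "ssl-ca" in self.values or "ssl-ca-path" in self.values


def parse_connect(connect: str) -> ConnectSettings:
    """Split 'key=value key=value ...' into settings, rejecting bad tokens."""
    settings = ConnectSettings()
    for token in connect.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed token {token!r}; expected key=value")
        if key in settings.values:
            raise ValueError(f"duplicate key {key!r}")
        settings.values[key] = value
    # Validate the boolean at parse time so a typo such as =yse is not
    # silently treated as "verification off".
    if VERIFY_KEY in settings.values:
        parse_bool(settings.values[VERIFY_KEY])
    return settings


def lint(settings: ConnectSettings) -> list:
    """Return findings about the TLS posture implied by the connect string."""
    findings = []
    if settings.ssl_enabled and not settings.verify_server_cert:
        findings.append(
            "TLS is configured but the server certificate's commonName is "
            "not checked against the host name (mysql client default); "
            f"add {VERIFY_KEY}=yes"
        )
    if settings.verify_server_cert and not settings.has_ca():
        findings.append(
            f"{VERIFY_KEY}=yes without ssl-ca or ssl-ca-path: there is no "
            "trust anchor to verify the server certificate against"
        )
    return findings


def check(connect: str) -> tuple:
    """Convenience wrapper returning (server name verified?, findings)."""
    s = parse_connect(connect)
    return s.verify_server_cert, lint(s)


if __name__ == "__main__":
    # Constructed sample connect strings; hosts and paths are made up.
    weak = "host=db.example.net dbname=mail user=dovecot ssl-ca=/etc/ssl/ca.pem"
    fixed = weak + " ssl-verify-server-cert=yes"
    for label, connect in (("weak", weak), ("fixed", fixed)):
        verified, findings = check(connect)
        print(f"{label}: verify_server_cert={verified}")
        for f in findings:
            print("  -", f)
```

Run it against the connect line from dovecot-sql.conf; a configuration that names ssl-ca but not ssl-verify-server-cert=yes is reported as encrypted but not authenticated to a particular host, which is exactly the gap the patch closes.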
