[Dovecot] [PATCH] lib-sql/driver-mysql.c - Add support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT

Timo Sirainen tss at iki.fi
Fri Nov 22 13:52:11 EET 2013


On 22.11.2013, at 9.22, Patrick Ben Koetter <p at sys4.de> wrote:

> * Timo Sirainen <dovecot at dovecot.org>:
>> On 22.11.2013, at 0.35, Gareth Palmer <gareth at acsdata.co.nz> wrote:
>> 
>>> The following patch adds support for enabling
>>> MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
>>> 
>>> It makes the mysql client library check that the commonName in the
>>> server's SSL certificate matches the host name provided to
>>> mysql_real_connect() and aborts the connection if the name doesn't
>>> match.
>> 
>> If someone goes through the trouble of using SSL with MySQL .. should this
>> even be optional? I guess I shouldn’t break any v2.2 installations even
>> accidentally, but for v2.3 I don’t really see any point of not having this
>> enabled unconditionally.
> 
> It should be optional or it will break other running systems when they
> update/upgrade.

But perhaps it should break (in v2.3.0)? Otherwise it’s not really running securely anyway. At least the default should be to verify the cert.
