On 22.11.2013, at 9.22, Patrick Ben Koetter <[email protected]> wrote:

> * Timo Sirainen <[email protected]>:
>> On 22.11.2013, at 0.35, Gareth Palmer <[email protected]> wrote:
>>
>>> The following patch adds support for enabling
>>> MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
>>>
>>> It makes the mysql client library check that the commonName in the
>>> server's SSL certificate matches the host name provided to
>>> mysql_real_connect() and aborts the connection if the name doesn't
>>> match.
>>
>> If someone goes through the trouble of using SSL with MySQL .. should this
>> even be optional? I guess I shouldn’t break any v2.2 installations even
>> accidentally, but for v2.3 I don’t really see any point of not having this
>> enabled unconditionally.
>
> It should be optional or it will break other running systems when they
> update/upgrade.

But perhaps it should break (in v2.3.0)? Otherwise it’s not really running securely anyway. At least the default should be to verify the cert.
