Timo,
Were there any further changes you wanted made to the patch?
It now defaults to having ssl_verify_server_cert enabled.
On Fri, 2013-11-22 at 13:52 +0200, Timo Sirainen wrote:
> On 22.11.2013, at 9.22, Patrick Ben Koetter <[email protected]> wrote:
>
> > * Timo Sirainen <[email protected]>:
> >> On 22.11.2013, at 0.35, Gareth Palmer <[email protected]> wrote:
> >>
> >>> The following patch adds support for enabling
> >>> MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
> >>>
> >>> It makes the mysql client library check that the commonName in the
> >>> server's SSL certificate matches the host name provided to
> >>> mysql_real_connect() and aborts the connection if the name doesn't
> >>> match.
> >>
> >> If someone goes through the trouble of using SSL with MySQL .. should this
> >> even be optional? I guess I shouldn’t break any v2.2 installations even
> >> accidentally, but for v2.3 I don’t really see any point of not having this
> >> enabled unconditionally.
> >
> > It should be optional or it will break other running systems when they
> > update/upgrade.
>
> But perhaps it should break (in v2.3.0)? Otherwise it’s not really running
> securely anyway. At least the default should be to verify the cert.
diff -urN dovecot-20131120.orig/config.h.in dovecot-20131120/config.h.in
--- dovecot-20131120.orig/config.h.in 2013-11-25 10:32:38.182706916 +1300
+++ dovecot-20131120/config.h.in 2013-11-25 10:33:50.689323470 +1300
@@ -251,6 +251,10 @@
/* Define if your MySQL library supports setting cipher */
#undef HAVE_MYSQL_SSL_CIPHER
+/* Define if your MySQL library supports verifying the name in the SSL
+ certificate */
+#undef HAVE_MYSQL_SSL_VERIFY_SERVER_CERT
+
/* Define if you don't have C99 compatible vsnprintf() call */
#undef HAVE_OLD_VSNPRINTF
diff -urN dovecot-20131120.orig/configure.ac dovecot-20131120/configure.ac
--- dovecot-20131120.orig/configure.ac 2013-11-25 10:32:38.262705729 +1300
+++ dovecot-20131120/configure.ac 2013-11-25 10:33:50.689323470 +1300
@@ -2282,6 +2282,15 @@
mysql_set_ssl(0, 0, 0, 0, 0, 0);
], [
AC_DEFINE(HAVE_MYSQL_SSL_CIPHER,, Define if your MySQL library supports setting cipher)
+
+ AC_TRY_COMPILE([
+ $ssl_define
+ #include <mysql.h>
+ ], [
+ int i = MYSQL_OPT_SSL_VERIFY_SERVER_CERT;
+ ], [
+ AC_DEFINE(HAVE_MYSQL_SSL_VERIFY_SERVER_CERT,, Define if your MySQL library supports verifying the name in the SSL certificate)
+ ])
])
])
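Review bot: The new `AC_TRY_COMPILE` for `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` is placed inside the action-if-true of the `mysql_set_ssl()` cipher probe (directly after the `AC_DEFINE(HAVE_MYSQL_SSL_CIPHER, ...)` line), so `HAVE_MYSQL_SSL_VERIFY_SERVER_CERT` can only be defined when the cipher probe also succeeds, and there does not appear to be a real dependency between the two options. Moving the new block to just after the cipher probe's closing `])` makes the two checks independent, so a library that lacks the cipher setter but has the verify option still gets name verification. The enclosing `AC_TRY_COMPILE` for the cipher check starts outside the hunk, so the exact nesting should be confirmed there.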
diff -urN dovecot-20131120.orig/doc/example-config/dovecot-sql.conf.ext dovecot-20131120/doc/example-config/dovecot-sql.conf.ext
--- dovecot-20131120.orig/doc/example-config/dovecot-sql.conf.ext 2013-11-25 10:32:38.266705653 +1300
+++ dovecot-20131120/doc/example-config/dovecot-sql.conf.ext 2013-11-25 10:34:05.037049830 +1300
@@ -47,13 +47,15 @@
# host, port, user, password, dbname
#
# But also adds some new settings:
-# client_flags - See MySQL manual
-# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
-# ssl_cert, ssl_key - For sending client-side certificates to server
-# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
-# option_file - Read options from the given file instead of
-# the default my.cnf location
-# option_group - Read options from the given group (default: client)
+# client_flags - See MySQL manual
+# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
+# ssl_cert, ssl_key - For sending client-side certificates to server
+# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
+# ssl_verify_server_cert - Verify that the name in the server SSL certificate
+# matches the host (default: yes)
+# option_file - Read options from the given file instead of
+# the default my.cnf location
+# option_group - Read options from the given group (default: client)
#
# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
# Note that currently you can't use spaces in parameters.
diff -urN dovecot-20131120.orig/src/lib-sql/driver-mysql.c dovecot-20131120/src/lib-sql/driver-mysql.c
--- dovecot-20131120.orig/src/lib-sql/driver-mysql.c 2013-11-25 10:32:38.190706907 +1300
+++ dovecot-20131120/src/lib-sql/driver-mysql.c 2013-11-25 10:34:28.584598986 +1300
@@ -28,6 +28,7 @@
pool_t pool;
const char *user, *password, *dbname, *host, *unix_socket;
const char *ssl_cert, *ssl_key, *ssl_ca, *ssl_ca_path, *ssl_cipher;
+ int ssl_verify_server_cert;
const char *option_file, *option_group;
unsigned int port, client_flags;
time_t last_success;
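Review bot: `ssl_verify_server_cert` is declared as `int`, but the MySQL 5.x client library reads the argument of `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` as a `my_bool` (a single byte), and the second hunk of this file passes `&db->ssl_verify_server_cert` straight to `mysql_options()`. On a little-endian host the low byte happens to be the one the library reads, but on a big-endian host it would read a zero byte and silently skip server name verification even though the setting defaults to yes. Declaring the field with the type `mysql.h` uses for this option, `my_bool ssl_verify_server_cert;`, removes the mismatch; alternatively copy the value into a `my_bool` local right before the `mysql_options()` call. The struct definition starts outside the hunk.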
@@ -104,6 +105,10 @@
, db->ssl_cipher
#endif
);
+#ifdef HAVE_MYSQL_SSL_VERIFY_SERVER_CERT
+ mysql_options(db->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ &db->ssl_verify_server_cert);
+#endif
db->ssl_set = TRUE;
#else
i_fatal("mysql: SSL support not compiled in "
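Review bot: The `mysql_options()` call is compiled only under `HAVE_MYSQL_SSL_VERIFY_SERVER_CERT`, while the setting is parsed and defaulted to yes unconditionally in the later hunks, so on a client library without the option an explicit `ssl_verify_server_cert=yes` is accepted and then silently ignored, leaving the TLS connection without server name verification. I would make that visible at connect time with an `#else` arm: `#else` / `if (db->ssl_verify_server_cert) i_warning("mysql: ssl_verify_server_cert not supported by the MySQL client library, server name not verified");` / `#endif`. A warning rather than `i_fatal()` keeps existing installations on older libraries working, which is the compatibility concern raised in the thread. The enclosing function starts and ends outside the hunk.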
@@ -152,6 +157,7 @@
const char **field;
db->ssl_cipher = "HIGH";
+ db->ssl_verify_server_cert = TRUE;
args = t_strsplit_spaces(connect_string, " ");
for (; *args != NULL; args++) {
@@ -187,7 +193,14 @@
field = &db->ssl_ca_path;
else if (strcmp(name, "ssl_cipher") == 0)
field = &db->ssl_cipher;
- else if (strcmp(name, "option_file") == 0)
+ else if (strcmp(name, "ssl_verify_server_cert") == 0) {
+ if (strcmp(value, "yes") == 0)
+ db->ssl_verify_server_cert = TRUE;
+ else if (strcmp(value, "no") == 0)
+ db->ssl_verify_server_cert = FALSE;
+ else
+ i_fatal("mysql: Invalid boolean: %s", value);
+ } else if (strcmp(name, "option_file") == 0)
field = &db->option_file;
else if (strcmp(name, "option_group") == 0)
field = &db->option_group;
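Review bot: The new `ssl_verify_server_cert` branch fails closed on any value other than exactly `yes` or `no`, which is the right choice for a security setting, but the fatal message does not say what is accepted; `i_fatal("mysql: Invalid boolean: %s (expected yes or no)", value);` would save an admin a trip to the docs. The branch also writes `db->ssl_verify_server_cert` directly and leaves `field` untouched, unlike its string-valued siblings, so it depends on the code after the chain tolerating an unassigned `field`; that code, and the rest of the enclosing function, lie outside the hunk and should be checked.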