On 25/02/18 17:19, Wietse Venema wrote: > olli hauer: > [ Charset ISO-8859-15 converted... ] >> >From https://dev.mysql.com/doc/refman/5.7/en/mysql-options.html >> o MYSQL_OPT_SSL_VERIFY_SERVER_CERT (argument type: my_bool *) >> This option is deprecated as of MySQL 5.7.11 and is removed in MySQL >> 8.0. >> Instead, use MYSQL_OPT_SSL_MODE with a value of >> SSL_MODE_VERIFY_IDENTITY. >> >> >> There are some issues in case postfix builds against mariadb or percona >> instead >> mysql, because both define MYSQL_VERSION_ID >= 50711 and only mariadb also >> defines MARIADB_VERSION_ID. >> >> mariadb (10.2.13): >> #define MYSQL_VERSION_ID 100212 >> #define MARIADB_VERSION_ID 100212 >> >> percona (5.7.20-18): >> #define MYSQL_VERSION_ID 50720 >> >> >> Given the listed MYSQL_VERSION_ID's the following diff should be safe. >> >> --- src/global/dict_mysql.c.orig 2017-02-19 01:58:20 UTC >> +++ src/global/dict_mysql.c >> @@ -656,7 +656,11 @@ static void plmysql_connect_single(DICT_ >> dict_mysql->tls_key_file, dict_mysql->tls_cert_file, >> dict_mysql->tls_CAfile, dict_mysql->tls_CApath, >> dict_mysql->tls_ciphers); >> -#if MYSQL_VERSION_ID >= 50023 >> +#if MYSQL_VERSION_ID >= 80000 && !defined(MARIADB_VERSION_ID) >> + if (dict_mysql->tls_verify_cert != -1) >> + mysql_options(host->db, MYSQL_OPT_SSL_MODE, >> + &dict_mysql->tls_verify_cert); >> +#elif MYSQL_VERSION_ID >= 50023 >> if (dict_mysql->tls_verify_cert != -1) >> mysql_options(host->db, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, >> &dict_mysql->tls_verify_cert); > > Couple suggestions. First. I wonder if this is complete - there are > three instances of the ``#if MYSQL_VERSION_ID >= 50023'' guard. > > Second, I prefer not to litter the code with runs of nearly duplicate > code. Instead I suggest defining a new macro: > > #if MYSQL_VERSION_ID >= 80000 && !defined(MARIADB_VERSION_ID) > #define DICT_MYSQL_SSL_VERIFY_SERVER_CERT MYSQL_OPT_SSL_MODE > #elif MYSQL_VERSION_ID >= 50023 > #define DICT_MYSQL_SSL_VERIFY_SERVER_CERT MYSQL_OPT_SSL_VERIFY_SERVER_CERT > #endif > > Then, use DICT_MYSQL_SSL_VERIFY_SERVER_CERT in the code instead of > the 'raw' defines from the mysql/mariadb libraries. > > #if defined(DICT_MYSQL_SSL_VERIFY_SERVER_CERT) > int tls_verify_cert; > #endif > > #if defined(DICT_MYSQL_SSL_VERIFY_SERVER_CERT) > if (dict_mysql->tls_verify_cert != -1) > mysql_options(host->db, DICT_MYSQL_SSL_VERIFY_SERVER_CERT, > &dict_mysql->tls_verify_cert); > #endif > > #if defined(DICT_MYSQL_SSL_VERIFY_SERVER_CERT) > dict_mysql->tls_verify_cert = cfg_get_bool(p, "tls_verify_cert", -1); > #endif > > But I dont have time to test this. > > Wietse
Olli if you make a new patch and it's based on latest snapshots, I can probably help do non regression tests on mariadb 5.5.56 John