changeset 17053:7a7898ffe87f
mysql: Added ssl_verify_server_cert=no|yes parameter.
To make sure we don't break existing installations, default to "no". For
v2.3 it should default to "yes".
Patch by Gareth Palmer
author | Timo Sirainen <tss@iki.fi> |
date | Mon, 09 Dec 2013 00:02:58 +0200 |
parents | 353c3e3edc52 |
children | feb656fd212e |
files | configure.ac doc/example-config/dovecot-sql.conf.ext src/lib-sql/driver-mysql.c |
diffstat | 3 files changed, 32 insertions(+), 8 deletions(-) [+] |
--- a/configure.ac Sun Dec 08 23:41:33 2013 +0200
+++ b/configure.ac Mon Dec 09 00:02:58 2013 +0200
@@ -2287,6 +2287,15 @@
 mysql_set_ssl(0, 0, 0, 0, 0, 0);
 ], [
 AC_DEFINE(HAVE_MYSQL_SSL_CIPHER,, Define if your MySQL library supports setting cipher)
+
+ AC_TRY_COMPILE([
+ $ssl_define
+ #include <mysql.h>
+ ], [
+ int i = MYSQL_OPT_SSL_VERIFY_SERVER_CERT;
+ ], [
+ AC_DEFINE(HAVE_MYSQL_SSL_VERIFY_SERVER_CERT,, Define if your MySQL library supports verifying the name in the SSL certificate)
+ ])
 ])
 ])
--- a/doc/example-config/dovecot-sql.conf.ext Sun Dec 08 23:41:33 2013 +0200
+++ b/doc/example-config/dovecot-sql.conf.ext Mon Dec 09 00:02:58 2013 +0200
@@ -47,13 +47,15 @@
 # host, port, user, password, dbname
 #
 # But also adds some new settings:
-# client_flags - See MySQL manual
-# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
-# ssl_cert, ssl_key - For sending client-side certificates to server
-# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
-# option_file - Read options from the given file instead of
-# the default my.cnf location
-# option_group - Read options from the given group (default: client)
+# client_flags - See MySQL manual
+# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
+# ssl_cert, ssl_key - For sending client-side certificates to server
+# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
+# ssl_verify_server_cert - Verify that the name in the server SSL certificate
+# matches the host (default: no)
+# option_file - Read options from the given file instead of
+# the default my.cnf location
+# option_group - Read options from the given group (default: client)
 #
 # You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
 # Note that currently you can't use spaces in parameters.
--- a/src/lib-sql/driver-mysql.c Sun Dec 08 23:41:33 2013 +0200
+++ b/src/lib-sql/driver-mysql.c Mon Dec 09 00:02:58 2013 +0200
@@ -28,6 +28,7 @@
 pool_t pool;
 const char *user, *password, *dbname, *host, *unix_socket;
 const char *ssl_cert, *ssl_key, *ssl_ca, *ssl_ca_path, *ssl_cipher;
+ int ssl_verify_server_cert;
 const char *option_file, *option_group;
 unsigned int port, client_flags;
 time_t last_success;
@@ -104,6 +105,10 @@
 , db->ssl_cipher
 #endif
 );
+#ifdef HAVE_MYSQL_SSL_VERIFY_SERVER_CERT
+ mysql_options(db->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ &db->ssl_verify_server_cert);
+#endif
 db->ssl_set = TRUE;
 #else
 i_fatal("mysql: SSL support not compiled in "
@@ -152,6 +157,7 @@
 const char **field;
 db->ssl_cipher = "HIGH";
+ db->ssl_verify_server_cert = 0; /* FIXME: change to 1 for v2.3 */
 args = t_strsplit_spaces(connect_string, " ");
 for (; *args != NULL; args++) {
@@ -187,7 +193,14 @@
 field = &db->ssl_ca_path;
 else if (strcmp(name, "ssl_cipher") == 0)
 field = &db->ssl_cipher;
- else if (strcmp(name, "option_file") == 0)
+ else if (strcmp(name, "ssl_verify_server_cert") == 0) {
+ if (strcmp(value, "yes") == 0)
+ db->ssl_verify_server_cert = 1;
+ else if (strcmp(value, "no") == 0)
+ db->ssl_verify_server_cert = 0;
+ else
+ i_fatal("mysql: Invalid boolean: %s", value);
+ } else if (strcmp(name, "option_file") == 0)
 field = &db->option_file;
 else if (strcmp(name, "option_group") == 0)
 field = &db->option_group;
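Review bot: `mysql_options(db->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &db->ssl_verify_server_cert)` passes an `int *`, but libmysqlclient documents the argument of `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` as `my_bool *` and reads it as a one-byte `my_bool`, so on a big-endian host the 1 stored in the `int` field added in the first hunk is read as 0 and verification stays off without any error. The new `#ifdef` block also has no `#else`: when the library lacks the option (the case the new configure check detects), `ssl_verify_server_cert=yes` is accepted by the parser in the last hunk and then silently ignored, whereas the existing `i_fatal("mysql: SSL support not compiled in "` path two lines below fails loudly for the analogous situation. Copy the flag into a `my_bool` before the call (or make the struct field itself `my_bool`), check the return value of `mysql_options()`, and fail in the `#else` branch when the flag is set, as below. The enclosing function starts and ends outside the hunk.
```c
#ifdef HAVE_MYSQL_SSL_VERIFY_SERVER_CERT
	{
		/* the option reads a my_bool, not an int */
		my_bool verify_server_cert = db->ssl_verify_server_cert != 0;

		if (mysql_options(db->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
				  &verify_server_cert) != 0)
			i_fatal("mysql: Setting ssl_verify_server_cert failed");
	}
#else
	if (db->ssl_verify_server_cert)
		i_fatal("mysql: ssl_verify_server_cert=yes requires a MySQL "
			"library with MYSQL_OPT_SSL_VERIFY_SERVER_CERT");
#endif
	/* ... unchanged: db->ssl_set = TRUE; ... */
```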