dovecot-2.2: mysql: Added ssl_verify_server_cert=no|yes parameter.

dovecot at dovecot.org dovecot at dovecot.org
Mon Dec 9 00:03:07 EET 2013


details:   http://hg.dovecot.org/dovecot-2.2/rev/7a7898ffe87f
changeset: 17053:7a7898ffe87f
user:      Timo Sirainen <tss at iki.fi>
date:      Mon Dec 09 00:02:58 2013 +0200
description:
mysql: Added ssl_verify_server_cert=no|yes parameter.
To make sure we don't break existing installations, default to "no". For
v2.3 it should default to "yes".

Patch by Gareth Palmer

diffstat:

 configure.ac                            |   9 +++++++++
 doc/example-config/dovecot-sql.conf.ext |  16 +++++++++-------
 src/lib-sql/driver-mysql.c              |  15 ++++++++++++++-
 3 files changed, 32 insertions(+), 8 deletions(-)

diffs (91 lines):

diff -r 353c3e3edc52 -r 7a7898ffe87f configure.ac
--- a/configure.ac	Sun Dec 08 23:41:33 2013 +0200
+++ b/configure.ac	Mon Dec 09 00:02:58 2013 +0200
@@ -2287,6 +2287,15 @@
 				  mysql_set_ssl(0, 0, 0, 0, 0, 0);
 				], [
 					AC_DEFINE(HAVE_MYSQL_SSL_CIPHER,, Define if your MySQL library supports setting cipher)
+
+					AC_TRY_COMPILE([
+					  $ssl_define
+					  #include <mysql.h>
+					], [
+					  int i = MYSQL_OPT_SSL_VERIFY_SERVER_CERT;
+					], [
+						AC_DEFINE(HAVE_MYSQL_SSL_VERIFY_SERVER_CERT,, Define if your MySQL library supports verifying the name in the SSL certificate)
+					])
 				])
 			])
 			
diff -r 353c3e3edc52 -r 7a7898ffe87f doc/example-config/dovecot-sql.conf.ext
--- a/doc/example-config/dovecot-sql.conf.ext	Sun Dec 08 23:41:33 2013 +0200
+++ b/doc/example-config/dovecot-sql.conf.ext	Mon Dec 09 00:02:58 2013 +0200
@@ -47,13 +47,15 @@
 #     host, port, user, password, dbname
 #
 #   But also adds some new settings:
-#     client_flags        - See MySQL manual
-#     ssl_ca, ssl_ca_path - Set either one or both to enable SSL
-#     ssl_cert, ssl_key   - For sending client-side certificates to server
-#     ssl_cipher          - Set minimum allowed cipher security (default: HIGH)
-#     option_file         - Read options from the given file instead of
-#                           the default my.cnf location
-#     option_group        - Read options from the given group (default: client)
+#     client_flags           - See MySQL manual
+#     ssl_ca, ssl_ca_path    - Set either one or both to enable SSL
+#     ssl_cert, ssl_key      - For sending client-side certificates to server
+#     ssl_cipher             - Set minimum allowed cipher security (default: HIGH)
+#     ssl_verify_server_cert - Verify that the name in the server SSL certificate
+#                              matches the host (default: no)
+#     option_file            - Read options from the given file instead of
+#                              the default my.cnf location
+#     option_group           - Read options from the given group (default: client)
 # 
 #   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
 #   Note that currently you can't use spaces in parameters.
diff -r 353c3e3edc52 -r 7a7898ffe87f src/lib-sql/driver-mysql.c
--- a/src/lib-sql/driver-mysql.c	Sun Dec 08 23:41:33 2013 +0200
+++ b/src/lib-sql/driver-mysql.c	Mon Dec 09 00:02:58 2013 +0200
@@ -28,6 +28,7 @@
 	pool_t pool;
 	const char *user, *password, *dbname, *host, *unix_socket;
 	const char *ssl_cert, *ssl_key, *ssl_ca, *ssl_ca_path, *ssl_cipher;
+	int ssl_verify_server_cert;
 	const char *option_file, *option_group;
 	unsigned int port, client_flags;
 	time_t last_success;
@@ -104,6 +105,10 @@
 			      , db->ssl_cipher
 #endif
 			     );
+#ifdef HAVE_MYSQL_SSL_VERIFY_SERVER_CERT
+		mysql_options(db->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+			      &db->ssl_verify_server_cert);
+#endif
 		db->ssl_set = TRUE;
 #else
 		i_fatal("mysql: SSL support not compiled in "
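Review bot: The added mysql_options() call passes `&db->ssl_verify_server_cert`, an `int *` (the field declared in the struct hunk above), but the MySQL C API documents the MYSQL_OPT_SSL_VERIFY_SERVER_CERT argument as `my_bool *`, a one-byte type. The library reads only the first byte of that int, which happens to hold the value on little-endian hosts but is always 0 on big-endian ones, so verification would be silently skipped there even with ssl_verify_server_cert=yes. Pass a value of the expected type instead: `my_bool verify_server_cert = db->ssl_verify_server_cert != 0;` followed by `mysql_options(db->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify_server_cert);`. The enclosing function starts and ends outside the hunk.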
@@ -152,6 +157,7 @@
 	const char **field;
 
 	db->ssl_cipher = "HIGH";
+	db->ssl_verify_server_cert = 0; /* FIXME: change to 1 for v2.3 */
 
 	args = t_strsplit_spaces(connect_string, " ");
 	for (; *args != NULL; args++) {
@@ -187,7 +193,14 @@
 			field = &db->ssl_ca_path;
 		else if (strcmp(name, "ssl_cipher") == 0)
 			field = &db->ssl_cipher;
-		else if (strcmp(name, "option_file") == 0)
+		else if (strcmp(name, "ssl_verify_server_cert") == 0) {
+			if (strcmp(value, "yes") == 0)
+				db->ssl_verify_server_cert = 1;
+			else if (strcmp(value, "no") == 0)
+				db->ssl_verify_server_cert = 0;
+			else
+				i_fatal("mysql: Invalid boolean: %s", value);
+		} else if (strcmp(name, "option_file") == 0)
 			field = &db->option_file;
 		else if (strcmp(name, "option_group") == 0)
 			field = &db->option_group;
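Review bot: The new ssl_verify_server_cert branch consumes `value` itself and never assigns `field`, unlike the neighbouring string settings in the chain; the `const char **field` declared in the earlier hunk is not initialized there, so whether it is reset each loop iteration and null-checked before the post-chain store is outside this hunk and worth confirming, otherwise this setting could write `value` through a stale pointer. The comparison also accepts only the exact lowercase `yes`/`no`, which matches the documented syntax; if that is deliberate, a short comment such as `/* exact "yes"/"no" only, as documented in dovecot-sql.conf.ext */` above the strcmp lines would save the next reader a question. The enclosing parsing loop starts and ends outside the hunk.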

