Allow setting VERIFY_IDENTITY for MariaDB #1205
Conversation
|
I don't think the failures in CI here are related to the changes I've made. |
|
@sodabrew Are you willing to also release a new version once this fix is merged together with the other improvements around MariaDB handling that already have landed? |
This adds setup of a default CA path if there's no path provided by the user. This enables easier configuration of system level CA validation if the MySQL server has a certificate signed by a system root. On more and more cloud based MySQL platforms system signed CA certificates are used and this hides the issue of selecting the appropriate path from the user. The real longer term answer here is that this is a default that changes in libmysqlclient itself. The current situation here is mixed. When using MariaDB (including the changes in #1205), the default system roots are already loaded and used if no CA is provided. On MySQL itself on the other hand, a CA path is required today. I have also opened a PR to improve that, see mysql/mysql-server#358 & https://bugs.mysql.com/bug.php?id=104649.
This adds setup of a default CA path if there's no path provided by the user. This enables easier configuration of system level CA validation if the MySQL server has a certificate signed by a system root. On more and more cloud based MySQL platforms system signed CA certificates are used and this hides the issue of selecting the appropriate path from the user. The real longer term answer here is that this is a default that changes in libmysqlclient itself. The current situation here is mixed. When using MariaDB (including the changes in #1205), the default system roots are already loaded and used if no CA is provided. On MySQL itself on the other hand, a CA path is required today. I have also opened a PR to improve that, see mysql/mysql-server#358 & https://bugs.mysql.com/bug.php?id=104649.
This adds setup of a default CA path if there's no path provided by the user. This enables easier configuration of system level CA validation if the MySQL server has a certificate signed by a system root. On more and more cloud based MySQL platforms system signed CA certificates are used and this hides the issue of selecting the appropriate path from the user. The real longer term answer here is that this is a default that changes in libmysqlclient itself. The current situation here is mixed. When using MariaDB (including the changes in #1205), the default system roots are already loaded and used if no CA is provided. On MySQL itself on the other hand, a CA path is required today. I have also opened a PR to improve that, see mysql/mysql-server#358 & https://bugs.mysql.com/bug.php?id=104649.
This adds setup of a default CA path if there's no path provided by the user. This enables easier configuration of system level CA validation if the MySQL server has a certificate signed by a system root. On more and more cloud based MySQL platforms system signed CA certificates are used and this hides the issue of selecting the appropriate path from the user. The real longer term answer here is that this is a default that changes in libmysqlclient itself. The current situation here is mixed. When using MariaDB (including the changes in #1205), the default system roots are already loaded and used if no CA is provided. On MySQL itself on the other hand, a CA path is required today. I have also opened a PR to improve that, see mysql/mysql-server#358 & https://bugs.mysql.com/bug.php?id=104649.
There was a problem hiding this comment.
This looks excellent. Thank you for taking the time to carefully work these out. I have just one comment about modifying a comment - it wasn't clear to be if MariaDB will be taking the ifdef code path that is also used for MySQL 5.7.3 - 5.7.10.
I think long-term that supporting the brief set of versions MySQL 5.7.3 - 5.7.10 should just be dropped. Unless that same pattern is actually what MariaDB needs long-term, in which case I'd like to get the comments right to guide future-us correctly when it's deprecation time!
ext/mysql2/client.c
Outdated
| @@ -1676,10 +1689,15 @@ void init_mysql2_client() { | |||
| rb_const_set(cMysql2Client, rb_intern("SSL_MODE_REQUIRED"), INT2NUM(SSL_MODE_REQUIRED)); | |||
| rb_const_set(cMysql2Client, rb_intern("SSL_MODE_VERIFY_CA"), INT2NUM(SSL_MODE_VERIFY_CA)); | |||
| rb_const_set(cMysql2Client, rb_intern("SSL_MODE_VERIFY_IDENTITY"), INT2NUM(SSL_MODE_VERIFY_IDENTITY)); | |||
| #elif defined(HAVE_CONST_MYSQL_OPT_SSL_ENFORCE) // MySQL 5.7.3 - 5.7.10 | |||
| #else | |||
| #ifdef HAVE_CONST_MYSQL_OPT_SSL_VERIFY_SERVER_CERT // MySQL 5.7.3 - 5.7.10 | |||
There was a problem hiding this comment.
and MariaDB xx .. [yy? and above?]
It is what MariaDB needs long-term, they are still using those options for the latest versions so I don't think they can be removed / deprecated unless MariaDB compatibility is explicitly dropped. I'll update the comments accordingly as well. |
This adds support for setting the VERIFY_IDENTITY mode with MariaDB. On MariaDB, the `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` option is available which is equivalent to `VERIFY_IDENTITY`. Many containers with Ruby apps are based on Debian where MariaDB is the standard provided, so this improves support there significantly.
Also removed the check for a potential MariaDB 11.x since there's no indication that this behavior will change in MariaDB.
dbussink
force-pushed
the
ssl-mode-verify-identity-mariadb
branch
from
17afcce to
bcad0e0
Compare
| GET_CLIENT(self); | ||
| int val = NUM2INT( setting ); | ||
| // Either MySQL 5.7.3 - 5.7.10, or Connector/C 6.1.3 - 6.1.x, or MariaDB 10.x | ||
| if ((version >= 50703 && version < 50711) || (version >= 60103 && version < 60200) || (version >= 100000 && version < 110000)) { |
There was a problem hiding this comment.
I have updated the comments and also dropped the < 110000 here since there's no indication that MariaDB will change here for any future version (there's no 11.0 yet though, but I think it would likely break if they'd release such a version).
|
@sodabrew Alright, updated things here. I was on vacation for a bit so only came back to it now 😄. |
This adds support for setting the VERIFY_IDENTITY mode with MariaDB. On MariaDB, the
MYSQL_OPT_SSL_VERIFY_SERVER_CERToption is available which is equivalent toVERIFY_IDENTITY.Many containers with Ruby apps are based on Debian where MariaDB is the standard provided, so this improves support there significantly.