Georgi Kodinov authored
Added support for --ssl-crl and --ssl-crlpath to all client and server binaries that work with OpenSSL. You can specify none, one or both of the above.

--ssl-crl takes a file path for PEM encoded certificate revocation lists. The relevant file is parsed and loaded into the X509 store of the SSL context.

--ssl-crlpath takes a directory path. This directory must contain PEM encoded CRL (or other) files that are named by their hash value, e.g. <hash_value>.r[0-9]. See OpenSSL's X509_STORE_load_locations() for more details of the above.

Note that if none of the --ssl-crl* options is specified no CRL checks will be performed, even if the -capath contains certificate revocation lists.

Added Master_SSL_crl and Master_SSL_CRLPATH to CHANGE MASTER command.

Added new columns Ssl_crl and Ssl_crlpath to mysql.slave_master_info system table.

Reengineered mysql_ssl_set() in the C API into a number of mysql_options calls as follows (while keeping mysql_ssl_set()):

    mysql_ssl_set(mysql, key, cert, ca, capath, cipher)
    {
      mysql_options(mysql, MYSQL_OPT_SSL_KEY, key)
      mysql_options(mysql, MYSQL_OPT_SSL_CERT, cert)
      mysql_options(mysql, MYSQL_OPT_SSL_CA, ca)
      mysql_options(mysql, MYSQL_OPT_SSL_CAPATH, capath)
      mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher)
    }

Added two new mysql_options that correspond to the command line calls: MYSQL_OPT_SSL_CRL and MYSQL_OPT_SSL_CRLPATH. Made sure these play nicely with the ABI by using the extension.

Added tests and a set of cryptographic keys and crls to test the new options. Extended the mtr ssl check to find the new tests.

Made sure that on yaSSL these options are a no-op for the server.
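An added example, not part of this commit or the MySQL code base: a pre-deployment audit of a directory intended for --ssl-crlpath, checking the <hash_value>.r[0-9] naming the message requires. It assumes OpenSSL's hashed-directory lookup behaviour (8 lowercase hex digits, probing .r0, .r1, ... until a number is missing); the function names, sample hashes and file bodies are constructed placeholders.

```python
import os
import re
import tempfile

# OpenSSL's hashed-directory lookup opens <8 hex digits>.r<N> for CRLs
# and <8 hex digits>.<N> for certificates.
CRL_NAME = re.compile(r"^([0-9a-f]{8})\.r(\d+)$")
CERT_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_CRL = "-----BEGIN X509 CRL-----"

def audit_crlpath(directory):
    """Return sorted (filename, problem) pairs for a CRL directory."""
    problems, seen = [], {}  # seen: hash -> sequence numbers present
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or CERT_NAME.match(name):
            continue  # subdirectories and hashed CA certificates are fine
        m = CRL_NAME.match(name)
        if not m:
            problems.append((name, "not named <hash>.r<N>, never looked up"))
            continue
        seen.setdefault(m.group(1), set()).add(int(m.group(2)))
        with open(path, errors="replace") as fh:
            if PEM_CRL not in fh.read():
                problems.append((name, "no PEM X509 CRL block"))
    for h, seqs in seen.items():
        first_gap = 0  # lookup starts at .r0, stops at first missing number
        while first_gap in seqs:
            first_gap += 1
        for n in sorted(s for s in seqs if s > first_gap):
            problems.append((f"{h}.r{n}", f"unreachable: {h}.r{first_gap} is missing"))
    return sorted(problems)

def build_sample(directory):
    """Write a constructed directory; hashes and bodies are placeholders."""
    crl = PEM_CRL + "\n(constructed)\n-----END X509 CRL-----\n"
    cert = "-----BEGIN CERTIFICATE-----\n(constructed)\n"
    files = {"1a2b3c4d.0": cert, "1a2b3c4d.r0": crl, "1a2b3c4d.r2": crl,
             "5e6f7a8b.r0": cert, "revoked.pem": crl}
    for name, body in files.items():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, problem in audit_crlpath(d):
            print(f"{name}: {problem}")
```

A CRL file the lookup never opens fails silently: the connection is still accepted, only without that revocation data, so a check like this is worth running whenever the directory is regenerated.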