ODBC-141 Certificate validation is now explicitly turned off

Unless selected otherwise. The connection option `trustServerCertificate` responsible for that is now properly documented in the README(.md). It is true by default, which means that the server certificate is not verified. Unless it is set to false, it now also causes certificate verification to be explicitly turned off. That enables the connector to work without problems with C/C 3.4.
This commit is contained in:
Lawrin Novitsky
2025-02-27 17:41:32 +01:00
parent 9bb717ca28
commit a36ff95ac6
4 changed files with 13 additions and 6 deletions

README

@ -88,6 +88,8 @@ tlsPeerFP A SHA1 fingerprint of a server certificate for validation during the
tlsPeerFPList A file containing one or more SHA1 fingerprints of server certificates
for validation during the TLS handshake. string tlsPeerFpList, MARIADB_OPT_SSL_FP_LIST
trustServerCertificate When using TLS, do not check server's certificate(def. true) bool
serverRsaPublicKeyFile The name of the file which contains the RSA public key of the
database server. The format of this file must be in PEM format. This
option is used by the caching_sha2_password client authentication plugin string rsaKey


@ -78,6 +78,7 @@ The list of supported options:
| **`tlsCRLPath`** |A path to a directory that contains one or more PEM files that should each contain one revoked X509 certificate. The directory specified by this option needs to be run through the openssl rehash command. This option is only supported if the connector was built with OpenSSL.|*string* ||tlsCrlPath, sslCRLPath|
| **`tlsPeerFP`** |A SHA1 fingerprint of a server certificate for validation during the TLS handshake.|*string* ||tlsPeerFp, MARIADB_OPT_SSL_FP|
| **`tlsPeerFPList`** |A file containing one or more SHA1 fingerprints of server certificates for validation during the TLS handshake.|*string* ||tlsPeerFpList, MARIADB_OPT_SSL_FP_LIST|
| **`trustServerCertificate`** |When using TLS, do not check server's certificate.|*bool* |true||
| **`serverRsaPublicKeyFile`** |The name of the file which contains the RSA public key of the database server. The format of this file must be in PEM format. This option is used by the caching_sha2_password client authentication plugin.|*string* ||rsaKey|
| **`useCompression`** |Compresses the exchange with the database|*bool* |false|CLIENT_COMPRESS|
| **`jdbcCompliantTruncation`** |Truncation error will be thrown as error, and not as warning|*bool* |true||


@ -204,11 +204,12 @@ namespace sql
" implements javax.net.SocketFactory.",
false}},
{
"pinGlobalTxToPhysicalConnection", {"pinGlobalTxToPhysicalConnection", "0.9.1", "", false, false}},
"pinGlobalTxToPhysicalConnection", {"pinGlobalTxToPhysicalConnection", "0.9.1", "", false, false}
},
{
"trustServerCertificate", {"trustServerCertificate",
"0.9.2",
"When using SSL, do not check server's certificate.",
"1.0.5",
"When using TLS, do not check server's certificate.",
false,
true}
},


@ -1,5 +1,5 @@
/************************************************************************************
Copyright (C) 2020,2023 MariaDB Corporation AB
Copyright (C) 2020,2025 MariaDB Corporation plc
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public
@ -37,7 +37,7 @@ namespace mariadb
{
namespace capi
{
static const char OptionSelected= 1, OptionNotSelected= 0;
static const char OptionSelected= '\1', OptionNotSelected= '\0';
static const unsigned int uintOptionSelected= 1, uintOptionNotSelected= 0;
const char * attrPairSeparators= ",";
@ -559,7 +559,10 @@ namespace capi
//sslSocket->startHandshake();
if (!options->disableSslHostnameVerification && !options->trustServerCertificate) {
mysql_optionsv(connection.get(), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (const char*)&safeCApiTrue);
mysql_optionsv(connection.get(), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (const char*)&OptionSelected);
}
else {
mysql_optionsv(connection.get(), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (const char*)&OptionNotSelected);
}
assignStream(options);
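Review bot: The new `else` branch that passes `&OptionNotSelected` to `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` is taken whenever `trustServerCertificate` keeps its default of `true` (the options-table entry and README rows in this same commit), so an out-of-the-box TLS connection now actively switches server-certificate verification off and accepts any certificate, including one presented by an active man-in-the-middle, even when the user supplied `tlsCA`/`tlsPeerFP` unless something outside this hunk re-enables it. The description hints that Connector/C 3.4 verifies by default, so this override turns a safer library default back into an unauthenticated one rather than adopting it. The same branch also fires when only `disableSslHostnameVerification` is set (the surviving condition on the `if` line), which appears to drop chain validation along with the hostname check; if Connector/C has no hostname-only switch, that deserves a sentence in the README. I would flip the default in the Driver.cpp entry from `true}` to `false}`, or, if the default must stay for compatibility, log a warning in the `else` branch and mark it `// Security: explicitly disabling verification makes TLS accept any server certificate; only reached when the user opted out`. The enclosing function starts before and continues after this hunk, so I cannot confirm here whether other TLS options influence this decision.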