authorMax Lohrmann <dmoagx@users.noreply.github.com>2017-05-21 04:37:40 +0200
committerMax Lohrmann <dmoagx@users.noreply.github.com>2017-05-21 04:37:40 +0200
commit67649f01d870037722aaee437c38a6da12c3b215 (patch)
treef803e00cd637dd1da41668f01483e5d690db70fe
parent69509f9169f309486ccf4d633c1566d569aae860 (diff)
SPMySQL will now enforce SSL connections when requested (#2499)
Previously we could only *request* SSL, but if the server didn’t support it, libmysqlclient would go ahead anyway. This is fixed in MySQL 5.5.55.
-rw-r--r--Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m19
1 files changed, 19 insertions, 0 deletions
diff --git a/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m b/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m
index 4810edb4..f581c03c 100644
--- a/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m
+++ b/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m
@@ -668,7 +668,26 @@ static uint64_t _elapsedMicroSecondsSinceAbsoluteTime(uint64_t comparisonTime)
theSSLCiphers = [sslCipherList UTF8String];
}
+ // Calling mysql_ssl_set() to libmysqlclient only means that connecting with SSL would be nice.
+ // If the server doesn't support SSL though, it will *silently* fall back to plaintext and in the worst case even transmit
+ // the password in cleartext.
+ //
+ // Setting MYSQL_OPT_SSL_MODE is required, to actually make it abort the connection if the server doesn't signal SSL support.
+ //
+ // mysql 5.5.55+
+ // mysql 5.6.36+
+ // mysql 5.7.11+ (5.7.3 - 5.7.10 with a different name)
+ // mysql 8.0+
mysql_ssl_set(theConnection, theSSLKeyFilePath, theSSLCertificatePath, theCACertificatePath, NULL, theSSLCiphers);
+ enum mysql_ssl_mode opt_ssl_mode = SSL_MODE_REQUIRED;
+ if(mysql_options(theConnection, MYSQL_OPT_SSL_MODE, (void *)&opt_ssl_mode)) {
+ if(isMaster) {
+ [self _updateLastErrorMessage:@"libmysqlclient is missing support for MYSQL_OPT_SSL_MODE"];
+ [self _updateLastSqlstate:@"HY000"];
+ [self _updateLastErrorID:2026];
+ }
+ return NULL;
+ }
}
MYSQL *connectionStatus = mysql_real_connect(theConnection, theHost, theUsername, thePassword, NULL, (unsigned int)port, theSocket, [self clientFlags]);