From 67649f01d870037722aaee437c38a6da12c3b215 Mon Sep 17 00:00:00 2001 From: Max Lohrmann Date: Sun, 21 May 2017 04:37:40 +0200 Subject: SPMySQL will now enforce SSL connections when requested (#2499) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously we could only *request* SSL, but if the server didn’t support it, libmysqlclient would go ahead anyway. This is fixed in MySQL 5.5.55. --- .../SPMySQLFramework/Source/SPMySQLConnection.m | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'Frameworks') diff --git a/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m b/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m index 4810edb4..f581c03c 100644 --- a/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m +++ b/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m @@ -668,7 +668,26 @@ static uint64_t _elapsedMicroSecondsSinceAbsoluteTime(uint64_t comparisonTime) theSSLCiphers = [sslCipherList UTF8String]; } + // Calling mysql_ssl_set() to libmysqlclient only means that connecting with SSL would be nice. + // If the server doesn't support SSL though, it will *silently* fall back to plaintext and in the worst case even transmit + // the password in cleartext. + // + // Setting MYSQL_OPT_SSL_MODE is required, to actually make it abort the connection if the server doesn't signal SSL support. + // + // mysql 5.5.55+ + // mysql 5.6.36+ + // mysql 5.7.11+ (5.7.3 - 5.7.10 with a different name) + // mysql 8.0+ mysql_ssl_set(theConnection, theSSLKeyFilePath, theSSLCertificatePath, theCACertificatePath, NULL, theSSLCiphers); + enum mysql_ssl_mode opt_ssl_mode = SSL_MODE_REQUIRED; + if(mysql_options(theConnection, MYSQL_OPT_SSL_MODE, (void *)&opt_ssl_mode)) { + if(isMaster) { + [self _updateLastErrorMessage:@"libmysqlclient is missing support for MYSQL_OPT_SSL_MODE"]; + [self _updateLastSqlstate:@"HY000"]; + [self _updateLastErrorID:2026]; + } + return NULL; + } } MYSQL *connectionStatus = mysql_real_connect(theConnection, theHost, theUsername, thePassword, NULL, (unsigned int)port, theSocket, [self clientFlags]); -- cgit v1.2.3