Bug #12918 SSL for MyODBC
Submitted: 31 Aug 2005 20:36 Modified: 20 Jul 2007 11:21
Reporter: [ name withheld ]
Status: Closed
Category: Connector / ODBC Severity: S4 (Feature request)
Version: 3.51, 5 OS: Any (Any)
Assigned to: Bogdan Degtyariov
Tags: Contribution
Triage: D5 (Feature request)

[31 Aug 2005 20:36] [ name withheld ]
Is it possible to add SSL support for MyODBC, so that the data is sent encrypted over the wire, and perhaps cert authentication?

How to repeat:
not possible, it's a feature request :)
[11 Mar 2007 3:04] Benjamin Peikes
I second this request. Looking forward to seeing the support added.
[15 Mar 2007 23:20] Russell Levy
Patch for Connector/ODBC 5 trunk

Attachment: ssl.patch (application/octet-stream, text), 13.82 KiB.

[26 Mar 2007 13:09] Russell Levy
SSL Patch for Connector/ODBC 3.51

Attachment: ssl-3.51.patch (application/octet-stream, text), 18.21 KiB.

[28 Mar 2007 17:50] Bogdan Degtyariov
Patch looks ok, with some additions.
1. In order to avoid linking problems there should be #ifdef HAVE_OPENSSL before mysql_ssl_set(...).
2. There is no mysql_ssl_set(...) function for SQLConnect. The patch suggests it only for SQLDriverConnect.
3. If FLAG_USE_MYCNF is set, but no parameters in DSN or Connection String point to .pem files, MyODBC should get these params from the [odbc] section in my.cnf file and initialize the parameters for mysql_ssl_set().
4. Current release of MyODBC GUI does not have any inputs for client-key, client-cert, ca-cert, cert-directory and ciphers parameters. So, such things should be added as well.
[28 Mar 2007 18:04] Russell Levy
Hi Bogdan,
Thanks for looking over the patch. I assume most of your comments are on the 3.51 patch, as I think the v5 patch deals with the issues mentioned because of the different architecture.

I don't think the #ifdef is needed, as the function mysql_ssl_set() still exists in the client library even when SSL is not compiled in; it just doesn't do anything.

SSL is not set in SQLDriverConnect because I wasn't able to figure out how to get it extra parameters. 

I'm not too familiar with the code base; the only reference to the flag I found was in connect.c; would it read any values in my.cnf?
[28 Mar 2007 18:52] Bogdan Degtyariov

thanks for your patch. Yes, my comments are about the patch for 3.51.
According to the coding style used in the utilities (such as mysql command line client) distributed with mysql server, we should use #ifdef.

You wrote the code that extracts the info about SSL params from DSN, so SQLConnect should work in the same way. It is not a problem as SQLConnect SSL stuff is easy to implement.

MyODBC can get the parameter values from my.cnf, but as I mentioned before we have to add the proper implementation for getting info about SSL options.
[28 Mar 2007 18:57] Russell Levy
Hi Bogdan,
My CLA# is CLA#39

Both patches that have been previously attached to this bug are subject to the CLA 0.3 (the version to which I agreed).

Are you going to make the changes, or should I start playing around in it again?
[28 Mar 2007 19:17] Bogdan Degtyariov

I am going to make changes in the patch for 3.51.
[6 Apr 2007 22:19] Bogdan Degtyariov
updated patch with SQLConnect and loading SSL options from my.cnf

Attachment: sslpatch.diff (application/octet-stream, text), 20.41 KiB.

[9 Apr 2007 23:35] Jim Winstead
Some comments on Bogdan's patch for v3:

* opt_ssl_verify_server_cert isn't "Not needed", it's just "Not used". If we can pass NULL to mysql_options(..., MYSQL_OPT_SSL_VERIFY_SERVER_CERT, ...), or not call it, that would be even better. (Well, best of all would be adding a way to enable this.)

* Why does this patch add handling for 'uid' and 'pwd'?

* There is a comment about setting "sslcipher" to "ALL" when it is not specified, but I don't see how that is implemented.

* Some of the new code has DOS end-of-lines.

* Some tabs are used instead of spaces (such as in MYODBCUtil.h).

Once these issues are addressed, the patch looks okay.
[22 May 2007 14:59] Jim Winstead
Support for SSL was committed to the source repository, and will be in 3.51.16.
[20 Jul 2007 11:21] MC Brown
The entry has been noted in the changelog for 3.51.16: 

Connector/ODBC now supports using SSL for communication. This
is not yet exposed in the setup GUI, but must be enabled
through configuration files or the DSN.

The documentation for the connection parameters in http://dev.mysql.com/doc/refman/5.1/en/myodbc-configuration-connection-parameters.html has also been updated.