From d599fe2613f4beca6219083014a995aeb5ebc827 Mon Sep 17 00:00:00 2001
From: Arthur Gautier
Date: Thu, 10 Mar 2016 23:38:30 +0000
Subject: [PATCH] vio: Handling of cerficate chains

While using pki and client certificates, clients fails to validate the server's certificate and server fails to validate client certifiate.

PKI may look like this:

+---------+
| Root CA |
+---------+
|
/-------+---------\
| |
+----------+ +-----------+
| MySQL CA | | Client CA |
+----------+ +-----------+
| |
+-------------+ +-------------+
| Server | | Client |
| certificate | | certificate |
+-------------+ +-------------+

my.cnf:
```
[mysqld]
ssl
ssl_ca=(clientca.crt rootca.crt)
ssl_cert=(server.crt mysqlca.crt)
ssl_key=(server.key)
[mysql]
ssl
ssl_ca=(rootca.crt)
ssl_cert=(clientcertificate.crt clientca.crt)
ssl_key=(client.key)
ssl-verify-server-cert=1
```

mysqld will now send the full chain allowing a client to validate the servers certificate.
mysql will now send the full chain allowing a server to validate the client certificate.

Fixup: 677fd7c51263b

Signed-off-by: Arthur Gautier
---
 vio/viosslfactories.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index d10e222fd135..12b9d92d2ff0 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -191,7 +191,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
     key_file= cert_file;
 
   if (cert_file &&
-      SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
+      SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0)
   {
     *error= SSL_INITERR_CERT;
     DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
-- 
2.7.0
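Review bot: The new `SSL_CTX_use_certificate_chain_file` call does not validate the chain it loads, so a file whose end-entity certificate is not first, or whose intermediates are out of issuing order, is accepted here and only fails later as a verification error on the peer; the `*error= SSL_INITERR_CERT` branch in this hunk will not report it. A comment on the new call should state the file-format contract the option now carries, e.g. `/* PEM file: end-entity certificate first, then its issuing CAs in order; OpenSSL does not validate the chain at load time, so ordering mistakes surface only as peer-side verification failures */`. The old call passed `SSL_FILETYPE_PEM` and the chain loader reads PEM only, so no supported format is lost; if this code can also be built against the bundled yaSSL rather than OpenSSL, confirm that entry point is available there as well. vio_set_cert_stuff continues outside the hunk.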