diff -rc mysql-5.1.40/Docs/mysql.info mysql-5.1.40-ssl-crl-support/Docs/mysql.info *** mysql-5.1.40/Docs/mysql.info 2009-10-06 13:55:47.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/Docs/mysql.info 2009-10-30 23:50:08.000000000 -0400 *************** *** 87493,87498 **** --- 87493,87499 ---- Master_SSL_Allowed: No Master_SSL_CA_File: Master_SSL_CA_Path: + Master_SSL_CRL: Master_SSL_Cert: Master_SSL_Cipher: Master_SSL_Key: *************** *** 87692,87698 **** stops executing. * `Master_SSL_Allowed', `Master_SSL_CA_File', `Master_SSL_CA_Path', ! `Master_SSL_Cert', `Master_SSL_Cipher', `Master_SSL_Key' These fields show the SSL parameters used by the slave to connect to the master, if any. --- 87693,87699 ---- stops executing. * `Master_SSL_Allowed', `Master_SSL_CA_File', `Master_SSL_CA_Path', ! `Master_SSL_Cert', `Master_SSL_Cipher', `Master_SSL_Key', `Master_SSL_CRL' These fields show the SSL parameters used by the slave to connect to the master, if any. *************** *** 87708,87715 **** The values of the other SSL-related fields correspond to the values of the `MASTER_SSL_CA', `MASTER_SSL_CAPATH', ! `MASTER_SSL_CERT', `MASTER_SSL_CIPHER', `MASTER_SSL_KEY', and ! `MASTER_SSL_VERIFY_SERVER_CERT' options to the *Note `CHANGE MASTER TO': change-master-to. statement. See *Note change-master-to::. `MASTER_SSL_VERIFY_SERVER_CERT' was added in MySQL 5.1.18. --- 87709,87716 ---- The values of the other SSL-related fields correspond to the values of the `MASTER_SSL_CA', `MASTER_SSL_CAPATH', ! `MASTER_SSL_CERT', `MASTER_SSL_CIPHER', `MASTER_SSL_KEY',`MASTER_SSL_CRL' ! and `MASTER_SSL_VERIFY_SERVER_CERT' options to the *Note `CHANGE MASTER TO': change-master-to. statement. See *Note change-master-to::. `MASTER_SSL_VERIFY_SERVER_CERT' was added in MySQL 5.1.18. 
*************** *** 89045,89050 **** --- 89046,89052 ---- | MASTER_SSL_CA = 'CA_FILE_NAME' | MASTER_SSL_CAPATH = 'CA_DIRECTORY_NAME' | MASTER_SSL_CERT = 'CERT_FILE_NAME' + | MASTER_SSL_CRL = 'CRL_FILE_NAME' | MASTER_SSL_KEY = 'KEY_FILE_NAME' | MASTER_SSL_CIPHER = 'CIPHER_LIST' | MASTER_SSL_VERIFY_SERVER_CERT = {0|1} *************** *** 89055,89061 **** `relay-log.info' files. `MASTER_USER', `MASTER_PASSWORD', `MASTER_SSL', `MASTER_SSL_CA', ! `MASTER_SSL_CAPATH', `MASTER_SSL_CERT', `MASTER_SSL_KEY', `MASTER_SSL_CIPHER', and `MASTER_SSL_VERIFY_SERVER_CERT' provide information to the slave about how to connect to its master. `MASTER_SSL_VERIFY_SERVER_CERT' was added in MySQL 5.1.18. It is used --- 89057,89063 ---- `relay-log.info' files. `MASTER_USER', `MASTER_PASSWORD', `MASTER_SSL', `MASTER_SSL_CA', ! `MASTER_SSL_CAPATH', `MASTER_SSL_CERT', `MASTER_SSL_KEY', `MASTER_SSL_CRL' `MASTER_SSL_CIPHER', and `MASTER_SSL_VERIFY_SERVER_CERT' provide information to the slave about how to connect to its master. `MASTER_SSL_VERIFY_SERVER_CERT' was added in MySQL 5.1.18. It is used *************** *** 89068,89077 **** more information, see *Note replication-options::. The SSL options (`MASTER_SSL', `MASTER_SSL_CA', `MASTER_SSL_CAPATH', ! `MASTER_SSL_CERT', `MASTER_SSL_KEY', `MASTER_SSL_CIPHER'), and ! `MASTER_SSL_VERIFY_SERVER_CERT' can be changed even on slaves that are ! compiled without SSL support. They are saved to the `master.info' file, ! but are ignored unless you use a server that has SSL support enabled. If you do not specify a given parameter, it keeps its old value, except as indicated in the following discussion. For example, if the password --- 89070,89080 ---- more information, see *Note replication-options::. The SSL options (`MASTER_SSL', `MASTER_SSL_CA', `MASTER_SSL_CAPATH', ! `MASTER_SSL_CERT', `MASTER_SSL_KEY', `MASTER_SSL_CRL', ! `MASTER_SSL_CIPHER'), and `MASTER_SSL_VERIFY_SERVER_CERT' can be ! changed even on slaves that are compiled without SSL support. 
They are ! saved to the `master.info' file, but are ignored unless you use a ! server that has SSL support enabled. If you do not specify a given parameter, it keeps its old value, except as indicated in the following discussion. For example, if the password *************** *** 124137,124142 **** --- 124140,124146 ---- Master_SSL_CA_File: Master_SSL_CA_Path: Master_SSL_Cert: + Master_SSL_CRL: Master_SSL_Cipher: Master_SSL_Key: Seconds_Behind_Master: 0 *************** *** 125079,125084 **** --- 125083,125089 ---- MASTER_SSL=1, \ MASTER_SSL_CA = 'ca_file_name', \ MASTER_SSL_CAPATH = 'ca_directory_name', \ + MASTER_SSL_CRL = 'crl_file_name', \ MASTER_SSL_CERT = 'cert_file_name', \ MASTER_SSL_KEY = 'key_file_name'; *************** *** 127467,127476 **** Authority (CA) certificates. 12 `Master_SSL_Cert' The name of the SSL certificate file. ! 13 `Master_SSL_Cipher' The name of the cipher in use for the SSL connection. ! 14 `Master_SSL_Key' The name of the SSL key file. ! 15 `Master_SSL_Verify_Server_Cert'Whether to verify the server certificate. `Master_SSL_Verify_Server_Cert' is present in `master.info' as of MySQL --- 127472,127482 ---- Authority (CA) certificates. 12 `Master_SSL_Cert' The name of the SSL certificate file. ! 13 `Master_SSL_CRL' The name of the SSL CRL file. ! 14 `Master_SSL_Cipher' The name of the cipher in use for the SSL connection. ! 15 `Master_SSL_Key' The name of the SSL key file. ! 16 `Master_SSL_Verify_Server_Cert'Whether to verify the server certificate. 
`Master_SSL_Verify_Server_Cert' is present in `master.info' as of MySQL diff -rc mysql-5.1.40/client/client_priv.h mysql-5.1.40-ssl-crl-support/client/client_priv.h *** mysql-5.1.40/client/client_priv.h 2009-10-06 13:46:14.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/client/client_priv.h 2009-11-02 08:32:50.000000000 -0500 *************** *** 42,48 **** OPT_LINE_NUMBERS, OPT_COLUMN_NAMES, OPT_CONNECT_TIMEOUT, OPT_MAX_ALLOWED_PACKET, OPT_NET_BUFFER_LENGTH, OPT_SELECT_LIMIT, OPT_MAX_JOIN_SIZE, OPT_SSL_SSL, ! OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, OPT_SSL_CAPATH, OPT_SSL_CIPHER, OPT_SHUTDOWN_TIMEOUT, OPT_LOCAL_INFILE, OPT_DELETE_MASTER_LOGS, OPT_COMPACT, OPT_PROMPT, OPT_IGN_LINES,OPT_TRANSACTION,OPT_MYSQL_PROTOCOL, --- 42,48 ---- OPT_LINE_NUMBERS, OPT_COLUMN_NAMES, OPT_CONNECT_TIMEOUT, OPT_MAX_ALLOWED_PACKET, OPT_NET_BUFFER_LENGTH, OPT_SELECT_LIMIT, OPT_MAX_JOIN_SIZE, OPT_SSL_SSL, ! OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, OPT_SSL_CAPATH, OPT_SSL_CRL, OPT_SSL_CIPHER, OPT_SHUTDOWN_TIMEOUT, OPT_LOCAL_INFILE, OPT_DELETE_MASTER_LOGS, OPT_COMPACT, OPT_PROMPT, OPT_IGN_LINES,OPT_TRANSACTION,OPT_MYSQL_PROTOCOL, diff -rc mysql-5.1.40/client/mysql.cc mysql-5.1.40-ssl-crl-support/client/mysql.cc *** mysql-5.1.40/client/mysql.cc 2009-10-06 13:46:16.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/client/mysql.cc 2009-10-30 23:46:28.000000000 -0400 *************** *** 543,548 **** --- 543,549 ---- { "MASTER_SSL_CA", 0, 0, 0, ""}, { "MASTER_SSL_CAPATH", 0, 0, 0, ""}, { "MASTER_SSL_CERT", 0, 0, 0, ""}, + { "MASTER_SSL_CRL", 0, 0, 0, ""}, { "MASTER_SSL_CIPHER", 0, 0, 0, ""}, { "MASTER_SSL_KEY", 0, 0, 0, ""}, { "MASTER_USER", 0, 0, 0, ""}, *************** *** 4217,4224 **** mysql_options(&mysql,MYSQL_OPT_LOCAL_INFILE, (char*) &opt_local_infile); #ifdef HAVE_OPENSSL if (opt_use_ssl) ! mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! 
opt_ssl_capath, opt_ssl_cipher); mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif --- 4218,4225 ---- mysql_options(&mysql,MYSQL_OPT_LOCAL_INFILE, (char*) &opt_local_infile); #ifdef HAVE_OPENSSL if (opt_use_ssl) ! mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_crl, opt_ssl_cipher); mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif diff -rc mysql-5.1.40/client/mysqladmin.cc mysql-5.1.40-ssl-crl-support/client/mysqladmin.cc *** mysql-5.1.40/client/mysqladmin.cc 2009-10-06 13:46:17.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/client/mysqladmin.cc 2009-10-30 23:20:44.000000000 -0400 *************** *** 338,344 **** #ifdef HAVE_OPENSSL if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_cipher); mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif --- 338,344 ---- #ifdef HAVE_OPENSSL if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_crl, opt_ssl_cipher); mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif diff -rc mysql-5.1.40/client/mysqlcheck.c mysql-5.1.40-ssl-crl-support/client/mysqlcheck.c *** mysql-5.1.40/client/mysqlcheck.c 2009-10-06 13:46:18.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/client/mysqlcheck.c 2009-10-30 23:20:54.000000000 -0400 *************** *** 790,796 **** #ifdef HAVE_OPENSSL if (opt_use_ssl) mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_cipher); #endif if (opt_protocol) mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); --- 790,796 ---- #ifdef HAVE_OPENSSL if (opt_use_ssl) mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! 
opt_ssl_capath, opt_ssl_crl, opt_ssl_cipher); #endif if (opt_protocol) mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); diff -rc mysql-5.1.40/client/mysqldump.c mysql-5.1.40-ssl-crl-support/client/mysqldump.c *** mysql-5.1.40/client/mysqldump.c 2009-10-06 13:46:18.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/client/mysqldump.c 2009-10-30 23:21:21.000000000 -0400 *************** *** 1460,1466 **** #ifdef HAVE_OPENSSL if (opt_use_ssl) mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_cipher); mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif --- 1460,1466 ---- #ifdef HAVE_OPENSSL if (opt_use_ssl) mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_crl, opt_ssl_cipher); mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif diff -rc mysql-5.1.40/client/mysqlimport.c mysql-5.1.40-ssl-crl-support/client/mysqlimport.c *** mysql-5.1.40/client/mysqlimport.c 2009-10-06 13:46:18.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/client/mysqlimport.c 2009-10-30 23:21:28.000000000 -0400 *************** *** 430,436 **** #ifdef HAVE_OPENSSL if (opt_use_ssl) mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_cipher); mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif --- 430,436 ---- #ifdef HAVE_OPENSSL if (opt_use_ssl) mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! 
opt_ssl_capath, opt_ssl_crl, opt_ssl_cipher); mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif diff -rc mysql-5.1.40/client/mysqlshow.c mysql-5.1.40-ssl-crl-support/client/mysqlshow.c *** mysql-5.1.40/client/mysqlshow.c 2009-10-06 13:46:18.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/client/mysqlshow.c 2009-10-30 23:21:43.000000000 -0400 *************** *** 109,115 **** #ifdef HAVE_OPENSSL if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_cipher); mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif --- 109,115 ---- #ifdef HAVE_OPENSSL if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_crl, opt_ssl_cipher); mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif diff -rc mysql-5.1.40/client/mysqlslap.c mysql-5.1.40-ssl-crl-support/client/mysqlslap.c *** mysql-5.1.40/client/mysqlslap.c 2009-10-06 13:46:19.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/client/mysqlslap.c 2009-10-30 23:21:48.000000000 -0400 *************** *** 328,334 **** #ifdef HAVE_OPENSSL if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_cipher); #endif if (opt_protocol) mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); --- 328,334 ---- #ifdef HAVE_OPENSSL if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! 
opt_ssl_capath, opt_ssl_crl, opt_ssl_cipher); #endif if (opt_protocol) mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); diff -rc mysql-5.1.40/client/mysqltest.cc mysql-5.1.40-ssl-crl-support/client/mysqltest.cc *** mysql-5.1.40/client/mysqltest.cc 2009-10-06 13:46:19.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/client/mysqltest.cc 2009-11-02 08:35:55.000000000 -0500 *************** *** 5016,5022 **** if (opt_use_ssl || con_ssl) { mysql_ssl_set(&con_slot->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_cipher); #if MYSQL_VERSION_ID >= 50000 /* Turn on ssl_verify_server_cert only if host is "localhost" */ opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost"); --- 5016,5022 ---- if (opt_use_ssl || con_ssl) { mysql_ssl_set(&con_slot->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_crl, opt_ssl_cipher); #if MYSQL_VERSION_ID >= 50000 /* Turn on ssl_verify_server_cert only if host is "localhost" */ opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost"); *************** *** 7664,7670 **** if (opt_use_ssl) { mysql_ssl_set(&con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! opt_ssl_capath, opt_ssl_cipher); #if MYSQL_VERSION_ID >= 50000 /* Turn on ssl_verify_server_cert only if host is "localhost" */ opt_ssl_verify_server_cert= opt_host && !strcmp(opt_host, "localhost"); --- 7664,7670 ---- if (opt_use_ssl) { mysql_ssl_set(&con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, ! 
opt_ssl_capath, opt_ssl_crl, opt_ssl_cipher); #if MYSQL_VERSION_ID >= 50000 /* Turn on ssl_verify_server_cert only if host is "localhost" */ opt_ssl_verify_server_cert= opt_host && !strcmp(opt_host, "localhost"); diff -rc mysql-5.1.40/include/mysql.h mysql-5.1.40-ssl-crl-support/include/mysql.h *** mysql-5.1.40/include/mysql.h 2009-10-06 13:46:50.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/include/mysql.h 2009-11-02 08:14:06.000000000 -0500 *************** *** 181,186 **** --- 181,187 ---- char *ssl_cert; /* PEM cert file */ char *ssl_ca; /* PEM CA file */ char *ssl_capath; /* PEM directory of CA-s? */ + char *ssl_crl; /* PEM CRL file */ char *ssl_cipher; /* cipher to use */ char *shared_memory_base_name; unsigned long max_allowed_packet; *************** *** 432,438 **** MYSQL * STDCALL mysql_init(MYSQL *mysql); my_bool STDCALL mysql_ssl_set(MYSQL *mysql, const char *key, const char *cert, const char *ca, ! const char *capath, const char *cipher); const char * STDCALL mysql_get_ssl_cipher(MYSQL *mysql); my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user, const char *passwd, const char *db); --- 433,440 ---- MYSQL * STDCALL mysql_init(MYSQL *mysql); my_bool STDCALL mysql_ssl_set(MYSQL *mysql, const char *key, const char *cert, const char *ca, ! const char *capath, const char *crl, ! 
const char *cipher); const char * STDCALL mysql_get_ssl_cipher(MYSQL *mysql); my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user, const char *passwd, const char *db); diff -rc mysql-5.1.40/include/mysql.h.pp mysql-5.1.40-ssl-crl-support/include/mysql.h.pp *** mysql-5.1.40/include/mysql.h.pp 2009-10-06 13:46:50.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/include/mysql.h.pp 2009-11-02 08:20:52.000000000 -0500 *************** *** 272,277 **** --- 272,278 ---- char *ssl_cert; char *ssl_ca; char *ssl_capath; + char *ssl_crl; char *ssl_cipher; char *shared_memory_base_name; unsigned long max_allowed_packet; *************** *** 418,424 **** MYSQL * mysql_init(MYSQL *mysql); my_bool mysql_ssl_set(MYSQL *mysql, const char *key, const char *cert, const char *ca, ! const char *capath, const char *cipher); const char * mysql_get_ssl_cipher(MYSQL *mysql); my_bool mysql_change_user(MYSQL *mysql, const char *user, const char *passwd, const char *db); --- 419,426 ---- MYSQL * mysql_init(MYSQL *mysql); my_bool mysql_ssl_set(MYSQL *mysql, const char *key, const char *cert, const char *ca, ! const char *capath, const char *crl, ! 
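Review bot: Changing `mysql_ssl_set` from five to six arguments — together with inserting `ssl_crl` in the middle of the options struct in the previous hunk — breaks libmysqlclient's binary interface, and I see no soname or version bump in this diff to go with it. A client built against the old header but running with the new library passes its cipher string in the position now read as `crl` and leaves `cipher` to whatever the caller left in the next argument slot, so the intended cipher restriction is silently lost while the cipher list is handed over as a CRL path; the shifted struct offsets likewise corrupt every option field after `ssl_capath` for such a client. A source- and binary-compatible alternative is to leave `mysql_ssl_set` at five arguments, append `ssl_crl` at the end of the struct, and expose the CRL through a new `mysql_options()` code such as `MYSQL_OPT_SSL_CRL`, which the tools in the client/ hunks would call right after `mysql_ssl_set`. If the ABI break is accepted anyway, it should be documented in a comment on the prototype and the library version bumped.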
const char *cipher); const char * mysql_get_ssl_cipher(MYSQL *mysql); my_bool mysql_change_user(MYSQL *mysql, const char *user, const char *passwd, const char *db); diff -rc mysql-5.1.40/include/sslopt-case.h mysql-5.1.40-ssl-crl-support/include/sslopt-case.h *** mysql-5.1.40/include/sslopt-case.h 2009-10-06 13:46:50.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/include/sslopt-case.h 2009-10-30 23:50:25.000000000 -0400 *************** *** 18,23 **** --- 18,24 ---- case OPT_SSL_CERT: case OPT_SSL_CA: case OPT_SSL_CAPATH: + case OPT_SSL_CRL: case OPT_SSL_CIPHER: /* Enable use of SSL if we are using any ssl option diff -rc mysql-5.1.40/include/sslopt-longopts.h mysql-5.1.40-ssl-crl-support/include/sslopt-longopts.h *** mysql-5.1.40/include/sslopt-longopts.h 2009-10-06 13:46:51.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/include/sslopt-longopts.h 2009-10-30 23:24:01.000000000 -0400 *************** *** 30,35 **** --- 30,38 ---- {"ssl-cert", OPT_SSL_CERT, "X509 cert in PEM format (implies --ssl).", (uchar **) &opt_ssl_cert, (uchar **) &opt_ssl_cert, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0}, + {"ssl-crl", OPT_SSL_CRL, "CRL file in PEM format (implies --ssl).", + (uchar **) &opt_ssl_crl, (uchar **) &opt_ssl_crl, 0, GET_STR, REQUIRED_ARG, + 0, 0, 0, 0, 0, 0}, {"ssl-cipher", OPT_SSL_CIPHER, "SSL cipher to use (implies --ssl).", (uchar **) &opt_ssl_cipher, (uchar **) &opt_ssl_cipher, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0}, diff -rc mysql-5.1.40/include/sslopt-vars.h mysql-5.1.40-ssl-crl-support/include/sslopt-vars.h *** mysql-5.1.40/include/sslopt-vars.h 2009-10-06 13:46:51.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/include/sslopt-vars.h 2009-10-30 23:24:17.000000000 -0400 *************** *** 23,28 **** --- 23,29 ---- SSL_STATIC char *opt_ssl_ca = 0; SSL_STATIC char *opt_ssl_capath = 0; SSL_STATIC char *opt_ssl_cert = 0; + SSL_STATIC char *opt_ssl_crl = 0; SSL_STATIC char *opt_ssl_cipher = 0; SSL_STATIC char *opt_ssl_key = 0; #ifdef MYSQL_CLIENT diff -rc 
mysql-5.1.40/include/violite.h mysql-5.1.40-ssl-crl-support/include/violite.h *** mysql-5.1.40/include/violite.h 2009-10-06 13:46:51.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/include/violite.h 2009-11-02 08:26:46.000000000 -0500 *************** *** 128,138 **** struct st_VioSSLFd *new_VioSSLConnectorFd(const char *key_file, const char *cert_file, const char *ca_file, const char *ca_path, ! const char *cipher); struct st_VioSSLFd *new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, const char *ca_file,const char *ca_path, ! const char *cipher, enum enum_ssl_init_error* error); void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd); #endif /* HAVE_OPENSSL */ --- 128,139 ---- struct st_VioSSLFd *new_VioSSLConnectorFd(const char *key_file, const char *cert_file, const char *ca_file, const char *ca_path, ! const char *crl_file, const char *cipher); struct st_VioSSLFd *new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, const char *ca_file,const char *ca_path, ! const char *crl_file, const char *cipher, ! 
enum enum_ssl_init_error* error); void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd); #endif /* HAVE_OPENSSL */ diff -rc mysql-5.1.40/sql/lex.h mysql-5.1.40-ssl-crl-support/sql/lex.h *** mysql-5.1.40/sql/lex.h 2009-10-06 13:49:59.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/sql/lex.h 2009-10-31 00:02:20.000000000 -0400 *************** *** 315,320 **** --- 315,321 ---- { "MASTER_SSL", SYM(MASTER_SSL_SYM)}, { "MASTER_SSL_CA", SYM(MASTER_SSL_CA_SYM)}, { "MASTER_SSL_CAPATH",SYM(MASTER_SSL_CAPATH_SYM)}, + { "MASTER_SSL_CRL", SYM(MASTER_SSL_CRL_SYM)}, { "MASTER_SSL_CERT", SYM(MASTER_SSL_CERT_SYM)}, { "MASTER_SSL_CIPHER",SYM(MASTER_SSL_CIPHER_SYM)}, { "MASTER_SSL_KEY", SYM(MASTER_SSL_KEY_SYM)}, diff -rc mysql-5.1.40/sql/mysqld.cc mysql-5.1.40-ssl-crl-support/sql/mysqld.cc *** mysql-5.1.40/sql/mysqld.cc 2009-10-06 13:50:01.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/sql/mysqld.cc 2009-10-31 00:03:35.000000000 -0400 *************** *** 672,678 **** char *opt_relay_logname = 0, *opt_relaylog_index_name=0; my_bool master_ssl; char *master_ssl_key, *master_ssl_cert; ! char *master_ssl_ca, *master_ssl_capath, *master_ssl_cipher; char *opt_logname, *opt_slow_logname; /* Static variables */ --- 672,678 ---- char *opt_relay_logname = 0, *opt_relaylog_index_name=0; my_bool master_ssl; char *master_ssl_key, *master_ssl_cert; ! char *master_ssl_ca, *master_ssl_capath, *master_ssl_cipher, *master_ssl_crl; char *opt_logname, *opt_slow_logname; /* Static variables */ *************** *** 3697,3703 **** /* having ssl_acceptor_fd != 0 signals the use of SSL */ ssl_acceptor_fd= new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, ! opt_ssl_cipher, &error); DBUG_PRINT("info",("ssl_acceptor_fd: 0x%lx", (long) ssl_acceptor_fd)); if (!ssl_acceptor_fd) { --- 3697,3703 ---- /* having ssl_acceptor_fd != 0 signals the use of SSL */ ssl_acceptor_fd= new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, ! 
opt_ssl_crl, opt_ssl_cipher, &error); DBUG_PRINT("info",("ssl_acceptor_fd: 0x%lx", (long) ssl_acceptor_fd)); if (!ssl_acceptor_fd) { *************** *** 5550,5555 **** --- 5550,5556 ---- OPT_MASTER_RETRY_COUNT, OPT_LOG_TC, OPT_LOG_TC_SIZE, OPT_MASTER_SSL, OPT_MASTER_SSL_KEY, OPT_MASTER_SSL_CERT, OPT_MASTER_SSL_CAPATH, + OPT_MASTER_SSL_CRL, OPT_MASTER_SSL_CIPHER, OPT_MASTER_SSL_CA, OPT_SQL_BIN_UPDATE_SAME, OPT_REPLICATE_DO_DB, OPT_REPLICATE_IGNORE_DB, OPT_LOG_SLAVE_UPDATES, *************** *** 5594,5600 **** OPT_RELAY_LOG, OPT_RELAY_LOG_INDEX, OPT_RELAY_LOG_INFO_FILE, OPT_SLAVE_SKIP_ERRORS, OPT_DES_KEY_FILE, OPT_LOCAL_INFILE, OPT_SSL_SSL, OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, ! OPT_SSL_CAPATH, OPT_SSL_CIPHER, OPT_BACK_LOG, OPT_BINLOG_CACHE_SIZE, OPT_CONNECT_TIMEOUT, OPT_DELAYED_INSERT_TIMEOUT, OPT_DELAYED_INSERT_LIMIT, OPT_DELAYED_QUEUE_SIZE, --- 5595,5601 ---- OPT_RELAY_LOG, OPT_RELAY_LOG_INDEX, OPT_RELAY_LOG_INFO_FILE, OPT_SLAVE_SKIP_ERRORS, OPT_DES_KEY_FILE, OPT_LOCAL_INFILE, OPT_SSL_SSL, OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, ! OPT_SSL_CAPATH, OPT_SSL_CRL, OPT_SSL_CIPHER, OPT_BACK_LOG, OPT_BINLOG_CACHE_SIZE, OPT_CONNECT_TIMEOUT, OPT_DELAYED_INSERT_TIMEOUT, OPT_DELAYED_INSERT_LIMIT, OPT_DELAYED_QUEUE_SIZE, *************** *** 6076,6081 **** --- 6077,6086 ---- "Master SSL CA file. Only applies if you have enabled master-ssl.", (uchar**) &master_ssl_ca, (uchar**) &master_ssl_ca, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0}, + {"master-ssl-crl", OPT_MASTER_SSL_CRL, + "Master SSL CRL file. Only applies if you have enabled master-ssl.", + (uchar**) &master_ssl_crl, (uchar**) &master_ssl_crl, 0, GET_STR, OPT_ARG, + 0, 0, 0, 0, 0, 0}, {"master-ssl-capath", OPT_MASTER_SSL_CAPATH, "Master SSL CA path. 
Only applies if you have enabled master-ssl.", (uchar**) &master_ssl_capath, (uchar**) &master_ssl_capath, 0, GET_STR, OPT_ARG, *************** *** 7715,7721 **** master_password= master_host= 0; master_info_file= (char*) "master.info", relay_log_info_file= (char*) "relay-log.info"; ! master_ssl_key= master_ssl_cert= master_ssl_ca= master_ssl_capath= master_ssl_cipher= 0; report_user= report_password = report_host= 0; /* TO BE DELETED */ opt_relay_logname= opt_relaylog_index_name= 0; --- 7720,7726 ---- master_password= master_host= 0; master_info_file= (char*) "master.info", relay_log_info_file= (char*) "relay-log.info"; ! master_ssl_key= master_ssl_cert= master_ssl_ca= master_ssl_crl= master_ssl_capath= master_ssl_cipher= 0; report_user= report_password = report_host= 0; /* TO BE DELETED */ opt_relay_logname= opt_relaylog_index_name= 0; *************** *** 8177,8182 **** --- 8182,8188 ---- case OPT_MASTER_SSL_CAPATH: case OPT_MASTER_SSL_CIPHER: case OPT_MASTER_SSL_CA: + case OPT_MASTER_SSL_CRL: if (!slave_warning_issued) //only show the warning once { slave_warning_issued = true; diff -rc mysql-5.1.40/sql/repl_failsafe.cc mysql-5.1.40-ssl-crl-support/sql/repl_failsafe.cc *** mysql-5.1.40/sql/repl_failsafe.cc 2009-10-06 13:50:03.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/sql/repl_failsafe.cc 2009-10-30 23:32:39.000000000 -0400 *************** *** 728,733 **** --- 728,734 ---- mi->ssl_cert[0]?mi->ssl_cert:0, mi->ssl_ca[0]?mi->ssl_ca:0, mi->ssl_capath[0]?mi->ssl_capath:0, + mi->ssl_crl[0]?mi->ssl_crl:0, mi->ssl_cipher[0]?mi->ssl_cipher:0); mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &mi->ssl_verify_server_cert); diff -rc mysql-5.1.40/sql/rpl_mi.cc mysql-5.1.40-ssl-crl-support/sql/rpl_mi.cc *** mysql-5.1.40/sql/rpl_mi.cc 2009-10-06 13:50:03.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/sql/rpl_mi.cc 2009-10-30 23:35:10.000000000 -0400 *************** *** 35,41 **** { host[0] = 0; user[0] = 0; password[0] = 0; ssl_ca[0]= 0; ssl_capath[0]= 0; 
ssl_cert[0]= 0; ! ssl_cipher[0]= 0; ssl_key[0]= 0; bzero((char*) &file, sizeof(file)); pthread_mutex_init(&run_lock, MY_MUTEX_INIT_FAST); --- 35,41 ---- { host[0] = 0; user[0] = 0; password[0] = 0; ssl_ca[0]= 0; ssl_capath[0]= 0; ssl_cert[0]= 0; ! ssl_crl[0]= 0; ssl_cipher[0]= 0; ssl_key[0]= 0; bzero((char*) &file, sizeof(file)); pthread_mutex_init(&run_lock, MY_MUTEX_INIT_FAST); *************** *** 78,83 **** --- 78,85 ---- strmake(mi->ssl_capath, master_ssl_capath, sizeof(mi->ssl_capath)-1); if (master_ssl_cert) strmake(mi->ssl_cert, master_ssl_cert, sizeof(mi->ssl_cert)-1); + if (master_ssl_crl) + strmake(mi->ssl_crl, master_ssl_crl, sizeof(mi->ssl_crl)-1); if (master_ssl_cipher) strmake(mi->ssl_cipher, master_ssl_cipher, sizeof(mi->ssl_cipher)-1); if (master_ssl_key) *************** *** 268,273 **** --- 270,277 ---- &mi->file, master_ssl_capath) || init_strvar_from_file(mi->ssl_cert, sizeof(mi->ssl_cert), &mi->file, master_ssl_cert) || + init_strvar_from_file(mi->ssl_crl, sizeof(mi->ssl_crl), + &mi->file, master_ssl_crl) || init_strvar_from_file(mi->ssl_cipher, sizeof(mi->ssl_cipher), &mi->file, master_ssl_cipher) || init_strvar_from_file(mi->ssl_key, sizeof(mi->ssl_key), *************** *** 381,392 **** my_b_seek(file, 0L); my_b_printf(file, ! "%u\n%s\n%s\n%s\n%s\n%s\n%d\n%d\n%d\n%s\n%s\n%s\n%s\n%s\n%d\n", LINES_IN_MASTER_INFO, mi->master_log_name, llstr(mi->master_log_pos, lbuf), mi->host, mi->user, mi->password, mi->port, mi->connect_retry, (int)(mi->ssl), mi->ssl_ca, mi->ssl_capath, mi->ssl_cert, mi->ssl_cipher, mi->ssl_key, mi->ssl_verify_server_cert); DBUG_RETURN(-flush_io_cache(file)); } --- 385,397 ---- my_b_seek(file, 0L); my_b_printf(file, ! 
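Review bot: The new `init_strvar_from_file(mi->ssl_crl, ...)` call is inserted unconditionally into the middle of the read chain, so a `master.info` written by a pre-patch server (which has no CRL line) is read off by one from this point: the cipher line lands in `ssl_crl`, the key path in `ssl_cipher`, and the verify-server-cert flag in `ssl_key`, with the real `Master_SSL_Verify_Server_Cert` then read from a line that is not there. On an upgraded slave this silently degrades the replication TLS settings instead of failing loudly. The flush hunk below writes `LINES_IN_MASTER_INFO` as the file's first line and adds a sixteenth `%s`, but I do not see that constant raised anywhere in this diff, so new files would still announce the old line count. The read of the CRL line should be conditional on the stored line count — presumably the same mechanism that already copes with the 5.1.18 `ssl_verify_server_cert` line — or the CRL appended as the final line, and the constant bumped; the surrounding `init_master_info` body and its line-count handling are outside the hunk.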
"%u\n%s\n%s\n%s\n%s\n%s\n%d\n%d\n%d\n%s\n%s\n%s\n%s\n%s\n%s\n%d\n", LINES_IN_MASTER_INFO, mi->master_log_name, llstr(mi->master_log_pos, lbuf), mi->host, mi->user, mi->password, mi->port, mi->connect_retry, (int)(mi->ssl), mi->ssl_ca, mi->ssl_capath, mi->ssl_cert, + mi->ssl_crl, mi->ssl_cipher, mi->ssl_key, mi->ssl_verify_server_cert); DBUG_RETURN(-flush_io_cache(file)); } diff -rc mysql-5.1.40/sql/rpl_mi.h mysql-5.1.40-ssl-crl-support/sql/rpl_mi.h *** mysql-5.1.40/sql/rpl_mi.h 2009-10-06 13:50:03.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/sql/rpl_mi.h 2009-10-30 23:35:32.000000000 -0400 *************** *** 68,74 **** char password[MAX_PASSWORD_LENGTH+1]; my_bool ssl; // enables use of SSL connection if true char ssl_ca[FN_REFLEN], ssl_capath[FN_REFLEN], ssl_cert[FN_REFLEN]; ! char ssl_cipher[FN_REFLEN], ssl_key[FN_REFLEN]; my_bool ssl_verify_server_cert; my_off_t master_log_pos; --- 68,74 ---- char password[MAX_PASSWORD_LENGTH+1]; my_bool ssl; // enables use of SSL connection if true char ssl_ca[FN_REFLEN], ssl_capath[FN_REFLEN], ssl_cert[FN_REFLEN]; ! char ssl_cipher[FN_REFLEN], ssl_key[FN_REFLEN], ssl_crl[FN_REFLEN]; my_bool ssl_verify_server_cert; my_off_t master_log_pos; diff -rc mysql-5.1.40/sql/set_var.cc mysql-5.1.40-ssl-crl-support/sql/set_var.cc *** mysql-5.1.40/sql/set_var.cc 2009-10-06 13:50:03.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/sql/set_var.cc 2009-10-30 23:36:22.000000000 -0400 *************** *** 594,611 **** &SV::sql_mode); #ifdef HAVE_OPENSSL extern char *opt_ssl_ca, *opt_ssl_capath, *opt_ssl_cert, *opt_ssl_cipher, ! 
*opt_ssl_key; static sys_var_const_os_str_ptr sys_ssl_ca(&vars, "ssl_ca", &opt_ssl_ca); static sys_var_const_os_str_ptr sys_ssl_capath(&vars, "ssl_capath", &opt_ssl_capath); static sys_var_const_os_str_ptr sys_ssl_cert(&vars, "ssl_cert", &opt_ssl_cert); static sys_var_const_os_str_ptr sys_ssl_cipher(&vars, "ssl_cipher", &opt_ssl_cipher); static sys_var_const_os_str_ptr sys_ssl_key(&vars, "ssl_key", &opt_ssl_key); #else static sys_var_const_os_str sys_ssl_ca(&vars, "ssl_ca", NULL); static sys_var_const_os_str sys_ssl_capath(&vars, "ssl_capath", NULL); static sys_var_const_os_str sys_ssl_cert(&vars, "ssl_cert", NULL); static sys_var_const_os_str sys_ssl_cipher(&vars, "ssl_cipher", NULL); static sys_var_const_os_str sys_ssl_key(&vars, "ssl_key", NULL); #endif static sys_var_thd_enum sys_updatable_views_with_limit(&vars, "updatable_views_with_limit", --- 594,613 ---- &SV::sql_mode); #ifdef HAVE_OPENSSL extern char *opt_ssl_ca, *opt_ssl_capath, *opt_ssl_cert, *opt_ssl_cipher, ! *opt_ssl_key, *opt_ssl_crl; static sys_var_const_os_str_ptr sys_ssl_ca(&vars, "ssl_ca", &opt_ssl_ca); static sys_var_const_os_str_ptr sys_ssl_capath(&vars, "ssl_capath", &opt_ssl_capath); static sys_var_const_os_str_ptr sys_ssl_cert(&vars, "ssl_cert", &opt_ssl_cert); static sys_var_const_os_str_ptr sys_ssl_cipher(&vars, "ssl_cipher", &opt_ssl_cipher); static sys_var_const_os_str_ptr sys_ssl_key(&vars, "ssl_key", &opt_ssl_key); + static sys_var_const_os_str_ptr sys_ssl_crl(&vars, "ssl_crl", &opt_ssl_crl); #else static sys_var_const_os_str sys_ssl_ca(&vars, "ssl_ca", NULL); static sys_var_const_os_str sys_ssl_capath(&vars, "ssl_capath", NULL); static sys_var_const_os_str sys_ssl_cert(&vars, "ssl_cert", NULL); static sys_var_const_os_str sys_ssl_cipher(&vars, "ssl_cipher", NULL); static sys_var_const_os_str sys_ssl_key(&vars, "ssl_key", NULL); + static sys_var_const_os_str sys_ssl_crl(&vars, "ssl_crl", NULL); #endif static sys_var_thd_enum sys_updatable_views_with_limit(&vars, 
"updatable_views_with_limit", diff -rc mysql-5.1.40/sql/slave.cc mysql-5.1.40-ssl-crl-support/sql/slave.cc *** mysql-5.1.40/sql/slave.cc 2009-10-06 13:50:04.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/sql/slave.cc 2009-10-30 23:37:35.000000000 -0400 *************** *** 1592,1597 **** --- 1592,1599 ---- sizeof(mi->ssl_capath))); field_list.push_back(new Item_empty_string("Master_SSL_Cert", sizeof(mi->ssl_cert))); + field_list.push_back(new Item_empty_string("Master_SSL_CRL", + sizeof(mi->ssl_crl))); field_list.push_back(new Item_empty_string("Master_SSL_Cipher", sizeof(mi->ssl_cipher))); field_list.push_back(new Item_empty_string("Master_SSL_Key", *************** *** 1678,1683 **** --- 1680,1686 ---- protocol->store(mi->ssl_cert, &my_charset_bin); protocol->store(mi->ssl_cipher, &my_charset_bin); protocol->store(mi->ssl_key, &my_charset_bin); + protocol->store(mi->ssl_crl, &my_charset_bin); /* Seconds_Behind_Master: if SQL thread is running and I/O thread is *************** *** 3825,3830 **** --- 3828,3834 ---- mi->ssl_cert[0]?mi->ssl_cert:0, mi->ssl_ca[0]?mi->ssl_ca:0, mi->ssl_capath[0]?mi->ssl_capath:0, + mi->ssl_crl[0]?mi->ssl_crl:0, mi->ssl_cipher[0]?mi->ssl_cipher:0); mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &mi->ssl_verify_server_cert); diff -rc mysql-5.1.40/sql/slave.h mysql-5.1.40-ssl-crl-support/sql/slave.h *** mysql-5.1.40/sql/slave.h 2009-10-06 13:50:04.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/sql/slave.h 2009-10-30 23:37:45.000000000 -0400 *************** *** 210,216 **** extern my_bool master_ssl; extern char *master_ssl_ca, *master_ssl_capath, *master_ssl_cert; ! extern char *master_ssl_cipher, *master_ssl_key; extern I_List threads; --- 210,216 ---- extern my_bool master_ssl; extern char *master_ssl_ca, *master_ssl_capath, *master_ssl_cert; ! 
extern char *master_ssl_cipher, *master_ssl_key, *master_ssl_crl; extern I_List threads; diff -rc mysql-5.1.40/sql/sql_lex.h mysql-5.1.40-ssl-crl-support/sql/sql_lex.h *** mysql-5.1.40/sql/sql_lex.h 2009-10-06 13:50:07.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/sql/sql_lex.h 2009-10-30 23:37:55.000000000 -0400 *************** *** 211,217 **** */ enum {SSL_UNCHANGED, SSL_DISABLE, SSL_ENABLE} ssl, ssl_verify_server_cert; ! char *ssl_key, *ssl_cert, *ssl_ca, *ssl_capath, *ssl_cipher; char *relay_log_name; ulong relay_log_pos; } LEX_MASTER_INFO; --- 211,217 ---- */ enum {SSL_UNCHANGED, SSL_DISABLE, SSL_ENABLE} ssl, ssl_verify_server_cert; ! char *ssl_key, *ssl_cert, *ssl_ca, *ssl_capath, *ssl_cipher, *ssl_crl; char *relay_log_name; ulong relay_log_pos; } LEX_MASTER_INFO; diff -rc mysql-5.1.40/sql/sql_repl.cc mysql-5.1.40-ssl-crl-support/sql/sql_repl.cc *** mysql-5.1.40/sql/sql_repl.cc 2009-10-06 13:50:08.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/sql/sql_repl.cc 2009-10-30 23:38:36.000000000 -0400 *************** *** 1207,1216 **** strmake(mi->ssl_cipher, lex_mi->ssl_cipher, sizeof(mi->ssl_cipher)-1); if (lex_mi->ssl_key) strmake(mi->ssl_key, lex_mi->ssl_key, sizeof(mi->ssl_key)-1); #ifndef HAVE_OPENSSL if (lex_mi->ssl || lex_mi->ssl_ca || lex_mi->ssl_capath || lex_mi->ssl_cert || lex_mi->ssl_cipher || lex_mi->ssl_key || ! lex_mi->ssl_verify_server_cert ) push_warning(thd, MYSQL_ERROR::WARN_LEVEL_NOTE, ER_SLAVE_IGNORED_SSL_PARAMS, ER(ER_SLAVE_IGNORED_SSL_PARAMS)); #endif --- 1207,1218 ---- strmake(mi->ssl_cipher, lex_mi->ssl_cipher, sizeof(mi->ssl_cipher)-1); if (lex_mi->ssl_key) strmake(mi->ssl_key, lex_mi->ssl_key, sizeof(mi->ssl_key)-1); + if (lex_mi->ssl_crl) + strmake(mi->ssl_crl, lex_mi->ssl_crl, sizeof(mi->ssl_crl)-1); #ifndef HAVE_OPENSSL if (lex_mi->ssl || lex_mi->ssl_ca || lex_mi->ssl_capath || lex_mi->ssl_cert || lex_mi->ssl_cipher || lex_mi->ssl_key || ! 
lex_mi->ssl_crl || lex_mi->ssl_verify_server_cert ) push_warning(thd, MYSQL_ERROR::WARN_LEVEL_NOTE, ER_SLAVE_IGNORED_SSL_PARAMS, ER(ER_SLAVE_IGNORED_SSL_PARAMS)); #endif diff -rc mysql-5.1.40/sql/sql_yacc.yy mysql-5.1.40-ssl-crl-support/sql/sql_yacc.yy *** mysql-5.1.40/sql/sql_yacc.yy 2009-10-06 13:50:10.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/sql/sql_yacc.yy 2009-11-02 08:42:53.000000000 -0500 *************** *** 807,812 **** --- 807,813 ---- %token MASTER_SERVER_ID_SYM %token MASTER_SSL_CAPATH_SYM %token MASTER_SSL_CA_SYM + %token MASTER_SSL_CRL_SYM %token MASTER_SSL_CERT_SYM %token MASTER_SSL_CIPHER_SYM %token MASTER_SSL_KEY_SYM *************** *** 1602,1607 **** --- 1603,1612 ---- { Lex->mi.ssl_capath= $3.str; } + | MASTER_SSL_CRL_SYM EQ TEXT_STRING_sys + { + Lex->mi.ssl_crl= $3.str; + } | MASTER_SSL_CERT_SYM EQ TEXT_STRING_sys { Lex->mi.ssl_cert= $3.str; *************** *** 11523,11528 **** --- 11528,11534 ---- | MASTER_SSL_SYM {} | MASTER_SSL_CA_SYM {} | MASTER_SSL_CAPATH_SYM {} + | MASTER_SSL_CRL_SYM {} | MASTER_SSL_CERT_SYM {} | MASTER_SSL_CIPHER_SYM {} | MASTER_SSL_KEY_SYM {} diff -rc mysql-5.1.40/sql-common/client.c mysql-5.1.40-ssl-crl-support/sql-common/client.c *** mysql-5.1.40/sql-common/client.c 2009-11-02 07:23:11.000000000 -0500 --- mysql-5.1.40-ssl-crl-support/sql-common/client.c 2009-11-02 07:24:35.000000000 -0500 *************** *** 1616,1622 **** mysql->options.ssl_cert= strdup_if_not_null(cert); mysql->options.ssl_ca= strdup_if_not_null(ca); mysql->options.ssl_capath= strdup_if_not_null(capath); ! mysql->options.ssl_crl= strdup_if_not_null(crl); mysql->options.ssl_cipher= strdup_if_not_null(cipher); #endif /* HAVE_OPENSSL */ DBUG_RETURN(0); --- 1616,1622 ---- mysql->options.ssl_cert= strdup_if_not_null(cert); mysql->options.ssl_ca= strdup_if_not_null(ca); mysql->options.ssl_capath= strdup_if_not_null(capath); ! 
mysql->options.ssl_crl= strdup_if_not_null(capath); mysql->options.ssl_cipher= strdup_if_not_null(cipher); #endif /* HAVE_OPENSSL */ DBUG_RETURN(0); *************** *** 1650,1655 **** --- 1650,1656 ---- mysql->options.ssl_ca = 0; mysql->options.ssl_capath = 0; mysql->options.ssl_cipher= 0; + mysql->options.ssl_crl= 0; mysql->options.use_ssl = FALSE; mysql->connector_fd = 0; DBUG_VOID_RETURN; *************** *** 2261,2267 **** #ifdef HAVE_OPENSSL if (mysql->options.ssl_key || mysql->options.ssl_cert || mysql->options.ssl_ca || mysql->options.ssl_capath || ! mysql->options.ssl_cipher) mysql->options.use_ssl= 1; if (mysql->options.use_ssl) client_flag|=CLIENT_SSL; --- 2262,2268 ---- #ifdef HAVE_OPENSSL if (mysql->options.ssl_key || mysql->options.ssl_cert || mysql->options.ssl_ca || mysql->options.ssl_capath || ! mysql->options.ssl_crl || mysql->options.ssl_cipher) mysql->options.use_ssl= 1; if (mysql->options.use_ssl) client_flag|=CLIENT_SSL; *************** *** 2319,2324 **** --- 2320,2326 ---- options->ssl_cert, options->ssl_ca, options->ssl_capath, + options->ssl_crl, options->ssl_cipher))) { set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate); diff -rc mysql-5.1.40/vio/viosslfactories.c mysql-5.1.40-ssl-crl-support/vio/viosslfactories.c *** mysql-5.1.40/vio/viosslfactories.c 2009-10-06 13:50:51.000000000 -0400 --- mysql-5.1.40-ssl-crl-support/vio/viosslfactories.c 2009-11-02 10:14:04.000000000 -0500 *************** *** 248,253 **** --- 248,254 ---- static struct st_VioSSLFd * new_VioSSLFd(const char *key_file, const char *cert_file, const char *ca_file, const char *ca_path, + const char *crl_file, const char *cipher, SSL_METHOD *method, enum enum_ssl_init_error* error) { *************** *** 256,270 **** DBUG_ENTER("new_VioSSLFd"); DBUG_PRINT("enter", ("key_file: '%s' cert_file: '%s' ca_file: '%s' ca_path: '%s' " ! "cipher: '%s'", key_file ? key_file : "NULL", cert_file ? cert_file : "NULL", ca_file ? ca_file : "NULL", ca_path ? 
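Review bot: On the new side of the client.c hunk at 1616, `mysql->options.ssl_crl= strdup_if_not_null(capath);` copies the CA directory path into the CRL slot and discards the `crl` argument (the old side of the same hunk still reads `crl`, so this looks like an editing slip rather than intent). As far as this diff shows, the caller's CRL file is then never used: when a capath is set, new_VioSSLFd would try to parse the directory as a PEM CRL and fail, and when it is not, `ssl_crl` stays NULL and revocation checking is silently skipped even though the CRL option was configured. The line should read `mysql->options.ssl_crl= strdup_if_not_null(crl);`; the function's signature is outside the hunk, so confirm `crl` is the parameter name. In the 1650 hunk only `ssl_crl= 0` is added — the matching `my_free` of the strdup'd string is not visible here, so check that the close path releases it as it does for the other ssl_* options.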
ca_path : "NULL", cipher ? cipher : "NULL")); check_ssl_init(); - if (!(ssl_fd= ((struct st_VioSSLFd*) my_malloc(sizeof(struct st_VioSSLFd),MYF(0))))) DBUG_RETURN(0); --- 257,271 ---- DBUG_ENTER("new_VioSSLFd"); DBUG_PRINT("enter", ("key_file: '%s' cert_file: '%s' ca_file: '%s' ca_path: '%s' " ! "crl_file: '%s' cipher: '%s'", key_file ? key_file : "NULL", cert_file ? cert_file : "NULL", ca_file ? ca_file : "NULL", ca_path ? ca_path : "NULL", + crl_file ? crl_file : "NULL", cipher ? cipher : "NULL")); check_ssl_init(); if (!(ssl_fd= ((struct st_VioSSLFd*) my_malloc(sizeof(struct st_VioSSLFd),MYF(0))))) DBUG_RETURN(0); *************** *** 309,314 **** --- 310,354 ---- } } + if (crl_file) + { + DBUG_PRINT("error", ("configuring SSL to use CRL file")); + /* Even the openssl source code doesn't error check these calls */ + X509_STORE_set_flags( SSL_CTX_get_cert_store(ssl_fd->ssl_context), + X509_V_FLAG_CRL_CHECK ); + BIO *bio = BIO_new_file( crl_file, "r" ); + if ( bio == NULL ) + { + *error= SSL_INITERR_BAD_PATHS; + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); + report_errors(); + SSL_CTX_free(ssl_fd->ssl_context); + my_free((void*)ssl_fd,MYF(0)); + DBUG_RETURN(0); + } + + X509_CRL *crl = PEM_read_bio_X509_CRL( bio, NULL, NULL, NULL ); + if ( crl == NULL ) + { + DBUG_PRINT("error", ("unable to load CRL")); + report_errors(); + SSL_CTX_free(ssl_fd->ssl_context); + my_free((void*)ssl_fd,MYF(0)); + DBUG_RETURN(0); + } + + if ( X509_STORE_add_crl(SSL_CTX_get_cert_store(ssl_fd->ssl_context), + crl) == NULL ) + { + DBUG_PRINT("error", ("unable to add CRL to SSL context")); + report_errors(); + SSL_CTX_free(ssl_fd->ssl_context); + my_free((void*)ssl_fd,MYF(0)); + DBUG_RETURN(0); + } + + } + if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, error)) { DBUG_PRINT("error", ("vio_set_cert_stuff failed")); *************** *** 333,339 **** struct st_VioSSLFd * new_VioSSLConnectorFd(const char *key_file, const char *cert_file, const char *ca_file, const char 
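Review bot: In the CRL block added to new_VioSSLFd (hunk 309), the `BIO` returned by `BIO_new_file` is never released with `BIO_free` on either the success or the failure paths, and the `X509_CRL` is not released after `X509_STORE_add_crl`, which takes its own reference, so both leak once per context. Only the BIO failure path sets `*error`; a caller such as new_VioSSLAcceptorFd that reports `*error` therefore sees a stale value when the CRL fails to parse or to be added, and since `X509_STORE_add_crl` returns an int the `== NULL` comparison should be `== 0` (or `!`). Note also that `X509_V_FLAG_CRL_CHECK` checks revocation of the peer's leaf certificate only; if issuing CAs should be checked too, `X509_V_FLAG_CRL_CHECK_ALL` is the flag, which in turn requires a CRL for every CA in the chain. The first `DBUG_PRINT("error", ("configuring SSL to use CRL file"))` is informational and would read better under `"info"`. new_VioSSLFd begins and ends outside this hunk; below is the block rewritten with the reference handling fixed, reusing `SSL_INITERR_BAD_PATHS` for all three failures since no CRL-specific value is visible in the diff.
```c
  if (crl_file)
  {
    BIO *bio= BIO_new_file(crl_file, "r");
    X509_CRL *crl= NULL;
    int added= 0;

    DBUG_PRINT("info", ("configuring SSL to use CRL file"));
    /* Even the openssl source code doesn't error check these calls */
    X509_STORE_set_flags(SSL_CTX_get_cert_store(ssl_fd->ssl_context),
                         X509_V_FLAG_CRL_CHECK);
    if (bio)
    {
      crl= PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL);
      BIO_free(bio);                      /* BIO no longer needed once read */
    }
    if (crl)
    {
      /* the store keeps its own reference; drop ours after adding */
      added= X509_STORE_add_crl(SSL_CTX_get_cert_store(ssl_fd->ssl_context),
                                crl);
      X509_CRL_free(crl);
    }
    if (!added)
    {
      *error= SSL_INITERR_BAD_PATHS;      /* open, parse or add failed */
      DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
      report_errors();
      SSL_CTX_free(ssl_fd->ssl_context);
      my_free((void*)ssl_fd,MYF(0));
      DBUG_RETURN(0);
    }
  }
  /* … unchanged: vio_set_cert_stuff call and the rest of new_VioSSLFd … */
```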
*ca_path, ! const char *cipher) { struct st_VioSSLFd *ssl_fd; int verify= SSL_VERIFY_PEER; --- 373,379 ---- struct st_VioSSLFd * new_VioSSLConnectorFd(const char *key_file, const char *cert_file, const char *ca_file, const char *ca_path, ! const char *crl_file, const char *cipher) { struct st_VioSSLFd *ssl_fd; int verify= SSL_VERIFY_PEER; *************** *** 347,353 **** verify= SSL_VERIFY_NONE; if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ! ca_path, cipher, TLSv1_client_method(), &dummy))) { return 0; } --- 387,393 ---- verify= SSL_VERIFY_NONE; if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ! ca_path, crl_file, cipher, TLSv1_client_method(), &dummy))) { return 0; } *************** *** 368,379 **** struct st_VioSSLFd * new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, const char *ca_file, const char *ca_path, ! const char *cipher, enum enum_ssl_init_error* error) { struct st_VioSSLFd *ssl_fd; int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ! ca_path, cipher, TLSv1_server_method(), error))) { return 0; } --- 408,420 ---- struct st_VioSSLFd * new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, const char *ca_file, const char *ca_path, ! const char *crl_file, const char *cipher, ! enum enum_ssl_init_error* error) { struct st_VioSSLFd *ssl_fd; int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ! ca_path, crl_file, cipher, TLSv1_server_method(), error))) { return 0; }