8ac718f8496a6fbfbf00248a68e740a10c0bcf81 galt Tue Nov 26 00:42:19 2024 -0800 This change accomodates upgrade to openssl3.3 and mariadb10 using custom-compiled libmariadb.a. These files are in /cluster/software/maridb and /cluster/software/openssl. refs #34014,#27440. It also handles the new mariadb 10 and 11 that have configuration with ssl turned on by default.
diff --git src/hg/lib/jksql.c src/hg/lib/jksql.c
index 8a5f154..fa108dc 100644
--- src/hg/lib/jksql.c
+++ src/hg/lib/jksql.c
@@ -1114,38 +1114,49 @@ if (addAsOpen) sc->node = dlAddValTail(sqlOpenConnections, sc);
 long oldTime = monitorEnterTime;
 monitorEnterTime = 0;
 monitorEnter();
 if ((sc->conn = conn = mysql_init(NULL)) == NULL) // no need for monitorLeave here
 errAbort("Couldn't connect to mySQL.");
 // Fix problem where client LOCAL setting is disabled by default for security
 mysql_options(conn, MYSQL_OPT_LOCAL_INFILE, NULL);
 // Boolean option to tell client to verify that the host server certificate Subject CN equals the hostname.
 // If turned on this can defeat Man-In-The-Middle attacks.
-if (sp->verifyServerCert && !sameString(sp->verifyServerCert,"0"))
+
+if (sp->verifyServerCert && !sameString(sp->verifyServerCert,"0")) // TURN VERIFICATION ON
 {
 #if !defined(MARIADB_VERSION_ID) && MYSQL_VERSION_ID >= 80000
 mysql_options(conn, MYSQL_OPT_SSL_MODE, SSL_MODE_REQUIRED);
 #else
 my_bool flag = TRUE;
 mysql_options(conn, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &flag);
 #endif
+
+ }
+else // TURN VERIFICATION OFF
+ {
+ #if !defined(MARIADB_VERSION_ID) && MYSQL_VERSION_ID >= 80000 // OVER-RIDE DEFAULT COMPILED IN.
+ mysql_options(conn, MYSQL_OPT_SSL_MODE, SSL_MODE_PREFERRED);
+ #else
+ my_bool flag = FALSE;
+ mysql_options(conn, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &flag);
+ #endif
 }
 #if (MYSQL_VERSION_ID >= 50603) // mysql version "5.6.3"
 // If certificate revocation list file provided, set mysql option
 if (sp->crl) mysql_options(conn, MYSQL_OPT_SSL_CRL, &sp->crl);
 // If path to directory with crl files provided, set mysql option
 if (sp->crlPath) mysql_options(conn, MYSQL_OPT_SSL_CRLPATH, &sp->crlPath);
 #endif
 if (sp->key || sp->cert || sp->ca || sp->caPath || sp->cipher) mysql_ssl_set(conn, sp->key, sp->cert, sp->ca, sp->caPath, sp->cipher);
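Review bot: The added `mysql_options(conn, MYSQL_OPT_SSL_MODE, SSL_MODE_PREFERRED);` in the new else branch passes the enum value itself where mysql_options() expects a pointer to an unsigned int, so on a MySQL 8+ client build the library would read the mode from a bogus address; it should be `unsigned int mode = SSL_MODE_PREFERRED; mysql_options(conn, MYSQL_OPT_SSL_MODE, &mode);`. The unchanged SSL_MODE_REQUIRED call in the branch this commit labels "TURN VERIFICATION ON" has the same form, and REQUIRED only enforces encryption without checking the CA chain or hostname, so the man-in-the-middle protection described in the comment above it would need `SSL_MODE_VERIFY_IDENTITY` on that build. Both branches also ignore the return value of mysql_options(), so a failed attempt to enable verification leaves the connection silently unverified; an errAbort on a non-zero return in the ON branch would make it fail closed. A short comment on the else branch stating that an unset or "0" verifyServerCert deliberately overrides the library's verify-by-default setting would help whoever audits connection profiles later. The enclosing function starts and ends outside the hunk.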