Bug#499432: libsasl2-modules-sql: SSL connection to mysql server fails
Jochen Friedrich
jochen at scram.de
Thu Sep 18 16:55:03 UTC 2008
Package: libsasl2-modules-sql
Version: 2.1.22.dfsg1-8
Severity: normal
When specifying "sql_usessl: 1" in the sasl configuration file, any
authentication will fail with these error messages in auth.log:
sql plugin trying to open db 'XXXX' on host 'a.b.c.d' using SSL
sql plugin could not connect to host a.b.c.d
sql plugin couldn't connect to any host
The reason is a wrong usage of the mysql API in plugins/sql.c. This line
sets the CLIENT_SSL flag in mysql_real_connect:
    return mysql_real_connect(mysql, host, user, password, database,
                              port ? strtoul(port, NULL, 10) : 0, NULL,
                              usessl ? CLIENT_SSL : 0);
According to http://dev.mysql.com/doc/refman/5.0/en/mysql-real-connect.html,
mysql_ssl_set() should be used instead.
If I replace this line by:
    if (usessl)
        mysql_ssl_set(mysql, NULL, NULL, "<hardcoded path to my CA>", NULL, NULL);
    return mysql_real_connect(mysql, host, user, password, database,
                              port ? strtoul(port, NULL, 10) : 0, NULL,
                              0);
Then SSL connections work OK for me.
So, the variable sql_usessl is completely unusable. It should probably
be replaced by
sql_ssl_key
sql_ssl_cert
sql_ssl_ca
sql_ssl_capath
sql_ssl_cipher
parameters.
Thanks,
Jochen
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686-bigmem
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)
Versions of packages libsasl2-modules-sql depends on:
ii libc6 2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii libmysqlclient15off 5.0.32-7etch6 mysql database client library
ii libpq4 8.1.11-0etch1 PostgreSQL C client library
ii libsasl2-modules 2.1.22.dfsg1-8 Pluggable Authentication Modules f
ii libsqlite0 2.8.17-2 SQLite shared library
libsasl2-modules-sql recommends no packages.
-- no debconf information
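
The options proposed in the report, read from SASL-style "name: value" lines into the argument order of mysql_ssl_set(). This is an added example, not code from the report or from cyrus-sasl; struct ssl_opts, parse_ssl_opts(), opt_or_null(), the sample CA path and the refusal when no CA is configured are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

struct ssl_opts {            /* mysql_ssl_set() arguments after the handle, in order */
    int usessl;
    char key[256], cert[256], ca[256], capath[256], cipher[256];
};

/* Store one "name: value" pair; any other option name is ignored. */
static void set_opt(struct ssl_opts *o, const char *name, const char *val)
{
    static const char *names[] = { "sql_ssl_key", "sql_ssl_cert", "sql_ssl_ca",
                                   "sql_ssl_capath", "sql_ssl_cipher" };
    char *fields[] = { o->key, o->cert, o->ca, o->capath, o->cipher };
    if (strcmp(name, "sql_usessl") == 0)
        o->usessl = strcmp(val, "1") == 0;   /* only the "1" form from the report */
    for (size_t i = 0; i < 5; i++)
        if (strcmp(name, names[i]) == 0)
            snprintf(fields[i], sizeof o->key, "%s", val);
}

/* Parse "name: value" lines. Returns -1 (this example's policy) when TLS is on without a CA. */
int parse_ssl_opts(const char *conf, struct ssl_opts *o)
{
    memset(o, 0, sizeof *o);
    while (*conf) {
        char line[512];
        size_t len = strcspn(conf, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, conf);
        conf += len + (conf[len] == '\n');
        char *colon = strchr(line, ':');     /* first colon only: cipher lists contain more */
        if (line[0] == '#' || colon == NULL) continue;
        *colon = '\0';
        char *val = colon + 1 + strspn(colon + 1, " \t");
        for (size_t n = strlen(val); n && strchr(" \t\r", val[n - 1]); ) val[--n] = '\0';
        set_opt(o, line, val);
    }
    return (o->usessl && !o->ca[0] && !o->capath[0]) ? -1 : 0;
}

/* mysql_ssl_set() takes NULL for an unused argument, so map "" to NULL. */
const char *opt_or_null(const char *s) { return s[0] ? s : NULL; }

int main(void)
{
    struct ssl_opts o;       /* the configuration text below is constructed sample input */
    int rc = parse_ssl_opts("sql_usessl: 1\nsql_ssl_ca: /etc/ssl/example-ca.pem\n", &o);
    printf("rc=%d usessl=%d ca=%s\n", rc, o.usessl, o.ca);
    return rc != 0;
}
```

In the plugin, each field would be passed through opt_or_null() to mysql_ssl_set() before the mysql_real_connect() call with client flag 0, as in the replacement shown in the report.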