[debian-mysql] Bug#630625: mysql-client-5.1: add support for properly chained SSL certificates and linking against OpenSSL

Mark Nipper nipsy at bitgnome.net
Wed Jun 15 17:02:50 UTC 2011


Package: mysql-client-5.1
Version: 5.1.57-1.3
Severity: wishlist
Tags: patch

	Having recently configured MySQL 5.1 for the first time to
properly support SSL certificates under RHEL 6, I found out that the
Debian version of the MySQL 5.1 library does not correctly connect to
such servers because MySQL 5.1 itself doesn't correctly support chained
SSL certificates, which are commonly used pretty much everywhere.

	Fixing this in Debian seems like an important thing to do since
a lot of the RPM based distributions will be adopting this because of
the Red Hat change.  And more importantly, it just seems like the right
thing to do, implementing proper SSL functionality.  This does mean that
the MySQL 5.1 packages would need to be linked against OpenSSL
explicitly though, which may have been changed in the past for some
reason I'm not finding elsewhere.  Maybe it's an architecture issue.

	Even so, I think it should be fixed where it can be, even if it
means linking against OpenSSL.  I'm not sure where the Debian MySQL
packages fall concerning the OpenSSL licensing exception.  Looking at:
---
http://www.mysql.com/about/legal/licensing/foss-exception/

it seems that OpenSSL is explicitly allowed when linking the MySQL
libraries, so it seems like this should be acceptable from a legal point
of view, but I am not a lawyer.

	Anyway, I'm attaching the patch I've been using from the Red Hat
source RPM.  The Red Hat bug is:
---
https://bugzilla.redhat.com/show_bug.cgi?id=598656

and the MySQL bug is:
---
http://bugs.mysql.com/bug.php?id=54158

The patch not only adds the chained certificate support when linking
against OpenSSL, but also fixes yassl to not break in the presence of
this fix.

All I've had to change to get this to work after patching is to change
"--with--ssl" to "--with-ssl=/usr/lib" in debian/rules and then rebuild
the package.  I've also been commenting out the test suite in the same
file, even though it should pass with this patch.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mysql-client-5.1 depends on:
ii  debianutils             4.0.1            Miscellaneous utilities specific t
ii  libc6                   2.13-4           Embedded GNU C Library: Shared lib
ii  libdbd-mysql-perl       4.018-1+b1       Perl5 database interface to the My
ii  libdbi-perl             1.616-1+b1       Perl Database Interface (DBI)
ii  libgcc1                 1:4.6.0-10       GCC support library
ii  libmysqlclient16        5.1.57-1.3       MySQL database client library
ii  libncurses5             5.9-1            shared libraries for terminal hand
ii  libreadline6            6.2-2            GNU readline and history libraries
ii  libstdc++6              4.6.0-10         The GNU Standard C++ Library v3
ii  libwrap0                7.6.q-19         Wietse Venema's TCP wrappers libra
ii  mysql-common            5.1.57-1.3       MySQL database common files, e.g. 
ii  perl                    5.12.3-7+b1      Larry Wall's Practical Extraction 
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

mysql-client-5.1 recommends no packages.

Versions of packages mysql-client-5.1 suggests:
ii  libterm-readkey-perl          2.30-4+b1  A perl module for simple terminal 

-- no debconf information
-------------- next part --------------
Fix things so that chains of certificates work in the server and client
certificate files.

This only really works for OpenSSL-based builds, as yassl is unable to read
multiple certificates from a file.  The patch below to yassl/src/ssl.cpp
doesn't fix that, but just arranges that the viosslfactories.c patch won't
have any ill effects in a yassl build.  Since we don't use yassl in Red Hat/
Fedora builds, I'm not feeling motivated to try to fix yassl for this.

See RH bug #598656.  Filed upstream at http://bugs.mysql.com/bug.php?id=54158


diff -Naur mysql-5.1.47.orig/vio/viosslfactories.c mysql-5.1.47/vio/viosslfactories.c
--- mysql-5.1.47.orig/vio/viosslfactories.c	2010-05-06 11:28:07.000000000 -0400
+++ mysql-5.1.47/vio/viosslfactories.c	2010-05-26 23:23:46.000000000 -0400
@@ -100,7 +100,7 @@
 		       (long) ctx, cert_file, key_file));
   if (cert_file)
   {
-    if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
+    if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0)
     {
       *error= SSL_INITERR_CERT;
       DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
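Review bot: at the `+` line, SSL_CTX_use_certificate_chain_file reads PEM only, so dropping the SSL_FILETYPE_PEM argument is correct, but the swap also silently drops support for DER-encoded certificate files that SSL_CTX_use_certificate_file accepted; that behaviour change, and the ordering the chain loader expects (leaf certificate first, then each intermediate in issuing order), should be stated in a comment above the call and in the package changelog. The error path below it is unchanged and still maps a failure to SSL_INITERR_CERT, which is fine because the new call keeps the same `<= 0` failure convention.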
diff -Naur mysql-5.1.47.orig/extra/yassl/src/ssl.cpp mysql-5.1.47/extra/yassl/src/ssl.cpp
--- mysql-5.1.47.orig/extra/yassl/src/ssl.cpp	2010-05-06 11:24:26.000000000 -0400
+++ mysql-5.1.47/extra/yassl/src/ssl.cpp	2010-05-26 23:29:13.000000000 -0400
@@ -1606,10 +1606,10 @@
     }
 
 
-    int SSL_CTX_use_certificate_chain_file(SSL_CTX*, const char*)
+    int SSL_CTX_use_certificate_chain_file(SSL_CTX* ctx, const char* file)
     {
-        // TDOD:
-        return SSL_SUCCESS;
+        // For the moment, treat like use_certificate_file
+        return read_file(ctx, file, SSL_FILETYPE_PEM, Cert);
     }
 
 
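Review bot: the yassl body now calls `read_file(ctx, file, SSL_FILETYPE_PEM, Cert)`, which loads only the first certificate in the file, so a file holding a leaf plus intermediates silently loses the intermediates while the function name still promises chain handling; the replacement comment should say so explicitly (the description above already states yassl cannot read multiple certificates) so callers on a yassl build do not assume the extra certificates are sent to peers. Compared with the old body, which returned SSL_SUCCESS unconditionally and left a "TDOD" note, the new version at least propagates read failures, which is the right direction.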

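A constructed shell demonstration of the difference the patch makes, added here and not part of the bug report or of the Debian package: it builds a throwaway root, intermediate and server leaf with the openssl CLI, then verifies the leaf once presented alone (what SSL_CTX_use_certificate_file gives a peer) and once with the intermediate included (what SSL_CTX_use_certificate_chain_file sends). It assumes an openssl binary and mktemp are on PATH; all names and the temporary directory are made up for the demo.

```shell
#!/bin/sh
# Constructed demo (not from the bug report or the Debian package): build a
# throwaway root -> intermediate -> leaf chain, then verify the leaf the way a
# MySQL client would see it from a server that loads only the leaf versus one
# that loads the full chain file. Requires the openssl CLI and mktemp.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Self-signed root (openssl req -x509 marks it CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=DemoRoot \
    -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA signed by the root; needs an explicit CA:TRUE extension.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj /CN=DemoIntermediate \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out inter.pem 2>/dev/null

# Server leaf signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj /CN=db.example.test \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 1 -out leaf.pem 2>/dev/null

# What an operator puts in ssl-cert when using the chain-file loader:
# leaf first, then the intermediate(s); the root itself is not needed.
cat leaf.pem inter.pem > chain.pem
# Leaf presented alone (SSL_CTX_use_certificate_file semantics): a client that
# trusts only the root cannot find the intermediate and verification fails.
verify_leaf_only() {
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Leaf plus intermediate (SSL_CTX_use_certificate_chain_file semantics): the
# client receives the intermediate as an untrusted helper and builds the path.
verify_with_chain() {
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# Number of PEM certificate blocks the chain file carries.
chain_cert_count() {
    grep -c 'BEGIN CERTIFICATE' chain.pem
}

if verify_leaf_only; then echo "leaf alone: OK"; else echo "leaf alone: verify fails"; fi
if verify_with_chain; then echo "leaf + intermediate: OK"; fi
echo "chain.pem holds $(chain_cert_count) certificates"
```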
