WL#7198: Add SSL support for mysqlbinlog
Affects: Server-5.7
Status: Complete
Summary
=======

This worklog adds SSL options to the mysqlbinlog client program, allowing system administrators to perform remote binlog queries (--read-from-remote-server option) over secure connections. Of the current MySQL client programs, mysqlbinlog is the only one without SSL support. The implementation should use the same SSL options available in the other MySQL client programs.

References
==========

Bug#11751199
High-Level Specification
========================

All MySQL client tools supporting SSL use the same set of SSL options to configure SSL support for a MySQL client connection to a given MySQL server. The code for supporting these SSL options as command line parameters, for creating the SSL option variables (with their defaults) and for handling the SSL options during command line option evaluation already exists and is distributed across three include files.

The behavior of the mysqlbinlog client program using SSL options will be the same as that of the other MySQL client tools, with the same SSL options and the same SSL defaults. No SSL functionality will be added only to the mysqlbinlog client program. Future changes to the SSL options of the MySQL client tools will be picked up by the mysqlbinlog client program without the need for new worklogs.

Interface Specification
=======================

Interface changes:

I-1: The usage message of the mysqlbinlog client program will display all supported SSL related options:

  --ssl                     Enable SSL for connection (automatically enabled with other flags).
  --ssl-ca=name             CA file in PEM format (check OpenSSL docs, implies --ssl).
  --ssl-capath=name         CA directory (check OpenSSL docs, implies --ssl).
  --ssl-cert=name           X509 cert in PEM format (implies --ssl).
  --ssl-cipher=name         SSL cipher to use (implies --ssl).
  --ssl-key=name            X509 key in PEM format (implies --ssl).
  --ssl-crl=name            Certificate revocation list (implies --ssl).
  --ssl-crlpath=name        Certificate revocation list path (implies --ssl).
  --ssl-verify-server-cert  Verify server's "Common Name" in its cert against
                            hostname used when connecting. This option is
                            disabled by default.
I-2: The variables list of the mysqlbinlog client program will display all SSL related variables and their default values:

  ssl                       FALSE
  ssl-ca                    (No default value)
  ssl-capath                (No default value)
  ssl-cert                  (No default value)
  ssl-cipher                (No default value)
  ssl-key                   (No default value)
  ssl-crl                   (No default value)
  ssl-crlpath               (No default value)
  ssl-verify-server-cert    FALSE
Low-Level Design Specification
==============================

Affected files:
- client/mysqlbinlog.cc

The specified SSL options are already supported by the other MySQL client tools. To support these SSL options, MySQL client tools use three includes:
- sslopt-longopts.h adds all the command line SSL options to the options supported by the client tool;
- sslopt-vars.h declares all the variables needed by the client tool to handle the SSL options;
- sslopt-case.h contains all the code for handling the SSL options when evaluating the command line options passed to the client tool;

Also, MySQL client tools have to pass the SSL options on to the MySQL connection, so that the client actually uses SSL on its connection. For this, client tools use:
- the mysql_ssl_set function to fill in the SSL part of the MYSQL structure and set the 'use_ssl' flag;
- the mysql_options function to add information about the certificate revocation list and the certificate revocation list path;
- the mysql_options function to add the option to verify the server "Common Name" presented in the server's certificate against the hostname used when connecting;

Our patch will use the strategy described above to add SSL support to the mysqlbinlog client program.

Pseudo-code specification for client/mysqlbinlog.cc
===================================================

  [..]
  // In the includes section
  #include [..]
  [..]

  // In static struct my_option my_long_options[] =
  #include [..]
  [..]

  // In switch (optid) @ get_one_option
  #include [..]
  [..]

  // In static Exit_status safe_connect()
  #ifdef HAVE_OPENSSL
    if (opt_use_ssl)
    {
      mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
                    opt_ssl_capath, opt_ssl_cipher);
      mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
      mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
    }
    mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                  (char*) &opt_ssl_verify_server_cert);
  #endif
  [..]
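The following stand-alone C program is an added example, not code from this worklog or from the MySQL sources. It models what the sslopt-longopts.h / sslopt-vars.h / sslopt-case.h trio described above gives a client such as mysqlbinlog: the option names and defaults are the ones listed in the interface specification (every --ssl-*=name option implies --ssl, --ssl-verify-server-cert is off by default), and a small classifier shows what a given option set actually guarantees once safe_connect() hands the values to mysql_ssl_set() and mysql_options(). The struct, function and helper names (ssl_opts, parse_ssl_opts, classify_ssl_opts, opt_value) and the file paths in main() are assumptions made for this example; the guarantee levels follow general TLS reasoning (no CA means no trust anchor to verify the server certificate against, and hostname matching is a separate step) rather than anything the worklog states.

```c
/*
 * Added example, not part of WL#7198 or the MySQL sources: a stand-alone
 * model of the SSL option handling that the sslopt-*.h includes give a
 * MySQL client program, plus a check on what the resulting option set
 * guarantees. Option names and defaults are the worklog's; struct, function
 * and helper names are assumptions made for this example.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the sslopt-vars.h variables and their worklog defaults. */
struct ssl_opts {
    bool use_ssl;              /* --ssl                     default FALSE */
    const char *key, *cert;    /* --ssl-key, --ssl-cert     no default    */
    const char *ca, *capath;   /* --ssl-ca, --ssl-capath    no default    */
    const char *cipher;        /* --ssl-cipher              no default    */
    const char *crl, *crlpath; /* --ssl-crl, --ssl-crlpath  no default    */
    bool verify_server_cert;   /* --ssl-verify-server-cert  default FALSE */
};

/* What the connection can vouch for, from weakest to strongest. */
enum ssl_guarantee {
    SSL_NONE,            /* no --ssl option in effect: plaintext              */
    SSL_ENCRYPTED_ONLY,  /* TLS, but no trust anchor for the server's cert     */
    SSL_CHAIN_VERIFIED,  /* server cert chains to --ssl-ca / --ssl-capath      */
    SSL_HOST_VERIFIED    /* chain verified and "Common Name" matched to host   */
};

/* If arg is "<name>=<value>", return <value>; otherwise NULL. */
static const char *opt_value(const char *arg, const char *name)
{
    size_t n = strlen(name);
    return (strncmp(arg, name, n) == 0 && arg[n] == '=') ? arg + n + 1 : NULL;
}

/*
 * Parse argv the way sslopt-case.h would: every --ssl-<x>=name option
 * implies --ssl, while --ssl-verify-server-cert on its own does not (the
 * worklog's usage text says "implies --ssl" only for the former group).
 * Returns the number of SSL options recognised; other arguments are ignored.
 */
int parse_ssl_opts(int argc, char **argv, struct ssl_opts *o)
{
    int seen = 0;
    memset(o, 0, sizeof *o);                 /* all defaults: FALSE / no value */
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i], *v;
        if (strcmp(a, "--ssl") == 0)                         o->use_ssl = true;
        else if (strcmp(a, "--ssl-verify-server-cert") == 0) o->verify_server_cert = true;
        else if ((v = opt_value(a, "--ssl-key")))     { o->key = v;     o->use_ssl = true; }
        else if ((v = opt_value(a, "--ssl-cert")))    { o->cert = v;    o->use_ssl = true; }
        else if ((v = opt_value(a, "--ssl-ca")))      { o->ca = v;      o->use_ssl = true; }
        else if ((v = opt_value(a, "--ssl-capath")))  { o->capath = v;  o->use_ssl = true; }
        else if ((v = opt_value(a, "--ssl-cipher")))  { o->cipher = v;  o->use_ssl = true; }
        else if ((v = opt_value(a, "--ssl-crl")))     { o->crl = v;     o->use_ssl = true; }
        else if ((v = opt_value(a, "--ssl-crlpath"))) { o->crlpath = v; o->use_ssl = true; }
        else continue;
        seen++;
    }
    return seen;
}

/*
 * Classify what an option set guarantees. Without a CA file or directory
 * there is no trust anchor, so the server's certificate cannot be verified
 * and hostname matching adds no assurance; the "Common Name" check only
 * happens when --ssl-verify-server-cert is given, which is off by default.
 */
enum ssl_guarantee classify_ssl_opts(const struct ssl_opts *o)
{
    if (!o->use_ssl)
        return SSL_NONE;
    if (!o->ca && !o->capath)
        return SSL_ENCRYPTED_ONLY;
    return o->verify_server_cert ? SSL_HOST_VERIFIED : SSL_CHAIN_VERIFIED;
}

int main(void)
{
    /* Constructed sample command lines; the paths are placeholders. */
    char *weak[]   = { "mysqlbinlog", "--read-from-remote-server", "--ssl",
                       "binlog.000001" };
    char *strong[] = { "mysqlbinlog", "--read-from-remote-server",
                       "--ssl-ca=/etc/mysql/ca.pem", "--ssl-verify-server-cert",
                       "binlog.000001" };
    static const char *names[] = { "plaintext", "encrypted only",
                                   "chain verified", "host verified" };
    struct ssl_opts o;

    parse_ssl_opts(4, weak, &o);
    printf("--ssl alone:                          %s\n", names[classify_ssl_opts(&o)]);
    parse_ssl_opts(5, strong, &o);
    printf("--ssl-ca + --ssl-verify-server-cert:  %s\n", names[classify_ssl_opts(&o)]);
    return 0;
}
```

Run as-is it contrasts the two command lines: --ssl by itself yields an encrypted but unauthenticated session under the worklog's defaults, whereas supplying a CA together with --ssl-verify-server-cert is what ties the session to the intended server.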
Copyright (c) 2000, 2024, Oracle Corporation and/or its affiliates. All rights reserved.