MySQL  8.0.18
Source Code Documentation
ssl_acceptor_context.cc File Reference

SslAcceptorContext implementation. More...

#include "sql/ssl_acceptor_context.h"
#include <my_dir.h>
#include <sql/mysqld.h>
#include "my_config.h"
#include "mysql.h"
#include "mysql/components/services/log_builtins.h"
#include "sql/auth/auth_common.h"
#include "sql/options_mysqld.h"
#include "sql/sql_initialize.h"
#include "sql/sys_vars.h"

Functions

static char * my_asn1_time_to_string (ASN1_TIME *time, char *buf, int len)
 
static const char * verify_store_cert (SSL_CTX *ctx, SSL *ssl)
 Verifies the server certificate for formal validity and against the CA certificates if specified. More...
 
static int warn_one (const char *file_name)
 

Variables

static const char * opt_ssl_ca = nullptr
 SSL context options. More...
 
static const char * opt_ssl_key = nullptr
 
static const char * opt_ssl_cert = nullptr
 
static char * opt_ssl_capath = NULL
 
static char * opt_ssl_cipher = NULL
 
static char * opt_tls_ciphersuites = NULL
 
static char * opt_ssl_crl = NULL
 
static char * opt_ssl_crlpath = NULL
 
static char * opt_tls_version = NULL
 
static PolyLock_mutex lock_ssl_ctx & LOCK_tls_ctx_options
 
static Sys_var_charptr Sys_ssl_ca ("ssl_ca", "CA file in PEM format (check OpenSSL docs, implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_ca), CMD_LINE(REQUIRED_ARG, OPT_SSL_CA), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
 
static Sys_var_charptr Sys_ssl_capath ("ssl_capath", "CA directory (check OpenSSL docs, implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_capath), CMD_LINE(REQUIRED_ARG, OPT_SSL_CAPATH), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
 
static Sys_var_charptr Sys_tls_version ("tls_version", "TLS version, permitted values are TLSv1, TLSv1.1, TLSv1.2, TLSv1.3", PERSIST_AS_READONLY GLOBAL_VAR(opt_tls_version), CMD_LINE(REQUIRED_ARG, OPT_TLS_VERSION), IN_FS_CHARSET, "TLSv1,TLSv1.1,TLSv1.2", &lock_ssl_ctx)
 
static Sys_var_charptr Sys_ssl_cert ("ssl_cert", "X509 cert in PEM format (implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_cert), CMD_LINE(REQUIRED_ARG, OPT_SSL_CERT), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
 
static Sys_var_charptr Sys_ssl_cipher ("ssl_cipher", "SSL cipher to use (implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_cipher), CMD_LINE(REQUIRED_ARG, OPT_SSL_CIPHER), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
 
static Sys_var_charptr Sys_tls_ciphersuites ("tls_ciphersuites", "TLS v1.3 ciphersuite to use (implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_tls_ciphersuites), CMD_LINE(REQUIRED_ARG, OPT_TLS_CIPHERSUITES), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
 
static Sys_var_charptr Sys_ssl_key ("ssl_key", "X509 key in PEM format (implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_key), CMD_LINE(REQUIRED_ARG, OPT_SSL_KEY), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
 
static Sys_var_charptr Sys_ssl_crl ("ssl_crl", "CRL file in PEM format (check OpenSSL docs, implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_crl), CMD_LINE(REQUIRED_ARG, OPT_SSL_CRL), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
 
static Sys_var_charptr Sys_ssl_crlpath ("ssl_crlpath", "CRL directory (check OpenSSL docs, implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_crlpath), CMD_LINE(REQUIRED_ARG, OPT_SSL_CRLPATH), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
 

Detailed Description

SslAcceptorContext implementation.

Function Documentation

◆ my_asn1_time_to_string()

static char* my_asn1_time_to_string ( ASN1_TIME *  time,
char *  buf,
int  len 
)
static

◆ verify_store_cert()

static const char* verify_store_cert ( SSL_CTX *  ctx,
SSL *  ssl 
)
static

Verifies the server certificate for formal validity and against the CA certificates if specified.

This verifies things such as expiration dates, the presence of a full certificate chain, etc.

Parameters
ctx	The listening SSL context with all certificates installed
ssl	An SSL handle to extract the certificate from.
Return values
NULL	No errors found
non-null	The text of the error from the library

◆ warn_one()

static int warn_one ( const char *  file_name)
static

Variable Documentation

◆ LOCK_tls_ctx_options

PolyLock_mutex lock_ssl_ctx& LOCK_tls_ctx_options
static

◆ opt_ssl_ca

const char* opt_ssl_ca = nullptr
static

SSL context options.

Ideally these would have been static members of the SslAcceptorContext class, but since the Sys_var classes need them as parameters to global instances, we do the next best thing and make them static so that their visibility is confined to the current file.

◆ opt_ssl_capath

char* opt_ssl_capath = NULL
static

◆ opt_ssl_cert

const char* opt_ssl_cert = nullptr
static

◆ opt_ssl_cipher

char * opt_ssl_cipher = NULL
static

◆ opt_ssl_crl

char * opt_ssl_crl = NULL
static

◆ opt_ssl_crlpath

char * opt_ssl_crlpath = NULL
static

◆ opt_ssl_key

const char* opt_ssl_key = nullptr
static

◆ opt_tls_ciphersuites

char * opt_tls_ciphersuites = NULL
static

◆ opt_tls_version

char * opt_tls_version = NULL
static

◆ Sys_ssl_ca

Sys_var_charptr Sys_ssl_ca("ssl_ca", "CA file in PEM format (check OpenSSL docs, implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_ca), CMD_LINE(REQUIRED_ARG, OPT_SSL_CA), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
static

◆ Sys_ssl_capath

Sys_var_charptr Sys_ssl_capath("ssl_capath", "CA directory (check OpenSSL docs, implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_capath), CMD_LINE(REQUIRED_ARG, OPT_SSL_CAPATH), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
static

◆ Sys_ssl_cert

Sys_var_charptr Sys_ssl_cert("ssl_cert", "X509 cert in PEM format (implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_cert), CMD_LINE(REQUIRED_ARG, OPT_SSL_CERT), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
static

◆ Sys_ssl_cipher

Sys_var_charptr Sys_ssl_cipher("ssl_cipher", "SSL cipher to use (implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_cipher), CMD_LINE(REQUIRED_ARG, OPT_SSL_CIPHER), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
static

◆ Sys_ssl_crl

Sys_var_charptr Sys_ssl_crl("ssl_crl", "CRL file in PEM format (check OpenSSL docs, implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_crl), CMD_LINE(REQUIRED_ARG, OPT_SSL_CRL), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
static

◆ Sys_ssl_crlpath

Sys_var_charptr Sys_ssl_crlpath("ssl_crlpath", "CRL directory (check OpenSSL docs, implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_crlpath), CMD_LINE(REQUIRED_ARG, OPT_SSL_CRLPATH), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
static

◆ Sys_ssl_key

Sys_var_charptr Sys_ssl_key("ssl_key", "X509 key in PEM format (implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_ssl_key), CMD_LINE(REQUIRED_ARG, OPT_SSL_KEY), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
static

◆ Sys_tls_ciphersuites

Sys_var_charptr Sys_tls_ciphersuites("tls_ciphersuites", "TLS v1.3 ciphersuite to use (implies --ssl)", PERSIST_AS_READONLY GLOBAL_VAR(opt_tls_ciphersuites), CMD_LINE(REQUIRED_ARG, OPT_TLS_CIPHERSUITES), IN_FS_CHARSET, DEFAULT(0), &lock_ssl_ctx)
static

◆ Sys_tls_version

Sys_var_charptr Sys_tls_version("tls_version", "TLS version, permitted values are TLSv1, TLSv1.1, TLSv1.2, TLSv1.3", PERSIST_AS_READONLY GLOBAL_VAR(opt_tls_version), CMD_LINE(REQUIRED_ARG, OPT_TLS_VERSION), IN_FS_CHARSET, "TLSv1,TLSv1.1,TLSv1.2", &lock_ssl_ctx)
static