Bug#499432: libsasl2-modules-sql: SSL connection to mysql server fails

Roberto C. Sánchez roberto at connexer.com
Fri Sep 19 21:40:19 EDT 2008


[ Please be sure to keep the Debian bug address in the CC ]

The below report was submitted as a bug against the Debian package of
cyrus-sasl2.  I am not versed in MySQL at all, so I wonder if someone
else could have a look at it and provide an opinion on it or perhaps
a fix.

Regards,

-Roberto

On Thu, Sep 18, 2008 at 06:55:03PM +0200, Jochen Friedrich wrote:
> Package: libsasl2-modules-sql
> Version: 2.1.22.dfsg1-8
> Severity: normal
> 
> 
> When specifying "sql_usessl: 1" in the sasl configuration file, any
> authentication will fail with these error messages in auth.log:
> 
>  sql plugin trying to open db 'XXXX' on host 'a.b.c.d' using SSL
>  sql plugin could not connect to host a.b.c.d
>  sql plugin couldn't connect to any host
> 
> The reason is a wrong usage of the mysql API in plugins/sql.c. This line
> sets the CLIENT_SSL flag in mysql_real_connect:
> 
>      return mysql_real_connect(mysql, host, user, password, database,
>                               port ? strtoul(port, NULL, 10) : 0, NULL,
>                               usessl ? CLIENT_SSL : 0);
> 
> According to http://dev.mysql.com/doc/refman/5.0/en/mysql-real-connect.html,
> mysql_ssl_set() should be used instead.
> 
> If I replace this line by:
> 
>     if (usessl)
>        mysql_ssl_set(mysql, NULL, NULL, "<hardcoded path to my CA>", NULL, NULL);
> 
>      return mysql_real_connect(mysql, host, user, password, database,
>                               port ? strtoul(port, NULL, 10) : 0, NULL,
>                               0);
> 
> Then SSL connections work OK for me.
> 
> So, the variable sql_usessl is completely unusable. It should probably
> be replaced by
> 
> sql_ssl_key
> sql_ssl_cert
> sql_ssl_ca
> sql_ssl_capath
> sql_ssl_cipher
> 
> parameters.
> 
> Thanks,
> Jochen
> 

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
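
One way the sql_ssl_* parameters proposed in the report could be read and checked before they reach mysql_ssl_set(), as an added example that is not part of the original message or of the cyrus-sasl source. The struct, the function names and the fail-closed policy are assumptions made here; the option names are the reporter's proposal, not existing configuration keys.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for the sql_ssl_* options proposed in the report, in the
 * order of mysql_ssl_set(mysql, key, cert, ca, capath, cipher); NULL if empty. */
struct sql_ssl_conf { char key[256], cert[256], ca[256], capath[256], cipher[256]; };
/* Parse "name: value" lines into c; returns how many sql_ssl_* values were
 * stored. The ':' check keeps sql_ssl_ca and sql_ssl_capath apart. */
int parse_sql_ssl(const char *text, struct sql_ssl_conf *c)
{
    static const char *names[5] = { "sql_ssl_key", "sql_ssl_cert", "sql_ssl_ca",
                                    "sql_ssl_capath", "sql_ssl_cipher" };
    char *slots[5] = { c->key, c->cert, c->ca, c->capath, c->cipher };
    int found = 0;
    memset(c, 0, sizeof *c);
    while (*text) {
        size_t len = strcspn(text, "\n");           /* length of this line */
        for (int i = 0; i < 5; i++) {
            size_t n = strlen(names[i]);
            if (len <= n || strncmp(text, names[i], n) || text[n] != ':') continue;
            const char *v = text + n + 1;
            size_t vlen = len - n - 1;
            while (vlen && (*v == ' ' || *v == '\t')) { v++; vlen--; }
            while (vlen && (v[vlen - 1] == ' ' || v[vlen - 1] == '\r')) vlen--;
            if (vlen && vlen < sizeof c->key) {     /* over-long values are dropped */
                memcpy(slots[i], v, vlen); slots[i][vlen] = '\0';
                found++;
            }
        }
        text += len + (text[len] == '\n');          /* step past the newline, if any */
    }
    return found;
}

/* Policy assumed for this example: fail closed unless a CA file or directory
 * is set, and a client key and certificate are given together or not at all. */
int ssl_conf_usable(const struct sql_ssl_conf *c)
{
    int has_ca = c->ca[0] != '\0' || c->capath[0] != '\0';
    int paired = (c->key[0] != '\0') == (c->cert[0] != '\0');
    return has_ca && paired;
}

int main(void)
{
    struct sql_ssl_conf c;
    parse_sql_ssl("sql_ssl_ca: /etc/ssl/example-ca.pem\n", &c); /* constructed sample */
    printf("usable=%d ca=%s\n", ssl_conf_usable(&c), c.ca);
    return 0;
}
```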