[ Please be sure to keep the Debian bug address in the CC ]

The below report was submitted as a bug against the Debian package of
cyrus-sasl2. I am not versed in MySQL at all, so I wonder if someone
else could have a look at it and provide an opinion on it or perhaps a
fix.

Regards,

-Roberto

On Thu, Sep 18, 2008 at 06:55:03PM +0200, Jochen Friedrich wrote:
> Package: libsasl2-modules-sql
> Version: 2.1.22.dfsg1-8
> Severity: normal
>
>
> When specifying "sql_usessl: 1" in the sasl configuration file, any
> authentication will fail with these error messages in auth.log:
>
>   sql plugin trying to open db 'XXXX' on host 'a.b.c.d' using SSL
>   sql plugin could not connect to host a.b.c.d
>   sql plugin couldn't connect to any host
>
> The reason is a wrong usage of the mysql API in plugins/sql.c. This line
> sets the CLIENT_SSL flag in mysql_real_connect:
>
>     return mysql_real_connect(mysql, host, user, password, database,
>                               port ? strtoul(port, NULL, 10) : 0, NULL,
>                               usessl ? CLIENT_SSL : 0);
>
> According to http://dev.mysql.com/doc/refman/5.0/en/mysql-real-connect.html,
> mysql_ssl_set() should be used instead.
>
> If I replace this line by:
>
>     if (usessl)
>         mysql_ssl_set(mysql, NULL, NULL, "<hardcoded path to my CA>", NULL, NULL);
>
>     return mysql_real_connect(mysql, host, user, password, database,
>                               port ? strtoul(port, NULL, 10) : 0, NULL,
>                               0);
>
> Then SSL connections work OK for me.
>
> So, the variable sql_usessl is completely unusable. It should probably
> be replaced by
>
>   sql_ssl_key
>   sql_ssl_cert
>   sql_ssl_ca
>   sql_ssl_capath
>   sql_ssl_cipher
>
> parameters.
>
> Thanks,
> Jochen
>

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com