Add support for MYSQL_OPT_SSL_VERIFY_SERVER_CERT

[jfritcher]

Add option to allow Python code to enable verification of the server's
hostname against the name in its certificate.

For those who want to do hostname validation against their database, this is the only usable method for doing so.

I originally found a request to add this functionality on SourceForge, but it appears to have been ignored before the move to GitHub, so I cleaned up the original patch and am resubmitting it here as a PR.

[dermoth]

+1

That said, I was testing this up using a preload library and still, regardless of what I specify for the trusted CA path, it succeeds... I'm not sure if the library still reads the system CA path (but I have to specify it anyway to get SSL to work) or just don't verify anything. I have no key or cert on the client, just the trusted roots (and FWIW this works only with the MariaDB client libs, which I have to preload as my Python libs are still compiled against an older MySQL version - MySSQL 5.5 vs MariaDB 10.0...)

[dermoth]

Meh! I could've just tested using a different server name. Indeed using LD_PRELOAD makes the check effective, so although needed to enable ssl capath is not particularly useful (except maybe to add more certs to the trusted set?).

In the mean time I cleaned my code; you can use this to get your client to verify certificates:

/*
 * Preload lib to set MYSQL_OPT_SSL_VERIFY_SERVER_CERT in mysqlclient
 *
 * Usage:
 *
 * Just preload as such, ex assuming the client binary is "someunsecuresslclient":
 *
 *   $ LD_PRELOAD="/path/to/sslverify.so" someunsecuresslclient
 * 
 * Author: Thomas Guyot-Sionnest <tguyot@gmail.com>
 *
 * Copyright: I hereby place this code into the public domain.
 *
 * Compile with something like this (replace "-lmysqlclient -I/usr/include/mysql" with
 * "-lmariadb -I/usr/include/mariadb" to use MariaDB client libs):
 *
 *   $ gcc -Wall -fPIC -shared -ldl -lmysqlclient -I/usr/include/mysql -o sslverify.so sslverify.c
 *   $ strip sslverify.so
 *
 */

#include <stdio.h>
#include <stdlib.h>

#include <mysql.h>
#include <my_config.h>

/* MariaDB uses a different return type, hack around it */
#ifdef LIBMARIADB
#define my_bool int
#endif

/* mysql may define these already; undef and redefine them to avoid warnings */
#undef _GNU_SOURCE
#undef __USE_GNU
#define _GNU_SOURCE
#define __USE_GNU
#include <dlfcn.h>

my_bool mysql_ssl_set(MYSQL *mysql, const char *key, const char *cert, const char *ca, const char *capath, const char *cipher) {
	int trueval = 1;

	/* Get a pointer to the original function */
	my_bool (*_mysql_ssl_set)(MYSQL *, const char *, const char *, const char *, const char *, const char *);
	_mysql_ssl_set = dlsym(RTLD_NEXT, "mysql_ssl_set");

	mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &trueval);
	return (*_mysql_ssl_set)(mysql, key, cert, ca, capath, cipher);
}