Your message dated Thu, 05 Jul 2012 15:53:12 +0000
with message-id <[email protected]>
and subject line Bug#680362: Removed package(s) from unstable
has caused the Debian Bug report #646841,
regarding mysql-client-5.1: linking against OpenSSL (instead of yaSSL)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
646841: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646841
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mysql-client-5.1
Version: 5.1.57-1.3
Severity: wishlist
Tags: patch
Having recently configured MySQL 5.1 for the first time to
properly support SSL certificates under RHEL 6, I found out that the
Debian version of the MySQL 5.1 library does not correctly connect to
such servers because MySQL 5.1 itself doesn't correctly support chained
SSL certificates, which are commonly used pretty much everywhere.
Fixing this in Debian seems like an important thing to do since
a lot of the RPM based distributions will be adopting this because of
the Red Hat change. And more importantly, it just seems like the right
thing to do, implementing proper SSL functionality. This does mean that
the MySQL 5.1 packages would need to be linked against OpenSSL
explicitly though, which may have been changed in the past for some
reason I'm not finding elsewhere. Maybe it's an architecture issue.
Even so, I think it should be fixed where it can be, even if it
means linking against OpenSSL. I'm not sure where the Debian MySQL
packages fall concerning the OpenSSL licensing exception. Looking at:
---
http://www.mysql.com/about/legal/licensing/foss-exception/
it seems that OpenSSL is explicitly allowed when linking the MySQL
libraries, so it seems like this should be acceptable from a legal point
of view, but I am not a lawyer.
Anyway, I'm attaching the patch I've been using from the Red Hat
source RPM. The Red Hat bug is:
---
https://bugzilla.redhat.com/show_bug.cgi?id=598656
and the MySQL bug is:
---
http://bugs.mysql.com/bug.php?id=54158
The patch not only adds the chained certificate support when linking
against OpenSSL, but also fixes yassl to not break in the presence of
this fix.
All I've had to change to get this to work after patching is to change
"--with--ssl" to "--with-ssl=/usr/lib" in debian/rules and then rebuild
the package. I've also been commenting out the test suite in the same
file, even though it should pass with this patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (650, 'testing'), (600, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages mysql-client-5.1 depends on:
ii debianutils 4.0.1 Miscellaneous utilities specific t
ii libc6 2.13-4 Embedded GNU C Library: Shared lib
ii libdbd-mysql-perl 4.018-1+b1 Perl5 database interface to the My
ii libdbi-perl 1.616-1+b1 Perl Database Interface (DBI)
ii libgcc1 1:4.6.0-10 GCC support library
ii libmysqlclient16 5.1.57-1.3 MySQL database client library
ii libncurses5 5.9-1 shared libraries for terminal hand
ii libreadline6 6.2-2 GNU readline and history libraries
ii libstdc++6 4.6.0-10 The GNU Standard C++ Library v3
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii mysql-common 5.1.57-1.3 MySQL database common files, e.g.
ii perl 5.12.3-7+b1 Larry Wall's Practical Extraction
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
mysql-client-5.1 recommends no packages.
Versions of packages mysql-client-5.1 suggests:
ii libterm-readkey-perl 2.30-4+b1 A perl module for simple terminal
-- no debconf information
Fix things so that chains of certificates work in the server and client
certificate files.
This only really works for OpenSSL-based builds, as yassl is unable to read
multiple certificates from a file. The patch below to yassl/src/ssl.cpp
doesn't fix that, but just arranges that the viosslfactories.c patch won't
have any ill effects in a yassl build. Since we don't use yassl in Red Hat/
Fedora builds, I'm not feeling motivated to try to fix yassl for this.
See RH bug #598656. Filed upstream at http://bugs.mysql.com/bug.php?id=54158
diff -Naur mysql-5.1.47.orig/vio/viosslfactories.c
mysql-5.1.47/vio/viosslfactories.c
--- mysql-5.1.47.orig/vio/viosslfactories.c 2010-05-06 11:28:07.000000000
-0400
+++ mysql-5.1.47/vio/viosslfactories.c 2010-05-26 23:23:46.000000000 -0400
@@ -100,7 +100,7 @@
(long) ctx, cert_file, key_file));
if (cert_file)
{
- if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
+ if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0)
{
*error= SSL_INITERR_CERT;
DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error),
cert_file));
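Review bot: the changed call to SSL_CTX_use_certificate_chain_file(ctx, cert_file) has no comment saying that cert_file may now contain a chain rather than a single certificate, or that the effect depends on the SSL library the build links against. The ssl.cpp hunk in this same patch makes the yaSSL version behave like a single-certificate load, so the same line gives different results in the two builds. A short comment above the call stating both points would keep a later cleanup from switching it back to SSL_CTX_use_certificate_file(). The error branch is unchanged and still reports SSL_INITERR_CERT with the file name, which remains appropriate for the new call.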
diff -Naur mysql-5.1.47.orig/extra/yassl/src/ssl.cpp
mysql-5.1.47/extra/yassl/src/ssl.cpp
--- mysql-5.1.47.orig/extra/yassl/src/ssl.cpp 2010-05-06 11:24:26.000000000
-0400
+++ mysql-5.1.47/extra/yassl/src/ssl.cpp 2010-05-26 23:29:13.000000000
-0400
@@ -1606,10 +1606,10 @@
}
- int SSL_CTX_use_certificate_chain_file(SSL_CTX*, const char*)
+ int SSL_CTX_use_certificate_chain_file(SSL_CTX* ctx, const char* file)
{
- // TDOD:
- return SSL_SUCCESS;
+ // For the moment, treat like use_certificate_file
+ return read_file(ctx, file, SSL_FILETYPE_PEM, Cert);
}
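Review bot: the new body of SSL_CTX_use_certificate_chain_file() reads the file through read_file(ctx, file, SSL_FILETYPE_PEM, Cert), which the patch description says cannot read multiple certificates from a file, so a yaSSL build given a chain file will load one certificate and silently ignore the rest. The replacement comment "For the moment, treat like use_certificate_file" drops the old TODO marker without recording that limitation. Suggest keeping a TODO and saying explicitly that additional certificates in the file are not loaded, so the gap stays visible to whoever next touches this function. It is also worth confirming that every caller checks the return value, since the old stub always returned SSL_SUCCESS and the new one can fail.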
--- End Message ---
--- Begin Message ---
Version: 5.1.62-1+rm
Dear submitter,
as the package mysql-5.1 has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see http://bugs.debian.org/680362
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].
Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl (the ftpmaster behind the curtain)
--- End Message ---