author | Michael Gmelin <grembo@FreeBSD.org> | 2018-01-24 01:03:03 +0000 |
---|---|---|
committer | Michael Gmelin <grembo@FreeBSD.org> | 2018-01-24 01:03:03 +0000 |
commit | bee1386bfaf50e8df30050a19b646ba3c33e689f (patch) | |
tree | 0f02297b493a9c0ff49c70420c02752e3522989b /databases/mariadb101-client | |
parent | This apparently links libunwind directly. (diff) |
Fix databases/mariadb* hostname verification when building against LibreSSL
LibreSSL imported X509_check_host from BoringSSL. Unlike OpenSSL,
it doesn't calculate the length of the hostname passed in case
chklen/namelen == 0. This means that the check in MariaDB always
fails if built against LibreSSL. This forces administrators to disable
hostname verification, which weakens security (hence the MFH request below).
Note that the fix has no negative implications if built against OpenSSL,
as its implementation calls strlen(hostname) in case namelen == 0.
See also https://github.com/MariaDB/server/pull/562
Approved by: ssl blanket
MFH: 2018Q1
Notes:
svn path=/head/; revision=459808
Diffstat (limited to 'databases/mariadb101-client')
-rw-r--r-- | databases/mariadb101-client/files/patch-sql-common_client.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/databases/mariadb101-client/files/patch-sql-common_client.c b/databases/mariadb101-client/files/patch-sql-common_client.c new file mode 100644 index 000000000000..85e857c65dc8 --- /dev/null +++ b/databases/mariadb101-client/files/patch-sql-common_client.c @@ -0,0 +1,12 @@ +--- sql-common/client.c.orig 2018-01-24 00:36:45.520273000 +0100 ++++ sql-common/client.c 2018-01-24 00:37:57.536367000 +0100 +@@ -1821,7 +1821,8 @@ + */ + + #ifdef HAVE_X509_check_host +- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1; ++ ret_validation= X509_check_host(server_cert, server_hostname, ++ strlen(server_hostname), 0, 0) != 1; + #else + subject= X509_get_subject_name(server_cert); + cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); |
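Review bot: In the HAVE_X509_check_host branch, the new strlen(server_hostname) argument dereferences server_hostname before X509_check_host is called, and nothing in the visible context shows the pointer being checked for NULL. Previously the pointer was handed to the library as-is with a length of 0, so please confirm that the surrounding code guarantees a non-NULL hostname at this point, or guard the call so that a missing hostname fails validation instead of crashing the client. A one-line comment on the call would also help: the commit message explains that the explicit length is needed because LibreSSL does not compute it when namelen is 0, but the patched source does not say so, and the argument could later be simplified back to 0 by someone testing only against OpenSSL.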