From bee1386bfaf50e8df30050a19b646ba3c33e689f Mon Sep 17 00:00:00 2001 From: Michael Gmelin Date: Wed, 24 Jan 2018 01:03:03 +0000 Subject: Fix databases/mariadb* hostname verification when building against LibreSSL LibreSSL imported X509_check_host from BoringSSL. Unlike OpenSSL, it doesn't calculate the length of the hostname passed in case chklen/namelen == 0. This means that the check in MariaDB always fails if built against LibreSSL. This forces administrators to disable hostname verification, which weakens security (hence the MFH request below). Note that the fix has no negative implications if built against OpenSSL, as its implementation calls strlen(hostname) in case namelen == 0. See also https://github.com/MariaDB/server/pull/562 Approved by: ssl blanket MFH: 2018Q1 --- databases/mariadb101-client/files/patch-sql-common_client.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 databases/mariadb101-client/files/patch-sql-common_client.c (limited to 'databases/mariadb101-client') diff --git a/databases/mariadb101-client/files/patch-sql-common_client.c b/databases/mariadb101-client/files/patch-sql-common_client.c new file mode 100644 index 000000000000..85e857c65dc8 --- /dev/null +++ b/databases/mariadb101-client/files/patch-sql-common_client.c @@ -0,0 +1,12 @@ +--- sql-common/client.c.orig 2018-01-24 00:36:45.520273000 +0100 ++++ sql-common/client.c 2018-01-24 00:37:57.536367000 +0100 +@@ -1821,7 +1821,8 @@ + */ + + #ifdef HAVE_X509_check_host +- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1; ++ ret_validation= X509_check_host(server_cert, server_hostname, ++ strlen(server_hostname), 0, 0) != 1; + #else + subject= X509_get_subject_name(server_cert); + cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); -- cgit v1.2.3
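Review bot: the replacement call at `++ strlen(server_hostname), 0, 0) != 1;` dereferences server_hostname unconditionally, and strlen("") returns 0, so an empty hostname lands right back in the namelen == 0 case that the commit message says LibreSSL's X509_check_host does not handle; no guard is visible in the hunk, so confirm that the caller rejects a NULL or empty server_hostname before this line is reached, or add an explicit check ahead of the #ifdef that sets ret_validation to a failure for that input. Two smaller points: the patch adds no include, so confirm that sql-common/client.c already pulls in the header declaring strlen(); and keep the `!= 1` comparison exactly as written, since X509_check_host returns 1 only on a match, 0 on no match and negative values on malformed input or internal error, and all of the non-1 outcomes must count as a failed validation.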