Merge pull request #8328 from mind04/pdns-mysql-ssl

auth: gmysql backend, add an option to send the SSL capability flag t…
PowerDNS · Sep 24, 2019 · c604f94 · c604f94
2 parents e3c2649 + 596d4cd
commit c604f94
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 5 deletions.
diff --git a/docs/backends/generic-mysql.rst b/docs/backends/generic-mysql.rst
@@ -124,6 +124,14 @@ Enable DNSSEC processing for this backend. Default: no.
 
 Use the InnoDB READ-COMMITTED transaction isolation level. Default: yes.
 
+.. _setting-gmysql-ssl:
+
+``gmysql-ssl``
+^^^^^^^^^^^^^^^^^^
+.. versionadded:: 4.2.1
+
+Send the CLIENT_SSL capabily flag to the server. SSL suppport is announced by the server via CLIENT_SSL and is enabled if the client returns the same capability. Default: no.
+
 .. _setting-gmysql-timeout:
 
 ``gmysql-timeout``

diff --git a/modules/gmysqlbackend/gmysqlbackend.cc b/modules/gmysqlbackend/gmysqlbackend.cc
@@ -60,7 +60,8 @@ void gMySQLBackend::reconnect()
                    getArg("group"),
                    mustDo("innodb-read-committed"),
                    getArgAsNum("timeout"),
-                   mustDo("thread-cleanup")));
+                   mustDo("thread-cleanup"),
+                   mustDo("ssl")));
 }
 
 class gMySQLFactory : public BackendFactory
@@ -80,6 +81,7 @@ class gMySQLFactory : public BackendFactory
     declare(suffix,"innodb-read-committed","Use InnoDB READ-COMMITTED transaction isolation level","yes");
     declare(suffix,"timeout", "The timeout in seconds for each attempt to read/write to the server", "10");
     declare(suffix,"thread-cleanup","Explicitly call mysql_thread_end() when threads end","no");
+    declare(suffix,"ssl","Send the SSL capability flag to the server","no");
 
     declare(suffix,"dnssec","Enable DNSSEC processing","no");
 

diff --git a/modules/gmysqlbackend/smysql.cc b/modules/gmysqlbackend/smysql.cc
@@ -481,7 +481,7 @@ void SMySQL::connect()
                             d_database.empty() ? NULL : d_database.c_str(),
                             d_port,
                             d_msocket.empty() ? NULL : d_msocket.c_str(),
-                            CLIENT_MULTI_RESULTS)) {
+                            (d_clientSSL ? CLIENT_SSL : 0) | CLIENT_MULTI_RESULTS)) {
 
       if (retry == 0)
         throw sPerrorException("Unable to connect to database");
@@ -497,8 +497,8 @@ void SMySQL::connect()
 }
 
 SMySQL::SMySQL(const string &database, const string &host, uint16_t port, const string &msocket, const string &user,
-               const string &password, const string &group, bool setIsolation, unsigned int timeout, bool threadCleanup):
-  d_database(database), d_host(host), d_msocket(msocket), d_user(user), d_password(password), d_group(group), d_timeout(timeout), d_port(port), d_setIsolation(setIsolation), d_threadCleanup(threadCleanup)
+               const string &password, const string &group, bool setIsolation, unsigned int timeout, bool threadCleanup, bool clientSSL):
+  d_database(database), d_host(host), d_msocket(msocket), d_user(user), d_password(password), d_group(group), d_timeout(timeout), d_port(port), d_setIsolation(setIsolation), d_threadCleanup(threadCleanup), d_clientSSL(clientSSL)
 {
   connect();
 }

diff --git a/modules/gmysqlbackend/smysql.hh b/modules/gmysqlbackend/smysql.hh
@@ -33,7 +33,7 @@ public:
          const string &msocket="",const string &user="",
          const string &password="", const string &group="",
          bool setIsolation=false, unsigned int timeout=10,
-         bool threadCleanup=false);
+         bool threadCleanup=false, bool clientSSL=false);
 
   ~SMySQL();
 
@@ -63,6 +63,7 @@ private:
   uint16_t d_port;
   bool d_setIsolation;
   bool d_threadCleanup;
+  bool d_clientSSL;
 };
 
 #endif /* SSMYSQL_HH */