CA verification not respected when `ssl_mode` flag is passed

brianmario / mysql2

A modern, simple and very fast Mysql library for Ruby - binding to libmysql

http://github.com/brianmario/mysql2

MIT License

2.25k stars 550 forks source link

CA verification not respected when `ssl_mode` flag is passed #936

Open pivotal-jamil-shamy opened 6 years ago

pivotal-jamil-shamy commented 6 years ago

Prerequisites:

MYSQL2 GEM is linked against MariaDB Connector/C 3.0.2

Issue:

When trying to establish a connection as below, even when giving an incorrect CA that did not sign the server certificate, a connection is established successfully:

:ssl_mode => "verify_ca",  :sslca => "path-to-incorrect-ca"

Any reason why this could be happening ?

bwinter commented 6 years ago

The MariaDB Connector doesn't support :ssl_mode / partial validation; so, the CA is just ignored without the :verifyssl flag.

sodabrew commented 5 years ago

There's a warning for MySQL < 5.7.11 that :ssl_mode is only partially supported. Should there be an equivalent warning for certain versions of MariaDB? All versions of MariaDB?

Answering my own question by linking to https://github.com/brianmario/mysql2/issues/879#issuecomment-437951093