@@ -46,9 +46,14 @@ def initialize(opts = {})
4646 # force the encoding to utf8
4747 self . charset_name = opts [ :encoding ] || 'utf8'
4848
49+ mode = parse_ssl_mode ( opts [ :ssl_mode ] ) if opts [ :ssl_mode ]
50+ if ( mode == SSL_MODE_VERIFY_CA || mode == SSL_MODE_VERIFY_IDENTITY ) && !opts [ :sslca ]
51+ opts [ :sslca ] = find_default_ca_path
52+ end
53+
4954 ssl_options = opts . values_at ( :sslkey , :sslcert , :sslca , :sslcapath , :sslcipher )
5055 ssl_set ( *ssl_options ) if ssl_options . any? || opts . key? ( :sslverify )
51- self . ssl_mode = parse_ssl_mode ( opts [ :ssl_mode ] ) if opts [ :ssl_mode ]
56+ self . ssl_mode = mode if mode
5257
5358 flags = case opts [ :flags ]
5459 when Array
@@ -115,6 +120,18 @@ def parse_flags_array(flags, initial = 0)
115120 end
116121 end
117122
123+ # Find any default system CA paths to handle system roots
124+ # by default if stricter validation is requested and no
125+ # path is provide.
126+ def find_default_ca_path
127+ [
128+ "/etc/ssl/certs/ca-certificates.crt" ,
129+ "/etc/pki/tls/certs/ca-bundle.crt" ,
130+ "/etc/ssl/ca-bundle.pem" ,
131+ "/etc/ssl/cert.pem" ,
132+ ] . find { |f | File . exist? ( f ) }
133+ end
134+
118135 # Set default program_name in performance_schema.session_connect_attrs
119136 # and performance_schema.session_account_connect_attrs
120137 def parse_connect_attrs ( conn_attrs )
0 commit comments