Setup default CA path if not provided

dbussink · dbussink · commit d13616468774 · 2021-08-27T11:36:41.000+02:00
This adds setup of a default CA path if there's no path provided by the user. This enables easier configuration of system level CA validation if the MySQL server has a certificate signed by a system root. On more and more cloud based MySQL platforms system signed CA certificates are used and this hides the issue of selecting the appropriate path from the user. The real longer term answer here is that this is a default that changes in libmysqlclient itself. The current situation here is mixed. When using MariaDB (including the changes in #1205), the default system roots are already loaded and used if no CA is provided. On MySQL itself on the other hand, a CA path is required today. I have also opened a PR to improve that, see mysql/mysql-server#358 & https://bugs.mysql.com/bug.php?id=104649.
diff --git a/lib/mysql2/client.rb b/lib/mysql2/client.rb
@@ -46,9 +46,14 @@ def initialize(opts = {})
       # force the encoding to utf8
       self.charset_name = opts[:encoding] || 'utf8'
 
+      mode = parse_ssl_mode(opts[:ssl_mode]) if opts[:ssl_mode]
+      if (mode == SSL_MODE_VERIFY_CA || mode == SSL_MODE_VERIFY_IDENTITY) && !opts[:sslca]
+        opts[:sslca] = find_default_ca_path
+      end
+
       ssl_options = opts.values_at(:sslkey, :sslcert, :sslca, :sslcapath, :sslcipher)
       ssl_set(*ssl_options) if ssl_options.any? || opts.key?(:sslverify)
-      self.ssl_mode = parse_ssl_mode(opts[:ssl_mode]) if opts[:ssl_mode]
+      self.ssl_mode = mode if mode
 
       flags = case opts[:flags]
       when Array
@@ -115,6 +120,18 @@ def parse_flags_array(flags, initial = 0)
       end
     end
 
+    # Find any default system CA paths to handle system roots
+    # by default if stricter validation is requested and no
+    # path is provide.
+    def find_default_ca_path
+      [
+        "/etc/ssl/certs/ca-certificates.crt",
+        "/etc/pki/tls/certs/ca-bundle.crt",
+        "/etc/ssl/ca-bundle.pem",
+        "/etc/ssl/cert.pem",
+      ].find { |f| File.exist?(f) }
+    end
+
     # Set default program_name in performance_schema.session_connect_attrs
     # and performance_schema.session_account_connect_attrs
     def parse_connect_attrs(conn_attrs)
