Merge pull request #648 from sodabrew/ssl_verify

sodabrew · sodabrew · commit e98a004c7795 · 2015-08-04T19:57:50.000-07:00
Add new option :sslverify
diff --git a/README.md b/README.md
@@ -186,7 +186,8 @@ Setting any of the following options will enable an SSL connection, but only if
 your MySQL client library and server have been compiled with SSL support.
 MySQL client library defaults will be used for any parameters that are left out
 or set to nil. Relative paths are allowed, and may be required by managed
-hosting providers such as Heroku.
+hosting providers such as Heroku. Set `:sslverify => true` to require that the
+server presents a valid certificate.
 
 ``` ruby
 Mysql2::Client.new(
@@ -195,7 +196,8 @@ Mysql2::Client.new(
   :sslcert => '/path/to/client-cert.pem',
   :sslca => '/path/to/ca-cert.pem',
   :sslcapath => '/path/to/cacerts',
-  :sslcipher => 'DHE-RSA-AES256-SHA'
+  :sslcipher => 'DHE-RSA-AES256-SHA',
+  :sslverify => true,
   )
 ```
 
diff --git a/lib/mysql2/client.rb b/lib/mysql2/client.rb
@@ -44,6 +44,12 @@ def initialize(opts = {})
       ssl_options = opts.values_at(:sslkey, :sslcert, :sslca, :sslcapath, :sslcipher)
       ssl_set(*ssl_options) if ssl_options.any?
 
+      # SSL verify is a connection flag rather than a mysql_ssl_set option
+      flags = 0
+      flags |= @query_options[:connect_flags]
+      flags |= opts[:flags] if opts[:flags]
+      flags |= SSL_VERIFY_SERVER_CERT if opts[:sslverify] and ssl_options.any?
+
       if [:user,:pass,:hostname,:dbname,:db,:sock].any?{|k| @query_options.has_key?(k) }
         warn "============= WARNING FROM mysql2 ============="
         warn "The options :user, :pass, :hostname, :dbname, :db, and :sock will be deprecated at some point in the future."
@@ -57,7 +63,6 @@ def initialize(opts = {})
       port     = opts[:port]
       database = opts[:database] || opts[:dbname] || opts[:db]
       socket   = opts[:socket] || opts[:sock]
-      flags    = opts[:flags] ? opts[:flags] | @query_options[:connect_flags] : @query_options[:connect_flags]
 
       # Correct the data types before passing these values down to the C level
       user = user.to_s unless user.nil?
