Set TLS options BEFORE calling mysql_ssl_set(). Probably helps fixing issue #1768

2025-08-26 03:01:07 +08:00 · 2024-05-18 17:40:34 +02:00
parent 6fac701ad6
commit a378e6ec94
3 changed files with 19 additions and 11 deletions
--- a/source/dbconnection.pas
+++ b/source/dbconnection.pas
@ -2379,6 +2379,13 @@ begin
    FinalPort := FParameters.Port;

    if FParameters.WantSSL then begin
+      // Define which TLS protocol versions are allowed BEFORE calling mysql_ssl_set().
+      // See https://www.heidisql.com/forum.php?t=27158
+      // See https://mariadb.com/kb/en/library/mysql_optionsv/
+      // See issue #1768
+      // See https://mariadb.com/kb/en/mysql_ssl_set/
+      SetOptionResult := FLib.mysql_options(FHandle, Integer(MARIADB_OPT_TLS_VERSION), PAnsiChar('TLSv1,TLSv1.1,TLSv1.2,TLSv1.3'));
+      SetOptionResult := SetOptionResult + FLib.mysql_options(FHandle, Integer(MYSQL_OPT_TLS_VERSION), PAnsiChar('TLSv1,TLSv1.1,TLSv1.2,TLSv1.3'));
      // mysql_ssl_set() wants nil, while PAnsiChar(AnsiString()) is never nil
      sslkey := nil;
      sslcert := nil;
@ -2393,13 +2400,17 @@ begin
      if FParameters.SSLCipher <> '' then
        sslcipher := PAnsiChar(AnsiString(FParameters.SSLCipher));
      { TODO : Use Cipher and CAPath parameters }
-      FLib.mysql_ssl_set(FHandle,
+      SetOptionResult := SetOptionResult + FLib.mysql_ssl_set(FHandle,
        sslkey,
        sslcert,
        sslca,
        nil,
        sslcipher);
-      Log(lcInfo, _('SSL parameters successfully set.'));
+      if SetOptionResult = 0 then
+        Log(lcInfo, _('SSL parameters successfully set.'))
+      else
+        Log(lcError, f_('SSL parameters not fully set. Result: %d', [SetOptionResult]));
+      SetOptionResult := 0;
    end;

    case FParameters.NetType of
@ -2451,12 +2462,6 @@ begin
      raise EDbError.Create(f_('Plugin directory %s could not be set.', [PluginDir]));
    end;

-    // Define which TLS protocol versions are allowed.
-    // See https://www.heidisql.com/forum.php?t=27158
-    // See https://mariadb.com/kb/en/library/mysql_optionsv/
-    FLib.mysql_options(FHandle, Integer(MARIADB_OPT_TLS_VERSION), PAnsiChar('TLSv1,TLSv1.1,TLSv1.2,TLSv1.3'));
-    FLib.mysql_options(FHandle, Integer(MYSQL_OPT_TLS_VERSION), PAnsiChar('TLSv1,TLSv1.1,TLSv1.2,TLSv1.3'));
-
    // Enable cleartext plugin
    if Parameters.CleartextPluginEnabled then
      FLib.mysql_options(FHandle, Integer(MYSQL_ENABLE_CLEARTEXT_PLUGIN), PAnsiChar('1'));
--- a/source/dbstructures.mysql.pas
+++ b/source/dbstructures.mysql.pas
@ -358,7 +358,7 @@ type
    mysql_ping: function(Handle: PMYSQL): Integer; stdcall;
    mysql_real_connect: function(Handle: PMYSQL; const Host, User, Passwd, Db: PAnsiChar; Port: Cardinal; const UnixSocket: PAnsiChar; ClientFlag: Cardinal): PMYSQL; stdcall;
    mysql_real_query: function(Handle: PMYSQL; const Query: PAnsiChar; Length: Cardinal): Integer; stdcall;
-    mysql_ssl_set: function(Handle: PMYSQL; const key, cert, CA, CApath, cipher: PAnsiChar): Byte; stdcall;
+    mysql_ssl_set: function(Handle: PMYSQL; const key, cert, CA, CApath, cipher: PAnsiChar): Integer; stdcall;
    mysql_stat: function(Handle: PMYSQL): PAnsiChar; stdcall;
    mysql_store_result: function(Handle: PMYSQL): PMYSQL_RES; stdcall;
    mysql_thread_id: function(Handle: PMYSQL): Cardinal; stdcall;