Good. Okay, thank you. So I was of course following the documentation. I hope you can figure out how to fix that, I presume this is just a bug that the code is wrong, and the implementation should match the doc? As you suggested, specifying a group causes it to work. That way I won’t have to hard-code a config file path, but I also would rather not have to hard-code a group. “client” is safe for me now I think, but since the documentation suggests multiple groups that are relevant, it’s a small risk to code one that could later change. Thank you for your help. * Chris From: Sergei Golubchik <serg@mariadb.org> Date: Thursday, July 25, 2024 at 11:10 To: Chris Ross (cross2) <cross2@cisco.com> Cc: discuss@lists.mariadb.org <discuss@lists.mariadb.org> Subject: Re: [MariaDB discuss] mariadb connector/c client not using SSL Hi, Chris, On Jul 25, Chris Ross (cross2) wrote:
That’s possible, but given the call to mysql_optionsv(MYSQL_READ_DEFAULT_FILE) it should be. Let me confirm that with strace…
Huh. Thank you. You’re right. It reads shared libs, nsswitch and misc other system data, and openssl.cnf. Never opens my.cnf.
The library is part of a mariadb 10.6.14 installation on the client, and the server seems to be 10.5.21. I don’t know what version of “connector/C” is included with mariadb 10.6.14. Do those map directly?
Yes, they do. 10.6.14 answers both questions. You do mysql_optionsv(conn, MYSQL_READ_DEFAULT_FILE, NULL); but the code in the library looks like if (mysql->options.my_cnf_file || mysql->options.my_cnf_group) { so, NULL means "don't use the file". Documentation says that "If the argument is NULL, then only the default option files are read" which clearly is not quite the case. I'm checking it out and we'll fix the discrepancy. Meanwhile, you can set MYSQL_READ_DEFAULT_GROUP to "client" or "my_app" and I hope it'll read this group in all default files. Regards, Sergei Chief Architect, MariaDB Server and security@mariadb.org
From: Sergei Golubchik <serg@mariadb.org> Date: Thursday, July 25, 2024 at 02:37 To: Chris Ross (cross2) <cross2@cisco.com> Cc: discuss@lists.mariadb.org <discuss@lists.mariadb.org> Subject: Re: [MariaDB discuss] mariadb connector/c client not using SSL Hi, Chris,
It seems that your concern is not "cannot connect with SSL", but "my application doesn't read the config file". You can verify the latter with strace or, easier, by adding some invalid option to the config file and see if there'll be a failure.
Also, what is connector c version and the server version? 3.3 and 10.6?
On Jul 24, Chris Ross (cross2) via discuss wrote:
Hey there. I am trying to get a local application which uses the mariadb client library to connect to a server with SSL.
On my client system, I have added “ssl-ca” and “ssl-verify-server-cert” to the [client] section of my my.cnf. I can see these in effect with both “mariadb --help” and with “my_print_defaults client”. And, using mariadb client itself with all of the right connection parameters (host/port/username/port/schema) it connects just fine.
However, a program of mine which uses mysql_real_connect() fails, reporting “Access denied for user ‘foo’@’ip’ (using password: YES)”. This is, I assume, because the user on the database side requires ssl, and my client is not using ssl.
I’ve added:
(void)mysql_optionsv(conn, MYSQL_READ_DEFAULT_FILE, NULL);
Into my sources before calling mysql_real_connect(). I thought that would make it pull the params from the config file, and all should be good. But, that’s clearly not enough.
Can someone help me figure out what I’m missing? Thank you.