Good.  Okay, thank you.  So I was of course following the documentation.  I hope you can figure out how to fix that, I presume this is just a bug that the code is wrong, and the implementation should match the doc? 

 

As you suggested, specifying a group causes it to work.  That way I won’t have to hard-code a config file path, but I also would rather not have to hard-code a group.  “client” is safe for me now I think, but since the documentation suggests multiple groups that are relevant, it’s a small risk to code one that could later change.

 

Thank you for your help.

 

 

From: Sergei Golubchik <serg@mariadb.org>
Date: Thursday, July 25, 2024 at 11:10
To: Chris Ross (cross2) <cross2@cisco.com>
Cc: discuss@lists.mariadb.org <discuss@lists.mariadb.org>
Subject: Re: [MariaDB discuss] mariadb connector/c client not using SSL

Hi, Chris,

On Jul 25, Chris Ross (cross2) wrote:
> That’s possible, but given the call to
> mysql_optionsv(MYSQL_READ_DEFAULT_FILE) it should be.  Let me confirm
> that with strace…
>
> Huh.  Thank you.  You’re right.  It reads shared libs, nsswitch and
> misc other system data, and openssl.cnf.  Never opens my.cnf.
>
> The library is part of a mariadb 10.6.14 installation on the client,
> and the server seems to be 10.5.21.  I don’t know what version of
> “connector/C” is included with mariadb 10.6.14.  Do those map
> directly?

Yes, they do. 10.6.14 answers both questions.

You do

   mysql_optionsv(conn, MYSQL_READ_DEFAULT_FILE, NULL);

but the code in the library looks like

  if (mysql->options.my_cnf_file || mysql->options.my_cnf_group)
  {

so, NULL means "don't use the file". Documentation says that "If the
argument is NULL, then only the default option files are read" which
clearly is not quite the case. I'm checking it out and we'll fix the
discrepancy.

Meanwhile, you can set MYSQL_READ_DEFAULT_GROUP to "client" or "my_app"
and I hope it'll read this group in all default files.

Regards,
Sergei
Chief Architect, MariaDB Server
and security@mariadb.org

> From: Sergei Golubchik <serg@mariadb.org>
> Date: Thursday, July 25, 2024 at 02:37
> To: Chris Ross (cross2) <cross2@cisco.com>
> Cc: discuss@lists.mariadb.org <discuss@lists.mariadb.org>
> Subject: Re: [MariaDB discuss] mariadb connector/c client not using SSL
> Hi, Chris,
>
> It seems that your concern is not "cannot connect with SSL", but "my
> application doesn't read the config file". You can verify the latter
> with strace or, easier, by adding some invalid option to the config
> file and see if there'll be a failure.
>
> Also, what is connector c version and the server version?
> 3.3 and 10.6?
>
> On Jul 24, Chris Ross (cross2) via discuss wrote:
> > Hey there.  I am trying to get a local application which uses the
> > mariadb client library to connect to a server with SSL.
> >
> > On my client system, I have added “ssl-ca” and
> > “ssl-verify-server-cert” to the [client] section of my my.cnf.  I
> > can see these in effect with both “mariadb --help” and with
> > “my_print_defaults client”.  And, using mariadb client itself with
> > all of the right connection parameters
> > (host/port/username/port/schema) it connects just fine.
> >
> > However, a program of mine which uses mysql_real_connect() fails,
> > reporting “Access denied for user ‘foo’@’ip’ (using password: YES)”.
> > This is, I assume, because the user on the database side requires
> > ssl, and my client is not using ssl.
> >
> > I’ve added:
> >
> >    (void)mysql_optionsv(conn, MYSQL_READ_DEFAULT_FILE, NULL);
> >
> > Into my sources before calling mysql_real_connect().  I thought that
> > would make it pull the params from the config file, and all should
> > be good.  But, that’s clearly not enough.
> >
> > Can someone help me figure out what I’m missing?  Thank you.