MySQL Forums

Re: MySQL TLS Multi-CA Hierarchy Support Question
Posted by: Georgi Kodinov
Date: February 20, 2017 08:21AM

It will do what the underlying SSL library does. The client does do SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path).

And then, if there's CRL support and a CRL location or file:

X509_STORE_load_locations(store, crl_file, crl_path);
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);

The way I read the OpenSSL docs for these functions, I'd guess the answer to your question is yes, the certificates in the chain are verified for validity too (expiration, valid signatures and revocation if supported).

Otherwise good point on the singular-vs-plural.
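
The chain and CRL behaviour discussed in the post above, reproduced with the `openssl verify` command line as an added example (not part of the original post and not MySQL code). The three-level PKI, file names and helper functions are constructed for the demonstration, and it assumes the `openssl` command (1.1.1 or later) is on PATH; `-CAfile` plays the role of the `ca_file` argument.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (root CA -> intermediate CA -> leaf).
# Every name and file below is made up for the demonstration.

issue() {  # issue <dir> <name> <CN> <issuer> [extra "openssl x509" args]
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -days 2 -out "$1/$2.pem" $5 2>/dev/null
}

make_pki() {  # make_pki <dir>
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
        -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    issue "$1" int "Example Intermediate CA" root "-extfile $1/ca.cnf -extensions v3_ca" &&
    issue "$1" leaf "db.example.test" int &&
    cat "$1/root.pem" "$1/int.pem" > "$1/chain.pem"   # multi-CA bundle, like ca_file
}

# check <dir> <CA file> [verify flags]: prints ok/fail; OpenSSL's reason goes to stderr.
check() {
    pki=$1; cafile=$2; shift 2
    if openssl verify "$@" -CAfile "$pki/$cafile" "$pki/leaf.pem" >/dev/null
    then echo ok; else echo fail; fi
}

d=$(mktemp -d) && make_pki "$d"
echo "root + intermediate trusted:       $(check "$d" chain.pem)"
echo "root only, intermediate missing:   $(check "$d" root.pem)"
# -crl_check_all sets X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL;
# no CRLs are loaded here, so every certificate in the chain fails the lookup.
echo "chain trusted, CRL check, no CRLs: $(check "$d" chain.pem -crl_check_all)"
```

With both CRL flags set, a CRL has to be available for every CA in the chain, not only for the one that issued the server certificate; a missing CRL is a verification failure rather than a skipped check.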
