diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md
index 1b61e7dab..d13bcd1c3 100644
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@@ -1871,11 +1871,14 @@ larger than 0.
 ### `ssl_verify_peer_certificate`
-Peer certificate verification. This functionality is enabled by default.
+Peer certificate verification. This functionality is disabled by default. In
+versions prior to 2.3.17 the feature was enabled by default.
-When this feature is enabled, the certificate sent by the peer is verified
-against the configured Certificate Authority. If you are using self-signed
-certificates, set `ssl_verify_peer_certificate=false`.
+When this feature is enabled, the peer must send a certificate. The certificate
+sent by the peer is verified against the configured Certificate Authority to
+make sure the peer is who they claim to be. For listeners, this behaves as if
+`REQUIRE X509` was defined for all users. For servers, this behaves like the
+`--ssl-verify-server-cert` command line option for the `mysql` client.
 #### Example SSL enabled server configuration
diff --git a/server/core/config.cc b/server/core/config.cc
index 080b469e0..67f5d4ece 100644
--- a/server/core/config.cc
+++ b/server/core/config.cc
@@ -342,7 +342,7 @@ const MXS_MODULE_PARAM config_listener_params[] =
 MXS_MODULE_OPT_ENUM_UNIQUE,
 ssl_version_values},
 {CN_SSL_CERT_VERIFY_DEPTH, MXS_MODULE_PARAM_COUNT, "9"},
- {CN_SSL_VERIFY_PEER_CERTIFICATE, MXS_MODULE_PARAM_BOOL, "true"},
+ {CN_SSL_VERIFY_PEER_CERTIFICATE, MXS_MODULE_PARAM_BOOL, "false"},
 {NULL}
 };
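Review bot: Flipping the default of CN_SSL_VERIFY_PEER_CERTIFICATE to "false" here (and identically in config_server_params at @@ -421) silently downgrades every existing listener or server section that enables SSL without setting ssl_verify_peer_certificate explicitly: after upgrading, the peer certificate is no longer checked against the configured CA, and nothing in the new code makes that visible. Consider logging a warning at config load when SSL is enabled and the key is absent from the section, so operators relying on the previous default notice the change at startup rather than in a later audit. A comment beside the entry would also help future readers, e.g. `// Default changed from "true" to "false" in 2.3.17; see ssl_verify_peer_certificate in the Configuration Guide.` The config_listener_params array itself begins before the hunk.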
@@ -421,7 +421,7 @@ const MXS_MODULE_PARAM config_server_params[] =
 MXS_MODULE_OPT_ENUM_UNIQUE,
 ssl_version_values},
 {CN_SSL_CERT_VERIFY_DEPTH, MXS_MODULE_PARAM_COUNT, "9"},
- {CN_SSL_VERIFY_PEER_CERTIFICATE, MXS_MODULE_PARAM_BOOL, "true"},
+ {CN_SSL_VERIFY_PEER_CERTIFICATE, MXS_MODULE_PARAM_BOOL, "false"},
 {CN_DISK_SPACE_THRESHOLD, MXS_MODULE_PARAM_STRING},
 {NULL}
 };