
Add verify_server_cert support to MySQL source. #24

Merged
merged 1 commit into from
Nov 21, 2019

Conversation

ZxMYS

@ZxMYS ZxMYS commented Nov 20, 2019

This PR continues #20 and adds an option to set MYSQL_OPT_SSL_VERIFY_SERVER_CERT.

I did some tests with my database and it works; without openssl 1.0.2 it won't work in some cases due to https://jira.mariadb.org/browse/MDEV-10594 (and its corresponding https://jira.mariadb.org/browse/CONC-250), but this option should still be useful to many.

The docker image this repo currently uses (manylinux2010) seems to have openssl 1.0.1e - any chance we can get openssl 1.0.2 there?

@googlebot

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.


ℹ️ Googlers: Go here for more info.

@ZxMYS
Author

ZxMYS commented Nov 20, 2019

@googlebot I signed it!

@googlebot

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment @googlebot I fixed it.. If the bot doesn't comment, it means it doesn't think anything has changed.

ℹ️ Googlers: Go here for more info.

@ZxMYS
Author

ZxMYS commented Nov 20, 2019

@googlebot I fixed it.

@googlebot

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

@ZxMYS
Author

ZxMYS commented Nov 20, 2019

@googlebot I consent.

@googlebot

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

Contributor

@hughmiao hughmiao left a comment


thanks @ZxMYS! Some nit comments before merging.

ml_metadata/proto/metadata_store.proto (review comment, outdated)
ml_metadata/metadata_store/mysql_metadata_source.cc (review comment, outdated)
@ZxMYS
Author

ZxMYS commented Nov 21, 2019

thanks, updated!

Contributor

@hughmiao hughmiao left a comment


thanks!

@hughmiao hughmiao merged commit 453d84a into google:master Nov 21, 2019
@hughmiao
Contributor

thanks for the contribution, @ZxMYS. some follow-up questions:

I did some test with my database and it works; Without openssl 1.0.2 it won't work in some cases due to https://jira.mariadb.org/browse/MDEV-10594 (and its corresponding https://jira.mariadb.org/browse/CONC-250), but this option should still be useful to many.

Just to confirm, the change works for you even without upgrading to openssl 1.0.2 in the manylinux2010 image, right?

The docker image this repo currently uses (manylinux2010) seems to have openssl 1.0.1e - any chance we can get openssl 1.0.2 there?

If the 1.0.2 or 1.1.1 (stable) version is required, consider editing the script run in the image. The image is shared by many projects. The upgrade may need to be done in the script by building from openssl source.

[root@805e0b034f46 /]# yum info openssl
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: mirrors.sonic.net
 * centos-sclo-rh: mirror.keystealth.org
 * centos-sclo-sclo: mirror.keystealth.org
 * epel: mirrors.sonic.net
 * extras: mirrors.sonic.net
 * updates: mirror.sfo12.us.leaseweb.net
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 57.el6
Size        : 4.1 M
Repo        : installed
From repo   : CentOS
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

Available Packages
Name        : openssl
Arch        : i686
Version     : 1.0.1e
Release     : 58.el6_10
Size        : 1.5 M
Repo        : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 58.el6_10
Size        : 1.5 M
Repo        : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

@ZxMYS ZxMYS deleted the xzhu/verify_server_cert branch November 22, 2019 02:31
@ZxMYS
Author

ZxMYS commented Nov 22, 2019

@hughmiao Yes, it works without openssl 1.0.2 when I tested with my toy db, where the server cert doesn't rely on SAN. Our prod environment does require SAN though, so I will need a wheel compiled with a newer openssl.
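The SAN limitation raised in the PR description and confirmed in the comment above (without OpenSSL 1.0.2 the connector only compares the certificate's subject CN, so a server certificate that names the host solely in subjectAltName fails even with verify_server_cert on) as an added example, not code from ml-metadata or the MariaDB connector. The certificates are constructed in the dict layout of Python's ssl getpeercert(), and the matching rules are a simplified model of X509_check_host, not the connector's own implementation.

```python
"""CN-only vs SAN-aware hostname verification of a MySQL server certificate.

Added example (not ml-metadata code). Certificates below are constructed
samples in the dict layout returned by ssl.SSLSocket.getpeercert().
"""
import ipaddress


def _match_dns(pattern, hostname):
    """RFC 6125-style match: a single '*' is allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def _subject_cn(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def verify_cn_only(cert, hostname):
    """Legacy fallback used without OpenSSL 1.0.2: only the subject CN is compared,
    so a host named only in subjectAltName is rejected (MDEV-10594 / CONC-250)."""
    cn = _subject_cn(cert)
    return cn is not None and _match_dns(cn, hostname)


def verify_san_aware(cert, hostname):
    """Modern behaviour: SAN entries are authoritative; the CN is consulted only
    when the certificate carries no dNSName or iPAddress SAN at all."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    if not dns_names and not ip_names:
        return verify_cn_only(cert, hostname)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        return any(_match_dns(p, hostname) for p in dns_names)
    return any(ipaddress.ip_address(v) == ip for v in ip_names)


# Constructed sample certificates (not real): a "toy db" cert identified by CN only,
# and a "prod" cert that, like many CA-issued certs, names hosts only via SAN.
TOY_DB_CERT = {"subject": ((("commonName", "toy-db.internal"),),)}
PROD_DB_CERT = {
    "subject": ((("commonName", "MLMD Production MySQL"),),),
    "subjectAltName": (("DNS", "mysql.prod.example.internal"),
                       ("DNS", "*.replica.example.internal"),
                       ("IP Address", "10.0.0.5")),
}
```

Running both checks against the two constructed certificates reproduces the reported split: the CN-only check passes for the toy certificate and fails for the SAN-only production one, while the SAN-aware check passes both.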

@hughmiao
Contributor

thanks, @ZxMYS. The docker image is based on the pypa standard CentOS image with bazel 0.24.1 installed, and each project has its own script to set up the image. You can edit the setup_environment to change its environment by installing packages, so the bazel_build after that line will have the new environment. After the edit, just follow the guide to build the wheel. If the stable openssl version works for your production environment, please feel free to send a PR so other users will benefit from it.

Another thought is to use the grpc server, which can be built and run in your own environment; the python wheel without change can talk to the local server, which then talks to mysql with a secure connection.
