From c0e04a4bd23ba213ab04fd41cce93f28bcc9b989 Mon Sep 17 00:00:00 2001
From: Daniel Hermann
Date: Fri, 19 Jan 2018 11:23:09 +0100
Subject: [PATCH] Introduce SSL option 'verify_identity'
In order to allow clients to verify the server name against a server certificate, this patch adds an option 'ssl_verify_identity' to mysql.connector that calls ssl.match_hostname(...) internally. The option is disabled by default, so the old behaviour is unchanged. Client code must enable the option explicitly.
---
 lib/mysql/connector/connection.py | 1 +
 lib/mysql/connector/constants.py | 1 +
 lib/mysql/connector/network.py | 6 +++++-
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/mysql/connector/connection.py b/lib/mysql/connector/connection.py
index 3cd4b406..72a1aedf 100644
--- a/lib/mysql/connector/connection.py
+++ b/lib/mysql/connector/connection.py
@@ -147,6 +147,7 @@ def _do_auth(self, username=None, password=None, database=None,
 ssl_options.get('cert'),
 ssl_options.get('key'),
 ssl_options.get('verify_cert') or False,
+ ssl_options.get('verify_identity') or False,
 ssl_options.get('cipher'))
 self._ssl_active = True
diff --git a/lib/mysql/connector/constants.py b/lib/mysql/connector/constants.py
index fd9d1a3a..24ef5f7e 100644
--- a/lib/mysql/connector/constants.py
+++ b/lib/mysql/connector/constants.py
@@ -56,6 +56,7 @@
 'ssl_cert': None,
 'ssl_key': None,
 'ssl_verify_cert': False,
+ 'ssl_verify_identity': False,
 'ssl_cipher': None,
 'ssl_disabled': False,
 'passwd': None,
diff --git a/lib/mysql/connector/network.py b/lib/mysql/connector/network.py
index 7c097b79..39dcdb62 100644
--- a/lib/mysql/connector/network.py
+++ b/lib/mysql/connector/network.py
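Review bot: The new value is handed to switch_to_ssl as a bare fifth positional argument, so this call is only correct because the callee happened to insert verify_identity ahead of cipher; passing both by keyword, `verify_identity=ssl_options.get('verify_identity') or False,` and `cipher=ssl_options.get('cipher')`, makes the call site independent of that ordering. It is also not visible in this patch how the `ssl_verify_identity` keyword added in constants.py reaches `ssl_options['verify_identity']`; if the connection's config handling copies ssl_* keys from a fixed list rather than generically, the new option would be silently ignored and a caller who enabled it would get no hostname check at all, so that mapping is worth confirming with a test that asserts match_hostname is actually reached. _do_auth starts and ends outside the hunk.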
@@ -403,7 +403,7 @@ def set_connection_timeout(self, timeout):
 self._connection_timeout = timeout
 # pylint: disable=C0103
- def switch_to_ssl(self, ca, cert, key, verify_cert=False, cipher=None):
+ def switch_to_ssl(self, ca, cert, key, verify_cert=False, verify_identity=False, cipher=None):
 """Switch the socket to use SSL"""
 if not self.sock:
 raise errors.InterfaceError(errno=2048)
@@ -419,12 +419,16 @@ def switch_to_ssl(self, ca, cert, key, verify_cert=False, cipher=None):
 cert_reqs=cert_reqs, do_handshake_on_connect=False,
 ssl_version=ssl.PROTOCOL_TLSv1, ciphers=cipher)
 self.sock.do_handshake()
+ if verify_identity:
+ ssl.match_hostname(self.sock.getpeercert(), self.server_host)
 except NameError:
 raise errors.NotSupportedError(
 "Python installation has no SSL support")
 except (ssl.SSLError, IOError) as err:
 raise errors.InterfaceError(
 errno=2055, values=(self.get_address(), _strioerror(err)))
+ except ssl.CertificateError as err:
+ raise errors.InterfaceError(str(err))
 except NotImplementedError as err:
 raise errors.InterfaceError(str(err))
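Review bot: Inserting verify_identity before cipher changes the meaning of switch_to_ssl's sixth positional argument, so any existing caller that passes cipher positionally would now have its cipher string taken as a truthy verify_identity and silently lose the cipher restriction; appending the new parameter after cipher, or accepting it keyword-only, avoids that. The docstring should state the new contract, e.g. `"""Switch the socket to use SSL. With verify_identity=True the server certificate is also matched against the target host name; this needs verify_cert=True."""`. The new def line also runs well past 79 columns in a file that carries pylint directives, so splitting the parameter list over two lines would keep lint clean. The body of switch_to_ssl continues in the next hunk.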
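Review bot: When verify_identity is set but verify_cert is not, `self.sock.getpeercert()` returns an empty dict (the peer certificate is only retained when the socket was created with CERT_OPTIONAL or CERT_REQUIRED), and `ssl.match_hostname` then raises ValueError rather than CertificateError, which none of the except clauses in this hunk translate, so the caller sees a bare ValueError instead of InterfaceError. A guard before the wrap makes the dependency explicit: `if verify_identity and cert_reqs == ssl.CERT_NONE: raise errors.InterfaceError("ssl_verify_identity requires ssl_verify_cert")`, assuming cert_reqs (assigned above the hunk) is CERT_NONE when verify_cert is False. The `except ssl.CertificateError` clause is placed after `except (ssl.SSLError, IOError)`; on interpreters where CertificateError is a ValueError subclass that order works, but on newer Pythons where it aliases SSLCertVerificationError, itself an SSLError, the earlier branch would catch it first and report it as errno 2055, so listing it before the SSLError clause keeps the intent stable. `self.server_host` is not shown being assigned anywhere in the patch, so confirm the attribute exists on this class before the handshake runs. The try block this hunk belongs to opens above the hunk.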