diff --git a/go/base/context.go b/go/base/context.go
index 9f9de9b..e9991d8 100644
--- a/go/base/context.go
+++ b/go/base/context.go
@@ -94,16 +94,16 @@ type MigrationContext struct {
 AliyunRDS bool
 GoogleCloudPlatform bool
- config ContextConfig
- configMutex *sync.Mutex
- ConfigFile string
- CliUser string
- CliPassword string
- UseTLS bool
- TLSInsecureSkipVerify bool
- TLSCACertificate string
- CliMasterUser string
- CliMasterPassword string
+ config ContextConfig
+ configMutex *sync.Mutex
+ ConfigFile string
+ CliUser string
+ CliPassword string
+ UseTLS bool
+ TLSAllowInsecure bool
+ TLSCACertificate string
+ CliMasterUser string
+ CliMasterPassword string
 HeartbeatIntervalMilliseconds int64
 defaultNumRetries int64
@@ -700,7 +700,7 @@ func (this *MigrationContext) ApplyCredentials() {
 func (this *MigrationContext) SetupTLS() error {
 if this.UseTLS {
- return this.InspectorConnectionConfig.UseTLS(this.TLSCACertificate)
+ return this.InspectorConnectionConfig.UseTLS(this.TLSCACertificate, this.TLSAllowInsecure)
 }
 return nil
 }
diff --git a/go/cmd/gh-ost/main.go b/go/cmd/gh-ost/main.go
index 96bd2dc..b02d6b7 100644
--- a/go/cmd/gh-ost/main.go
+++ b/go/cmd/gh-ost/main.go
@@ -57,7 +57,7 @@ func main() {
 flag.BoolVar(&migrationContext.UseTLS, "ssl", false, "Enable SSL encrypted connections to MySQL hosts")
 flag.StringVar(&migrationContext.TLSCACertificate, "ssl-ca", "", "CA certificate in PEM format for TLS connections to MySQL hosts. Requires --ssl")
- flag.StringVar(&migrationContext.TLSInsecureSkipVerify, "ssl-insecure", false, "Do not verify that the TLS connection is secure. Requires --ssl")
+ flag.BoolVar(&migrationContext.TLSAllowInsecure, "ssl-allow-insecure", false, "Skips verification of MySQL hosts' certificate chain and host name. Requires --ssl")
 flag.StringVar(&migrationContext.DatabaseName, "database", "", "database name (mandatory)")
 flag.StringVar(&migrationContext.OriginalTableName, "table", "", "table name (mandatory)")
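Review bot: SetupTLS in the second context.go hunk now forwards a setting that turns off peer verification, but the method carries no doc comment saying so, and a reader of MigrationContext has only the field name TLSAllowInsecure to go on. I would add above the func line: `// SetupTLS registers a TLS configuration for the inspector connection when UseTLS is set. With TLSAllowInsecure the server certificate chain and host name are not verified and TLSCACertificate is not used.` The struct hunk above it could carry the same sentence as a trailing comment on the TLSAllowInsecure field.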
@@ -202,8 +202,8 @@ func main() {
 if migrationContext.TLSCACertificate != "" && !migrationContext.UseTLS {
 log.Fatalf("--ssl-ca requires --ssl")
 }
- if migrationContext.TLSInsecureSkipVerify && !migrationContext.UseTLS {
- log.Fatalf("--ssl-insecure requires --ssl")
+ if migrationContext.TLSAllowInsecure && !migrationContext.UseTLS {
+ log.Fatalf("--ssl-allow-insecure requires --ssl")
 }
 if *replicationLagQuery != "" {
 log.Warningf("--replication-lag-query is deprecated")
diff --git a/go/mysql/connection.go b/go/mysql/connection.go
index f0f73ce..d6c7215 100644
--- a/go/mysql/connection.go
+++ b/go/mysql/connection.go
@@ -57,11 +57,11 @@ func (this *ConnectionConfig) Equals(other *ConnectionConfig) bool {
 return this.Key.Equals(&other.Key) || this.ImpliedKey.Equals(other.ImpliedKey)
 }
-func (this *ConnectionConfig) UseTLS(caCertificatePath string) error {
+func (this *ConnectionConfig) UseTLS(caCertificatePath string, allowInsecure bool) error {
 var rootCertPool *x509.CertPool
 var err error
- if !this.TLSInsecureSkipVerify {
+ if !allowInsecure {
 if caCertificatePath == "" {
 rootCertPool, err = x509.SystemCertPool()
 if err != nil {
@@ -81,7 +81,7 @@ func (this *ConnectionConfig) UseTLS(caCertificatePath string) error {
 this.tlsConfig = &tls.Config{
 RootCAs: rootCertPool,
- InsecureSkipVerify: this.TLSInsecureSkipVerify,
+ InsecureSkipVerify: allowInsecure,
 }
 return mysql.RegisterTLSConfig(this.Key.StringCode(), this.tlsConfig)
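Review bot: The new --ssl-allow-insecure validation in main.go only rejects the flag when --ssl is absent; it neither tells the operator that the run will proceed without authenticating the MySQL hosts nor that --ssl-ca has no effect in that mode. In connection.go's UseTLS the root pool is only built under `if !allowInsecure {` and the same value is written to InsecureSkipVerify, so passing both `--ssl-ca` and `--ssl-allow-insecure` appears to silently drop the CA. Since log.Warningf is already in scope in this hunk, I would add after the new Fatalf block `if migrationContext.TLSAllowInsecure { log.Warningf("--ssl-allow-insecure: certificate chain and host name of MySQL hosts will not be verified; --ssl-ca is ignored") }`. main's body continues outside the hunk.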
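Review bot: UseTLS is exported and gains a second parameter in this hunk, yet it still has no doc comment stating what allowInsecure does; the value ends up in InsecureSkipVerify in the hunk at line 81, so the contract belongs at the signature. I would add above the func line: `// UseTLS registers a TLS configuration under this connection's key. When allowInsecure is true, caCertificatePath is not consulted and InsecureSkipVerify is set, so the server certificate chain and host name are not verified: the connection is encrypted but the peer is not authenticated.` UseTLS's body continues outside both hunks.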