LLoad
diff --git a/‎cdk/core/session.cc
Lines changed: 0 additions & 5 deletions b/‎cdk/core/session.cc
Lines changed: 0 additions & 5 deletions
diff --git a/‎cdk/foundation/connection_openssl.cc
Lines changed: 14 additions & 0 deletions b/‎cdk/foundation/connection_openssl.cc
Lines changed: 14 additions & 0 deletions
diff --git a/‎cdk/include/mysql/cdk/foundation/connection_openssl.h
Lines changed: 7 additions & 0 deletions b/‎cdk/include/mysql/cdk/foundation/connection_openssl.h
Lines changed: 7 additions & 0 deletions
diff --git a/‎common/session.cc
Lines changed: 9 additions & 10 deletions b/‎common/session.cc
Lines changed: 9 additions & 10 deletions
diff --git a/‎common/settings.h
Lines changed: 0 additions & 35 deletions b/‎common/settings.h
Lines changed: 0 additions & 35 deletions
@@ -307,11 +307,6 @@ Session_builder::tls_connect(Socket_base *connection, const TLS::Options &option
 
   unique_ptr<Socket_base> conn_ptr(connection);
 
-  if (!options.get_ca().empty() &&
-      options.ssl_mode() < TLS::Options::SSL_MODE::VERIFY_CA)
-    throw Error(cdkerrc::generic_error,
-                "ssl-ca set and ssl-mode different than VERIFY_CA or VERIFY_IDENTITY");
-
   if (options.ssl_mode() >= TLS::Options::SSL_MODE::VERIFY_CA &&
       options.get_ca().empty())
     throw Error(cdkerrc::generic_error,
 
@@ -609,6 +609,20 @@ void connection_TLS_impl::do_connect()
             m_options.get_ca_path().empty()
             ? NULL : m_options.get_ca_path().c_str()) == 0)
         throw_openssl_error();
+
+      if (!m_options.get_crl().empty() || !m_options.get_crl_path().empty())
+      {
+        X509_STORE *store = SSL_CTX_get_cert_store(m_tls_ctx);
+        /* Load crls from the trusted ca */
+        if (X509_STORE_load_locations(
+              store,
+              m_options.get_crl().c_str(),
+              m_options.get_crl_path().c_str()) == 0 ||
+            X509_STORE_set_flags(
+              store,
+              X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL) == 0)
+          throw_openssl_error();
+      }
     }
     else
     {
 
@@ -146,8 +146,13 @@ class TLS::Options
   void set_ca(const string &ca) { m_ca = ca; }
   void set_ca_path(const string &ca_path) { m_ca_path = ca_path; }
 
+  void set_crl(const string &crl) { m_crl = crl; }
+  void set_crl_path(const string &crl_path) { m_crl_path = crl_path; }
+
   const std::string &get_ca() const { return m_ca; }
   const std::string &get_ca_path() const { return m_ca_path; }
+  const std::string &get_crl() const { return m_crl; }
+  const std::string &get_crl_path() const { return m_crl_path; }
   const std::string &get_host_name() const { return m_host_name; }
 
   void set_host_name(const std::string &host_name)
@@ -181,6 +186,8 @@ class TLS::Options
   std::string m_key;
   std::string m_ca;
   std::string m_ca_path;
+  std::string m_crl;
+  std::string m_crl_path;
   std::string m_host_name;
   TLS_versions_list m_tls_versions;
   TLS_ciphersuites_list m_tls_ciphersuites;
 
@@ -323,8 +323,7 @@ void prepare_options(
   // Set TLS options
 
   /*
-    By default ssl-mode is REQUIRED. If ssl-mode was not explicitly set but
-    ssl-ca was, then mode defaults to VERIFY_CA.
+    By default ssl-mode is REQUIRED.
   */
 
   unsigned mode = unsigned(SSL_mode::REQUIRED);
@@ -335,25 +334,18 @@ void prepare_options(
     mode_set = true;
     mode = (unsigned)settings.get(Option::SSL_MODE).get_uint();
   }
-  else if (settings.has_option(Option::SSL_CA))
-  {
-    mode_set = true;
-    mode = unsigned(SSL_mode::VERIFY_CA);
-  }
 
   if (socket && mode_set && mode >= unsigned(SSL_mode::REQUIRED))
   {
     throw_error("SSL connection over Unix domain socket requested.");
   }
 
+#ifdef WITH_SSL
   if (unsigned(SSL_mode::DISABLED) == mode)
   {
-#ifdef WITH_SSL
     opts.set_tls(TLS_options::SSL_MODE::DISABLED);
-#endif
   }
   else
-#ifdef WITH_SSL
   {
     socket = true;  // so that PLAIN auth method is used below
 
@@ -398,6 +390,13 @@ void prepare_options(
 
     if (settings.has_option(Option::SSL_CA))
       tls_opt.set_ca(settings.get(Option::SSL_CA).get_string());
+    if(settings.has_option(Option::SSL_CAPATH))
+      tls_opt.set_ca_path(settings.get(Option::SSL_CAPATH).get_string());
+    if (settings.has_option(Option::SSL_CRL))
+      tls_opt.set_crl(settings.get(Option::SSL_CRL).get_string());
+    if(settings.has_option(Option::SSL_CRLPATH))
+      tls_opt.set_crl_path(settings.get(Option::SSL_CRLPATH).get_string());
+
     opts.set_tls(tls_opt);
   }
 #endif
 
@@ -768,17 +768,6 @@ Settings_impl::Setter::set_option<Settings_impl::Session_option_impl::SSL_MODE>(
     throw_error("secure connection requested but SSL is not supported")
 #endif
 
-  switch (m_data.m_ssl_mode)
-  {
-  case SSL_mode::VERIFY_CA:
-  case SSL_mode::VERIFY_IDENTITY:
-    break;
-
-  default:
-    if (m_data.m_ssl_ca)
-      throw_error("SSL_MODE ... not valid when SSL_CA is set");
-  }
-
   add_option(Session_option_impl::SSL_MODE, val);
 }
 
@@ -793,17 +782,6 @@ Settings_impl::Setter::set_option<Settings_impl::Session_option_impl::SSL_CA>(
   throw_error("SSL_CA option specified but SSL is not supported")
 #endif
 
-  switch (m_data.m_ssl_mode)
-  {
-  case SSL_mode::VERIFY_CA:
-  case SSL_mode::VERIFY_IDENTITY:
-  case SSL_mode::LAST:
-    break;
-
-  default:
-    throw_error("SSL_CA option is not compatible with SSL_MODE ...");
-  }
-
   m_data.m_ssl_ca = true;
   add_option(Session_option_impl::SSL_CA, val);
 }
@@ -1127,19 +1105,6 @@ void Settings_impl::Setter::add_option(int opt, const T &val)
       m_opt_set.insert(opt);  // needed for double check when m_multi is false
       return;
     }
-    // if multi mode not enabled, fall-through to check for doubled option
-
-  default:
-    // Check for doubled option
-    if (0 < m_opt_set.count(opt))
-    {
-      std::string msg = "Option ";
-      msg += option_name(opt);
-      msg += " defined twice";
-      throw_error(msg.c_str());
-      return;
-    }
-    m_opt_set.insert(opt);
   }
 
   auto it = options.begin();