MySQL TLS connection support with verify-server-cert=false #2475

Closed
tomaskir opened this Issue Feb 10, 2019 · 5 comments


tomaskir commented Feb 10, 2019

This is a feature request to support TLS connections towards MySQL databases without checking the cert of the MySQL server.

Affected modules: rlm_sql_mysql
It should be fairly simple to modify rlm_sql_mysql.c around lines 72 and 183.

From user-facing perspective, modifying mods-available/sql like this would be useful:

...
        mysql {
                tls {
                        verify_server_certificate = yes
...

User could then set verify_server_certificate = no, and not set ca_* and other options, but still have TLS connections to the MySQL server.

The point of this request is to make it easier and faster to deploy TLS connections towards MySQL.
(of course at the cost of compromising security by not validating the server cert)

Why would this be useful?

This is useful in test and dev environments so certs don't have to be transferred around.
Also useful when orchestrating docker deploys for test/dev purposes and wanting to use TLS but not validate the certs.

Basically any automated temporary deployment (as mentioned, for test/dev) would be much easier and faster having this option.

alandekok commented Feb 10, 2019

Sure. We welcome a patch if it's simple.

tomaskir commented Feb 10, 2019

Sadly, I am not a C / C++ developer - the code is simple to understand, but modifying it is a different thing.

I can attempt this, but I will not have a way to test if the build passes or not.
(I don't have a build environment for FreeRADIUS set up, nor have I ever set one up)

I can however submit a PR that someone can review and fix any errors.
Are there any tests that need to be looked at / fixed / amended after changing the related code?

arr2036 commented Feb 11, 2019

82f7738

Here's something that should work for the master branch.

tomaskir commented Feb 12, 2019

Thank you for that, it was enough to get us going.
I have asked a friend who is a C++ dev to help out.

There should now be PRs in both master and v3.0.x branches that have working and tested code.

Config that works:

        mysql {
                tls {
                        tls_required = yes
                        tls_check_cert = no
                        tls_check_cert_cn = no
                }
        }

It was tested against MariaDB 10.3 with a self-signed cert used for TLS and username/password auth used against the DB.
(neither of these was previously possible, only client-cert auth with server cert validation was possible)
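A check for the configuration the thread arrives at, added here as an example (not FreeRADIUS code): it parses the mysql { tls { ... } } block in the style shown above and flags tls_check_cert = no and tls_check_cert_cn = no, the two settings that let a spoofed server terminate the TLS session, so the shortcut can be confined to disposable test/dev deployments. Option names tls_required, tls_check_cert and tls_check_cert_cn are from the thread; ca_file, ca_path and the sample path are assumptions.

```python
# Constructed samples: the block posted in the thread, plus an assumed hardened variant.
DEV_CONFIG = """
        mysql {
                tls {
                        tls_required = yes
                        tls_check_cert = no
                        tls_check_cert_cn = no
                }
        }
"""
PROD_CONFIG = """
        mysql {
                tls {
                        ca_file = /etc/ssl/certs/db-ca.pem   # assumed option name and path
                        tls_required = yes
                        tls_check_cert = yes
                        tls_check_cert_cn = yes
                }
        }
"""

def parse_config(text):
    """Parse FreeRADIUS-style nested `name { key = value }` blocks into dicts."""
    stack = [{}]  # stack[0] is the root; deeper blocks are pushed as they open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and indentation
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip().strip('"')
    return stack[0]

def audit_mysql_tls(text):
    """Return findings for the mysql { tls { ... } } section; an empty list means hardened."""
    tls = parse_config(text).get("mysql", {}).get("tls", {})
    findings = []
    if tls.get("tls_required") != "yes":
        findings.append("tls_required is not yes: DB credentials may travel in plaintext")
    if tls.get("tls_check_cert") == "no":
        findings.append("tls_check_cert = no: any certificate is accepted, so an on-path host can pose as the DB")
    elif not (tls.get("ca_file") or tls.get("ca_path")):
        findings.append("no ca_file/ca_path: certificate checking has no trust anchor")
    if tls.get("tls_check_cert_cn") == "no":
        findings.append("tls_check_cert_cn = no: a valid certificate for another host is accepted")
    return findings
```

Running audit_mysql_tls over the dev block yields two findings and over the hardened block none, which is the split a deployment pipeline can gate on.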

tomaskir commented Feb 12, 2019

As the PRs were now merged, this can be closed.

alandekok closed this Feb 12, 2019
