db_mysql: enable TLS when building with mariadb-connector-c #3734

Merged
merged 2 commits into from
Jan 30, 2024


space88man
Contributor

@space88man space88man commented Jan 30, 2024

Pre-Submission Checklist

  • Commit message has the format required by CONTRIBUTING guide
  • Commits are split per component (core, individual modules, libs, utils, ...)
  • Each component has a single commit (if not, squash them into one commit)
  • No commits to README files for modules (changes must be done to docbook files
    in doc/ subfolder, the README file is autogenerated)

Type Of Change

  • Small bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds new functionality)
  • Breaking change (fix or feature that would change existing functionality)

Checklist:

Description

When db_mysql is built with mariadb-connector-c it does not use TLS and fails if the server requires TLS. It seems to be related to the fact that the MYSQL object needs to have a minimal non-NULL configuration (unlike MySQL Connector/C).

This is a minimal setting to allow TLS. A more full-featured solution would be to enable db_mysql to read from an external configuration file.

@linuxmaniac, kindly take a look

UPDATE: the flag is MYSQL_OPT_SSL_ENFORCE, which uses TLS if the server advertises it. It does not make TLS mandatory (i.e. doesn't fail if the server has no TLS).

UPDATE: reuse module param opt_ssl_mode to configure MariaDB Connector/C.

Use existing opt_ssl_mode and map as follows:

  1. 0(off), 1(SSL_MODE_DISABLED): mariadb-connector-c defaults
  2. 2(SSL_MODE_PREFERRED) 3(SSL_MODE_REQUIRED) 4(SSL_MODE_VERIFY_CA): MYSQL_OPT_SSL_ENFORCE
  3. 5(SSL_MODE_VERIFY_IDENTITY): MYSQL_OPT_SSL_VERIFY_SERVER_CERT

@linuxmaniac
Member

But then, is the connection still possible without TLS or are we forcing that the server would support TLS?

@space88man
Contributor Author

space88man commented Jan 30, 2024

> But then, is the connection still possible without TLS or are we forcing that the server would support TLS?

Yes, connection is possible if the server doesn't enforce TLS — the connection will use plain TCP.
The client needs to set MYSQL_OPT_SSL_ENFORCE MYSQL_OPT_SSL_VERIFY_SERVER_CERT to force the server to have TLS.

MYSQL_OPT_SSL_ENFORCE is badly named - it means: use TLS if server has TLS; it doesn't actually require TLS from server.

- mariadb-connector-c requires at least one non-NULL configuration
  value to use TLS
- emulate MySQL SSL_MODE_XXXX options
@linuxmaniac
Member

Much better now, @space88man. Thanks for taking care.

@linuxmaniac linuxmaniac merged commit 2bcc32a into kamailio:master Jan 30, 2024
4 checks passed
@space88man space88man deleted the fix-mariadb branch February 16, 2024 07:07
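
A post-connect check that follows from the opt_ssl_mode mapping and the plaintext fallback described in this thread, added here as an example and not part of the PR or of Kamailio's code: it rejects a session that came up unencrypted when the operator configured mode 3 or higher. The enum and function names are hypothetical, and the caller is assumed to pass in the value returned by the connector's `mysql_get_ssl_cipher()`.

```c
#include <stddef.h>

/* opt_ssl_mode values as listed in the PR description. */
enum ssl_mode { MODE_OFF = 0, MODE_DISABLED = 1, MODE_PREFERRED = 2,
                MODE_REQUIRED = 3, MODE_VERIFY_CA = 4, MODE_VERIFY_IDENTITY = 5 };

/* Stand-ins (hypothetical names) for the connector setting each mode maps to;
 * real code would use the constants from the connector's mysql.h. */
enum conn_opt { OPT_DEFAULTS, OPT_SSL_ENFORCE, OPT_SSL_VERIFY_SERVER_CERT, OPT_INVALID };

enum verdict { CONN_OK, CONN_OK_PLAINTEXT, CONN_REJECT };

/* Mapping stated in the PR description. */
enum conn_opt map_ssl_mode(int mode)
{
    switch (mode) {
    case MODE_OFF: case MODE_DISABLED:
        return OPT_DEFAULTS;
    case MODE_PREFERRED: case MODE_REQUIRED: case MODE_VERIFY_CA:
        return OPT_SSL_ENFORCE;
    case MODE_VERIFY_IDENTITY:
        return OPT_SSL_VERIFY_SERVER_CERT;
    default:
        return OPT_INVALID;
    }
}

/* Post-connect audit. `cipher` is the string mysql_get_ssl_cipher() returned
 * for the established session; NULL or "" means the session is not encrypted. */
enum verdict audit_connection(int mode, const char *cipher)
{
    int encrypted = (cipher != NULL && cipher[0] != '\0');

    if (map_ssl_mode(mode) == OPT_INVALID)
        return CONN_REJECT;          /* unknown mode: fail closed */
    if (encrypted)
        return CONN_OK;
    /* Plaintext session: tolerated only when the configured mode does not
     * ask for mandatory TLS (0, 1, 2). Modes 3-5 must not fall back. */
    return (mode >= MODE_REQUIRED) ? CONN_REJECT : CONN_OK_PLAINTEXT;
}
```

This confirms only that the session is encrypted; it says nothing about whether the server certificate was validated.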