From aa8072118de7e8e6626732c01bff5fb4cffaa2d0 Mon Sep 17 00:00:00 2001
From: Pierre Goiffon
Date: Wed, 18 Apr 2018 07:26:11 +0000
Subject: [PATCH] =?UTF-8?q?N=C2=B01260=20remove=20db=5Ftls.verify=5Fserver?= =?UTF-8?q?=5Fcert=20:=20the=20server=20cert=20verification=20is=20now=20b?= =?UTF-8?q?ased=20on=20the=20TLS=20CA=20parameter=20value?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SVN:trunk[5683]
---
 core/cmdbsource.class.inc.php | 25 +++++++------------------
 core/config.class.inc.php | 8 --------
 core/mutex.class.inc.php | 9 ++-------
 setup/backup.class.inc.php | 5 ++---
 setup/setuputils.class.inc.php | 4 ++--
 5 files changed, 13 insertions(+), 38 deletions(-)
diff --git a/core/cmdbsource.class.inc.php b/core/cmdbsource.class.inc.php
index 26a368207..0707bfe5a 100644
--- a/core/cmdbsource.class.inc.php
+++ b/core/cmdbsource.class.inc.php
@@ -132,11 +132,6 @@ class CMDBSource
 * @since 2.5 #1260 MySQL TLS first implementation
 */
 protected static $m_sDBTlsCA;
- /**
- * @var boolean
- * @since 2.5 #1260 MySQL TLS first implementation
- */
- protected static $m_bDBTlsVerifyServerCert;
 /** @var mysqli $m_oMysqli */
 protected static $m_oMysqli;
@@ -156,9 +151,8 @@ class CMDBSource
 $sSource = $oConfig->Get('db_name');
 $bTlsEnabled = $oConfig->Get('db_tls.enabled');
 $sTlsCA = $oConfig->Get('db_tls.ca');
- $sTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert');
- self::Init($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, $sTlsVerifyServerCert);
+ self::Init($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA);
 $sCharacterSet = DEFAULT_CHARACTER_SET;
 $sCollation = DEFAULT_COLLATION;
@@ -172,12 +166,11 @@ class CMDBSource
 * @param string $sSource database to use
 * @param bool $bTlsEnabled
 * @param string $sTlsCA
- * @param bool $sTlsVerifyServerCert
 *
 * @throws \MySQLException
 */
 public static function Init(
- $sServer, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCA = null, $sTlsVerifyServerCert = false
+ $sServer, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCA = null
 ) {
 self::$m_sDBHost = $sServer;
@@ -186,10 +179,8 @@ class CMDBSource
 self::$m_sDBName = $sSource;
 self::$m_bDBTlsEnabled = empty($bTlsEnabled) ? false : $bTlsEnabled;
 self::$m_sDBTlsCA = empty($sTlsCA) ? null : $sTlsCA;
- self::$m_bDBTlsVerifyServerCert = empty($sTlsVerifyServerCert) ? null : $sTlsVerifyServerCert;
- self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, true,
- $sTlsVerifyServerCert);
+ self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, true);
 }
 /**
@@ -200,14 +191,12 @@ class CMDBSource
 * @param bool $bTlsEnabled
 * @param string $sTlsCa
 * @param bool $bCheckTlsAfterConnection If true then verify after connection if it is encrypted
- * @param bool $bVerifyTlsServerCert If true then verify server certificate when connecting
 *
 * @return \mysqli
 * @throws \MySQLException
 */
 public static function GetMysqliInstance(
- $sDbHost, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCa = null, $bCheckTlsAfterConnection = false,
- $bVerifyTlsServerCert = false
+ $sDbHost, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCa = null, $bCheckTlsAfterConnection = false
 ) {
 $oMysqli = null;
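Review bot: The `$sTlsCa` / `$sTlsCA` parameters now decide whether the MySQL server certificate is verified at all, but the surviving `@param string $sTlsCa` and `@param string $sTlsCA` docblock lines in the Init and GetMysqliInstance hunks do not say so, so a caller has no way to know that leaving the CA empty downgrades the connection to unverified TLS. Suggest `@param string $sTlsCa path to the CA certificate file; when set the server certificate is verified (MYSQLI_CLIENT_SSL), when empty it is not (MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)` on GetMysqliInstance, and the equivalent wording for `$sTlsCA` on Init. Both method bodies continue past their hunks.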
@@ -228,9 +217,9 @@ class CMDBSource
 if ($bTlsEnabled) {
- $iFlags = ($bVerifyTlsServerCert)
- ? MYSQLI_CLIENT_SSL
- : MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
+ $iFlags = (empty($sTlsCa))
+ ? MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
+ : MYSQLI_CLIENT_SSL;
 $sTlsCert = null; // not implemented
 $sTlsCaPath = null; // not implemented
 $sTlsCipher = null; // not implemented
diff --git a/core/config.class.inc.php b/core/config.class.inc.php
index 83cbd795c..76e617252 100644
--- a/core/config.class.inc.php
+++ b/core/config.class.inc.php
@@ -166,14 +166,6 @@ class Config
 'source_of_value' => '',
 'show_in_conf_sample' => false,
 ),
- 'db_tls.verify_server_cert' => array(
- 'type' => 'bool',
- 'description' => 'Change the TLS flag used to connect : MYSQLI_CLIENT_SSL if true, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT if false (default)',
- 'default' => false,
- 'value' => false,
- 'source_of_value' => '',
- 'show_in_conf_sample' => false,
- ),
 'db_character_set' => array( // @deprecated to remove in 2.7 ? #1001 utf8mb4 switch
 'type' => 'string',
 'description' => 'Deprecated since iTop 2.5 : now using utf8mb4',
diff --git a/core/mutex.class.inc.php b/core/mutex.class.inc.php
index 8e7951c49..48ac15282 100644
--- a/core/mutex.class.inc.php
+++ b/core/mutex.class.inc.php
@@ -42,12 +42,10 @@ class iTopMutex
 protected $sDBSubname;
 protected $bDBTlsEnabled;
 protected $sDBTlsCA;
- protected $bDBTlsVerifyServerCert;
 static protected $aAcquiredLocks = array(); // Number of instances of the Mutex, having the lock, in this page
 public function __construct(
- $sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $bDBTlsEnabled = false, $sDBTlsCA = null,
- $bDBTlsVerifyServerCert = null
+ $sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $bDBTlsEnabled = false, $sDBTlsCA = null
 ) {
 // Compute the name of a lock for mysql
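Review bot: With `$iFlags = (empty($sTlsCa)) ? MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT : MYSQLI_CLIENT_SSL;`, a deployment that sets `db_tls.enabled` but forgets `db_tls.ca` gets an encrypted but unauthenticated connection, and nothing in this hunk records that downgrade; the `$bCheckTlsAfterConnection` path, per its docblock, only confirms the link is encrypted, not that the server was verified. The removed `db_tls.verify_server_cert` description documented the two flags, so after this commit the `db_tls.ca` entry in config.class.inc.php (outside the hunk shown) should carry that information instead, e.g. that setting it is what turns on server certificate verification. I would also add a comment above the assignment, `// Without a CA file the server certificate cannot be checked: the link is encrypted but the server is not authenticated`, and consider logging a warning when the unverified branch is taken so the condition is visible in operations. GetMysqliInstance starts before this hunk and continues after it.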
@@ -65,7 +63,6 @@ class iTopMutex
 $this->bDBTlsEnabled = is_null($bDBTlsEnabled) ? $oConfig->Get('db_tls.enabled') : $bDBTlsEnabled;
 $this->sDBTlsCA = is_null($sDBTlsCA) ? $oConfig->Get('db_tls.ca') : $sDBTlsCA;
- $this->bDBTlsVerifyServerCert = is_null($bDBTlsVerifyServerCert) ? $oConfig->Get('db_tls.verify_server_cert') : $bDBTlsVerifyServerCert;
 $this->sName = $sName;
 if (substr($sName, -strlen($this->sDBName.$sDBSubname)) != $this->sDBName.$sDBSubname)
@@ -235,10 +232,8 @@ class iTopMutex
 $sSource = $this->sDBName;
 $bTlsEnabled = $this->bDBTlsEnabled;
 $sTlsCA = $this->sDBTlsCA;
- $bTlsVerifyServerCert = $this->bDBTlsVerifyServerCert;
- $this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA,
- false, $bTlsVerifyServerCert);
+ $this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, false);
 if (!$this->hDBLink) {
diff --git a/setup/backup.class.inc.php b/setup/backup.class.inc.php
index c516b0545..6e98a1bea 100644
--- a/setup/backup.class.inc.php
+++ b/setup/backup.class.inc.php
@@ -552,12 +552,11 @@ if (class_exists('ZipArchive')) // The setup must be able to start even if the "
 $sSource = $oConfig->Get('db_name');
 $sTlsEnabled = $oConfig->Get('db_tls.enabled');
 $sTlsCA = $oConfig->Get('db_tls.ca');
- $bTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert');
 try {
- $oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsEnabled, $sTlsCA, false,
- $bTlsVerifyServerCert);
+ $oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsEnabled, $sTlsCA,
+ false);
 if ($oMysqli->connect_errno) {
diff --git a/setup/setuputils.class.inc.php b/setup/setuputils.class.inc.php
index 66947c4a9..14f121a0a 100644
--- a/setup/setuputils.class.inc.php
+++ b/setup/setuputils.class.inc.php
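Review bot: In the backup.class.inc.php hunk the new call keeps a line break before `false);` that only existed to make room for the removed `$bTlsVerifyServerCert` argument, so the trailing `false` now sits alone on its own line for no reason. The mutex hunk above writes the same call on one line, and this one should match: `$oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsEnabled, $sTlsCA, false);`. The enclosing try block continues beyond the hunk.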
@@ -1134,7 +1134,7 @@ EOF
 try {
 $oDBSource = new CMDBSource;
- $oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCA, false);
+ $oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCA);
 $aResult['checks'][] = new CheckResult(CheckResult::INFO, "Connection to '$sDBServer' as '$sDBUser' successful.");
 $aResult['checks'][] = new CheckResult(CheckResult::INFO, "Info - User privileges: ".($oDBSource->GetRawPrivileges()));
@@ -1272,7 +1272,7 @@ EOF
 ) {
 $oDBSource = new CMDBSource;
- $oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCa, false);
+ $oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCa);
 $sDBVersion = $oDBSource->GetDBVersion();
 return $sDBVersion;
 }