N°1260 remove db_tls.verify_server_cert : the server cert verification is now based on the TLS CA parameter value

SVN:trunk[5683]
Pierre Goiffon
2018-04-18 07:26:11 +00:00
parent f07bbfa174
commit aa8072118d
5 changed files with 13 additions and 38 deletions


@@ -132,11 +132,6 @@ class CMDBSource
* @since 2.5 #1260 MySQL TLS first implementation * @since 2.5 #1260 MySQL TLS first implementation
*/ */
protected static $m_sDBTlsCA; protected static $m_sDBTlsCA;
/**
* @var boolean
* @since 2.5 #1260 MySQL TLS first implementation
*/
protected static $m_bDBTlsVerifyServerCert;
/** @var mysqli $m_oMysqli */ /** @var mysqli $m_oMysqli */
protected static $m_oMysqli; protected static $m_oMysqli;
@@ -156,9 +151,8 @@ class CMDBSource
$sSource = $oConfig->Get('db_name'); $sSource = $oConfig->Get('db_name');
$bTlsEnabled = $oConfig->Get('db_tls.enabled'); $bTlsEnabled = $oConfig->Get('db_tls.enabled');
$sTlsCA = $oConfig->Get('db_tls.ca'); $sTlsCA = $oConfig->Get('db_tls.ca');
$sTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert');
self::Init($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, $sTlsVerifyServerCert); self::Init($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA);
$sCharacterSet = DEFAULT_CHARACTER_SET; $sCharacterSet = DEFAULT_CHARACTER_SET;
$sCollation = DEFAULT_COLLATION; $sCollation = DEFAULT_COLLATION;
@@ -172,12 +166,11 @@ class CMDBSource
* @param string $sSource database to use * @param string $sSource database to use
* @param bool $bTlsEnabled * @param bool $bTlsEnabled
* @param string $sTlsCA * @param string $sTlsCA
* @param bool $sTlsVerifyServerCert
* *
* @throws \MySQLException * @throws \MySQLException
*/ */
public static function Init( public static function Init(
$sServer, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCA = null, $sTlsVerifyServerCert = false $sServer, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCA = null
) )
{ {
self::$m_sDBHost = $sServer; self::$m_sDBHost = $sServer;
@@ -186,10 +179,8 @@ class CMDBSource
self::$m_sDBName = $sSource; self::$m_sDBName = $sSource;
self::$m_bDBTlsEnabled = empty($bTlsEnabled) ? false : $bTlsEnabled; self::$m_bDBTlsEnabled = empty($bTlsEnabled) ? false : $bTlsEnabled;
self::$m_sDBTlsCA = empty($sTlsCA) ? null : $sTlsCA; self::$m_sDBTlsCA = empty($sTlsCA) ? null : $sTlsCA;
self::$m_bDBTlsVerifyServerCert = empty($sTlsVerifyServerCert) ? null : $sTlsVerifyServerCert;
self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, true, self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, true);
$sTlsVerifyServerCert);
} }
/** /**
@@ -200,14 +191,12 @@ class CMDBSource
* @param bool $bTlsEnabled * @param bool $bTlsEnabled
* @param string $sTlsCa * @param string $sTlsCa
* @param bool $bCheckTlsAfterConnection If true then verify after connection if it is encrypted * @param bool $bCheckTlsAfterConnection If true then verify after connection if it is encrypted
* @param bool $bVerifyTlsServerCert If true then verify server certificate when connecting
* *
* @return \mysqli * @return \mysqli
* @throws \MySQLException * @throws \MySQLException
*/ */
public static function GetMysqliInstance( public static function GetMysqliInstance(
$sDbHost, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCa = null, $bCheckTlsAfterConnection = false, $sDbHost, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCa = null, $bCheckTlsAfterConnection = false
$bVerifyTlsServerCert = false
) { ) {
$oMysqli = null; $oMysqli = null;
@@ -228,9 +217,9 @@ class CMDBSource
if ($bTlsEnabled) if ($bTlsEnabled)
{ {
$iFlags = ($bVerifyTlsServerCert) $iFlags = (empty($sTlsCa))
? MYSQLI_CLIENT_SSL ? MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
: MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT; : MYSQLI_CLIENT_SSL;
$sTlsCert = null; // not implemented $sTlsCert = null; // not implemented
$sTlsCaPath = null; // not implemented $sTlsCaPath = null; // not implemented
$sTlsCipher = null; // not implemented $sTlsCipher = null; // not implemented
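Review bot: The flag selection in GetMysqliInstance now turns off server certificate verification whenever `$bTlsEnabled` is true and `$sTlsCa` is empty, so an installation that previously set `db_tls.verify_server_cert => true` without a `db_tls.ca` value appears to be downgraded to an encrypted-but-unverified connection on upgrade, with nothing logged to show it. A warning (or a setup check) when TLS is enabled without a CA would make that visible, and since `MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT` is documented as honoured only by mysqlnd, the behaviour on libmysqlclient builds should be confirmed. The `@param string $sTlsCa` docblock line earlier in this section (and the `db_tls.ca` description in Config, outside this diff) should state the new contract, e.g. `@param string $sTlsCa CA file path; when non-empty the server certificate is verified against it, when empty it is NOT verified`. The body of GetMysqliInstance continues outside the hunk.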


@@ -166,14 +166,6 @@ class Config
'source_of_value' => '', 'source_of_value' => '',
'show_in_conf_sample' => false, 'show_in_conf_sample' => false,
), ),
'db_tls.verify_server_cert' => array(
'type' => 'bool',
'description' => 'Change the TLS flag used to connect : MYSQLI_CLIENT_SSL if true, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT if false (default)',
'default' => false,
'value' => false,
'source_of_value' => '',
'show_in_conf_sample' => false,
),
'db_character_set' => array( // @deprecated to remove in 2.7 ? #1001 utf8mb4 switch 'db_character_set' => array( // @deprecated to remove in 2.7 ? #1001 utf8mb4 switch
'type' => 'string', 'type' => 'string',
'description' => 'Deprecated since iTop 2.5 : now using utf8mb4', 'description' => 'Deprecated since iTop 2.5 : now using utf8mb4',


@@ -42,12 +42,10 @@ class iTopMutex
protected $sDBSubname; protected $sDBSubname;
protected $bDBTlsEnabled; protected $bDBTlsEnabled;
protected $sDBTlsCA; protected $sDBTlsCA;
protected $bDBTlsVerifyServerCert;
static protected $aAcquiredLocks = array(); // Number of instances of the Mutex, having the lock, in this page static protected $aAcquiredLocks = array(); // Number of instances of the Mutex, having the lock, in this page
public function __construct( public function __construct(
$sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $bDBTlsEnabled = false, $sDBTlsCA = null, $sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $bDBTlsEnabled = false, $sDBTlsCA = null
$bDBTlsVerifyServerCert = null
) )
{ {
// Compute the name of a lock for mysql // Compute the name of a lock for mysql
@@ -65,7 +63,6 @@ class iTopMutex
$this->bDBTlsEnabled = is_null($bDBTlsEnabled) ? $oConfig->Get('db_tls.enabled') : $bDBTlsEnabled; $this->bDBTlsEnabled = is_null($bDBTlsEnabled) ? $oConfig->Get('db_tls.enabled') : $bDBTlsEnabled;
$this->sDBTlsCA = is_null($sDBTlsCA) ? $oConfig->Get('db_tls.ca') : $sDBTlsCA; $this->sDBTlsCA = is_null($sDBTlsCA) ? $oConfig->Get('db_tls.ca') : $sDBTlsCA;
$this->bDBTlsVerifyServerCert = is_null($bDBTlsVerifyServerCert) ? $oConfig->Get('db_tls.verify_server_cert') : $bDBTlsVerifyServerCert;
$this->sName = $sName; $this->sName = $sName;
if (substr($sName, -strlen($this->sDBName.$sDBSubname)) != $this->sDBName.$sDBSubname) if (substr($sName, -strlen($this->sDBName.$sDBSubname)) != $this->sDBName.$sDBSubname)
@@ -235,10 +232,8 @@ class iTopMutex
$sSource = $this->sDBName; $sSource = $this->sDBName;
$bTlsEnabled = $this->bDBTlsEnabled; $bTlsEnabled = $this->bDBTlsEnabled;
$sTlsCA = $this->sDBTlsCA; $sTlsCA = $this->sDBTlsCA;
$bTlsVerifyServerCert = $this->bDBTlsVerifyServerCert;
$this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, $this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, false);
false, $bTlsVerifyServerCert);
if (!$this->hDBLink) if (!$this->hDBLink)
{ {
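Review bot: In the rewritten constructor signature `$bDBTlsEnabled = false` makes the `is_null($bDBTlsEnabled) ? $oConfig->Get('db_tls.enabled') : $bDBTlsEnabled` fallback further down unreachable for callers that omit the argument, whereas `$sDBHost`, `$sDBUser`, `$sDBPwd` and `$sDBTlsCA` default to null and so pick up the configuration. A mutex built with only `$sName` would then open its lock connection without TLS even when `db_tls.enabled` is set, unless every caller passes null explicitly (callers are outside this diff). Since the signature is being changed anyway, `$bDBTlsEnabled = null` would make the TLS setting follow the same config-fallback rule as the other connection parameters. The constructor's body continues outside the hunk.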


@@ -552,12 +552,11 @@ if (class_exists('ZipArchive')) // The setup must be able to start even if the "
$sSource = $oConfig->Get('db_name'); $sSource = $oConfig->Get('db_name');
$sTlsEnabled = $oConfig->Get('db_tls.enabled'); $sTlsEnabled = $oConfig->Get('db_tls.enabled');
$sTlsCA = $oConfig->Get('db_tls.ca'); $sTlsCA = $oConfig->Get('db_tls.ca');
$bTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert');
try try
{ {
$oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsEnabled, $sTlsCA, false, $oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsEnabled, $sTlsCA,
$bTlsVerifyServerCert); false);
if ($oMysqli->connect_errno) if ($oMysqli->connect_errno)
{ {
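Review bot: The wrapped call `CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsEnabled, $sTlsCA,` / `false);` leaves a bare boolean on its own line with nothing saying what it controls; a reader has to open CMDBSource to learn it is `$bCheckTlsAfterConnection`. Keeping the call on one line with an inline hint, `..., $sTlsCA, false /* bCheckTlsAfterConnection */);`, or a named local keeps the intent visible. Separately, `$sTlsEnabled` is passed where the callee's docblock declares `bool $bTlsEnabled`; the `s` prefix suggests a string, so either the name or the value deserves a look. The surrounding try block continues outside the hunk.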


@@ -1134,7 +1134,7 @@ EOF
try try
{ {
$oDBSource = new CMDBSource; $oDBSource = new CMDBSource;
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCA, false); $oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCA);
$aResult['checks'][] = new CheckResult(CheckResult::INFO, "Connection to '$sDBServer' as '$sDBUser' successful."); $aResult['checks'][] = new CheckResult(CheckResult::INFO, "Connection to '$sDBServer' as '$sDBUser' successful.");
$aResult['checks'][] = new CheckResult(CheckResult::INFO, "Info - User privileges: ".($oDBSource->GetRawPrivileges())); $aResult['checks'][] = new CheckResult(CheckResult::INFO, "Info - User privileges: ".($oDBSource->GetRawPrivileges()));
@@ -1272,7 +1272,7 @@ EOF
) )
{ {
$oDBSource = new CMDBSource; $oDBSource = new CMDBSource;
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCa, false); $oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCa);
$sDBVersion = $oDBSource->GetDBVersion(); $sDBVersion = $oDBSource->GetDBVersion();
return $sDBVersion; return $sDBVersion;
} }
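Review bot: `Init` is declared `public static` in CMDBSource and assigns `self::$m_sDBHost` and friends, yet both changed lines call it through an instance, `$oDBSource->Init(...)`, which works but reads as if per-instance state were being configured. `CMDBSource::Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCA);` states the intent; the same applies to the second hunk with `$sTlsCa`. With the seventh argument gone, these setup connections now verify the server certificate exactly when the CA value is non-empty, which is worth a one-line comment at the call site, e.g. `// server cert is verified only when a TLS CA is given`, since setup is where a mistyped CA path would first surface. The enclosing functions start outside both hunks.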