N°1260 remove db_tls.verify_server_cert : the server cert verification is now based on the TLS CA parameter value
SVN:trunk[5683]
@@ -132,11 +132,6 @@ class CMDBSource
* @since 2.5 #1260 MySQL TLS first implementation
*/
protected static $m_sDBTlsCA;
/**
* @var boolean
* @since 2.5 #1260 MySQL TLS first implementation
*/
protected static $m_bDBTlsVerifyServerCert;
/** @var mysqli $m_oMysqli */
protected static $m_oMysqli;
@@ -156,9 +151,8 @@ class CMDBSource
$sSource = $oConfig->Get('db_name');
$bTlsEnabled = $oConfig->Get('db_tls.enabled');
$sTlsCA = $oConfig->Get('db_tls.ca');
$sTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert');
self::Init($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, $sTlsVerifyServerCert);
self::Init($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA);
$sCharacterSet = DEFAULT_CHARACTER_SET;
$sCollation = DEFAULT_COLLATION;
@@ -172,12 +166,11 @@ class CMDBSource
* @param string $sSource database to use
* @param bool $bTlsEnabled
* @param string $sTlsCA
* @param bool $sTlsVerifyServerCert
*
* @throws \MySQLException
*/
public static function Init(
$sServer, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCA = null, $sTlsVerifyServerCert = false
$sServer, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCA = null
)
{
self::$m_sDBHost = $sServer;
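Review bot: The surviving `@param string $sTlsCA` line in Init's docblock carries no description, yet after this commit the CA value is what decides whether the MySQL server certificate is verified (the flag selection in GetMysqliInstance picks MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT when it is empty). Suggest stating that contract where callers read it: `* @param string $sTlsCA path to the CA file; when empty the MySQL server certificate is not verified`. The same applies to the bare `@param string $sTlsCa` in the GetMysqliInstance docblock in the @@ -200,14 +191,12 hunk. Init's body continues past the end of this hunk.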
@@ -186,10 +179,8 @@ class CMDBSource
self::$m_sDBName = $sSource;
self::$m_bDBTlsEnabled = empty($bTlsEnabled) ? false : $bTlsEnabled;
self::$m_sDBTlsCA = empty($sTlsCA) ? null : $sTlsCA;
self::$m_bDBTlsVerifyServerCert = empty($sTlsVerifyServerCert) ? null : $sTlsVerifyServerCert;
self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, true,
$sTlsVerifyServerCert);
self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, true);
}
/**
@@ -200,14 +191,12 @@ class CMDBSource
* @param bool $bTlsEnabled
* @param string $sTlsCa
* @param bool $bCheckTlsAfterConnection If true then verify after connection if it is encrypted
* @param bool $bVerifyTlsServerCert If true then verify server certificate when connecting
*
* @return \mysqli
* @throws \MySQLException
*/
public static function GetMysqliInstance(
$sDbHost, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCa = null, $bCheckTlsAfterConnection = false,
$bVerifyTlsServerCert = false
$sDbHost, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCa = null, $bCheckTlsAfterConnection = false
) {
$oMysqli = null;
@@ -228,9 +217,9 @@ class CMDBSource
if ($bTlsEnabled)
{
$iFlags = ($bVerifyTlsServerCert)
? MYSQLI_CLIENT_SSL
: MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
$iFlags = (empty($sTlsCa))
? MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
: MYSQLI_CLIENT_SSL;
$sTlsCert = null; // not implemented
$sTlsCaPath = null; // not implemented
$sTlsCipher = null; // not implemented
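Review bot: With db_tls.enabled set and no CA configured, the new ternary selects MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT, so the connection is encrypted but the server's identity is never checked, and nothing in this path tells the operator that is what they got. It is also a behaviour change for a deployment that had verify_server_cert set to true with an empty CA: the removed branch gave it MYSQLI_CLIENT_SSL, the new one downgrades it to the unverified flag, which the commit message does not call out. A comment on the branch would make the trade-off explicit, e.g. `// no CA configured: TLS is negotiated but the server certificate is not authenticated`, and a log line when this branch is taken is worth considering. Note too that `empty()` does not trim, so a whitespace-only CA value selects MYSQLI_CLIENT_SSL and leaves the outcome to whatever consumes $sTlsCa further down. GetMysqliInstance's body continues outside this hunk on both sides.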
@@ -166,14 +166,6 @@ class Config
'source_of_value' => '',
'show_in_conf_sample' => false,
),
'db_tls.verify_server_cert' => array(
'type' => 'bool',
'description' => 'Change the TLS flag used to connect : MYSQLI_CLIENT_SSL if true, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT if false (default)',
'default' => false,
'value' => false,
'source_of_value' => '',
'show_in_conf_sample' => false,
),
'db_character_set' => array( // @deprecated to remove in 2.7 ? #1001 utf8mb4 switch
'type' => 'string',
'description' => 'Deprecated since iTop 2.5 : now using utf8mb4',
@@ -42,12 +42,10 @@ class iTopMutex
protected $sDBSubname;
protected $bDBTlsEnabled;
protected $sDBTlsCA;
protected $bDBTlsVerifyServerCert;
static protected $aAcquiredLocks = array(); // Number of instances of the Mutex, having the lock, in this page
public function __construct(
$sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $bDBTlsEnabled = false, $sDBTlsCA = null,
$bDBTlsVerifyServerCert = null
$sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $bDBTlsEnabled = false, $sDBTlsCA = null
)
{
// Compute the name of a lock for mysql
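Review bot: Dropping the trailing `$bDBTlsVerifyServerCert` parameter from the iTopMutex constructor is silent for any caller that still passes seven arguments, because PHP accepts surplus arguments to userland functions and simply discards them, so an extension built against the old arity keeps running with its intent ignored rather than failing loudly. If the constructor is part of the surface extensions use, a one-line remark in the class docblock that the parameter was removed in favour of the db_tls.ca setting would make the change visible to them. The constructor body runs past the end of this hunk.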
@@ -65,7 +63,6 @@ class iTopMutex
$this->bDBTlsEnabled = is_null($bDBTlsEnabled) ? $oConfig->Get('db_tls.enabled') : $bDBTlsEnabled;
$this->sDBTlsCA = is_null($sDBTlsCA) ? $oConfig->Get('db_tls.ca') : $sDBTlsCA;
$this->bDBTlsVerifyServerCert = is_null($bDBTlsVerifyServerCert) ? $oConfig->Get('db_tls.verify_server_cert') : $bDBTlsVerifyServerCert;
$this->sName = $sName;
if (substr($sName, -strlen($this->sDBName.$sDBSubname)) != $this->sDBName.$sDBSubname)
@@ -235,10 +232,8 @@ class iTopMutex
$sSource = $this->sDBName;
$bTlsEnabled = $this->bDBTlsEnabled;
$sTlsCA = $this->sDBTlsCA;
$bTlsVerifyServerCert = $this->bDBTlsVerifyServerCert;
$this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA,
false, $bTlsVerifyServerCert);
$this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, false);
if (!$this->hDBLink)
{
@@ -552,12 +552,11 @@ if (class_exists('ZipArchive')) // The setup must be able to start even if the "
$sSource = $oConfig->Get('db_name');
$sTlsEnabled = $oConfig->Get('db_tls.enabled');
$sTlsCA = $oConfig->Get('db_tls.ca');
$bTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert');
try
{
$oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsEnabled, $sTlsCA, false,
$bTlsVerifyServerCert);
$oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsEnabled, $sTlsCA,
false);
if ($oMysqli->connect_errno)
{
@@ -1134,7 +1134,7 @@ EOF
try
{
$oDBSource = new CMDBSource;
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCA, false);
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCA);
$aResult['checks'][] = new CheckResult(CheckResult::INFO, "Connection to '$sDBServer' as '$sDBUser' successful.");
$aResult['checks'][] = new CheckResult(CheckResult::INFO, "Info - User privileges: ".($oDBSource->GetRawPrivileges()));
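Review bot: The rewritten call `$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCA);` invokes a method declared `public static function Init` through a freshly created instance, which reads as if it configured `$oDBSource` when it actually assigns class-wide state (self::$m_sDBHost and friends). `CMDBSource::Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCA);` says what happens; the same applies to the call in the @@ -1272,7 +1272,7 hunk. The enclosing try block starts before this hunk.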
@@ -1272,7 +1272,7 @@ EOF
)
{
$oDBSource = new CMDBSource;
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCa, false);
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCa);
$sDBVersion = $oDBSource->GetDBVersion();
return $sDBVersion;
}