N°1260 new db_tls.verify_server_cert option to force server certificates check
SVN:trunk[5381]
@@ -117,6 +117,7 @@ class CMDBSource
|
||||
protected static $m_sDBTlsCA;
|
||||
protected static $m_sDBTlsCaPath;
|
||||
protected static $m_sDBTlsCipher;
|
||||
protected static $m_bDBTlsVerifyServerCert;
|
||||
/** @var mysqli $m_oMysqli */
|
||||
protected static $m_oMysqli;
|
||||
|
||||
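Review bot: The new `protected static $m_bDBTlsVerifyServerCert;` has no docblock although the neighbouring `$m_oMysqli` has one, and the `Init` hunk below stores either the flag or `null` in it, so its type is not obvious from the declaration. Suggest `/** @var bool|null $m_bDBTlsVerifyServerCert true to validate the MySQL server certificate, null/false otherwise */` above it. The class body continues outside the hunk.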
@@ -138,8 +139,10 @@ class CMDBSource
|
||||
$sTlsCA = $oConfig->Get('db_tls.ca');
|
||||
$sTlsCaPath = $oConfig->Get('db_tls.capath');
|
||||
$sTlsCipher = $oConfig->Get('db_tls.cipher');
|
||||
$sTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert');
|
||||
|
||||
self::Init($sServer, $sUser, $sPwd, $sSource, $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher);
|
||||
self::Init($sServer, $sUser, $sPwd, $sSource, $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher,
|
||||
$sTlsVerifyServerCert);
|
||||
|
||||
$sCharacterSet = $oConfig->Get('db_character_set');
|
||||
$sCollation = $oConfig->Get('db_collation');
|
||||
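Review bot: `$sTlsVerifyServerCert` in the new `$oConfig->Get('db_tls.verify_server_cert')` line carries the string prefix although the option is declared `bool` in the Config hunk, while the same flag is spelled `$bCheckTlsAfterConnection` / `$m_bDBTlsVerifyServerCert` elsewhere in this class. The same name is repeated in the `Init` docblock/signature hunk and the `Init` body hunk below. Renaming to `$bTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert');` and adjusting the two `Init` hunks keeps the file's naming convention. The enclosing method starts outside the hunk.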
@@ -156,12 +159,13 @@ class CMDBSource
|
||||
* @param string $sTlsCA
|
||||
* @param string $sTlsCaPath
|
||||
* @param string $sTlsCipher
|
||||
* @param bool $sTlsVerifyServerCert
|
||||
*
|
||||
* @throws \MySQLException
|
||||
*/
|
||||
public static function Init(
|
||||
$sServer, $sUser, $sPwd, $sSource = '', $sTlsKey = null, $sTlsCert = null, $sTlsCA = null, $sTlsCaPath = null,
|
||||
$sTlsCipher = null
|
||||
$sTlsCipher = null, $sTlsVerifyServerCert = false
|
||||
)
|
||||
{
|
||||
self::$m_sDBHost = $sServer;
|
||||
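Review bot: The added `@param bool $sTlsVerifyServerCert` line has no description, unlike the same flag on `GetMysqliInstance`, so a caller of `Init` cannot see from this docblock that the default leaves the server certificate unchecked. Suggest `* @param bool $sTlsVerifyServerCert true to check the server certificate against $sTlsCA/$sTlsCaPath (MYSQLI_CLIENT_SSL); false (default) skips that check (MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)`. Init's body continues outside the hunk.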
@@ -173,9 +177,10 @@ class CMDBSource
|
||||
self::$m_sDBTlsCA = empty($sTlsCA) ? null : $sTlsCA;
|
||||
self::$m_sDBTlsCaPath = empty($sTlsCaPath) ? null : $sTlsCaPath;
|
||||
self::$m_sDBTlsCipher = empty($sTlsCipher) ? null : $sTlsCipher;
|
||||
self::$m_bDBTlsVerifyServerCert = empty($sTlsVerifyServerCert) ? null : $sTlsVerifyServerCert;
|
||||
|
||||
self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsKey, $sTlsCert, $sTlsCA,
|
||||
$sTlsCaPath, $sTlsCipher, true);
|
||||
$sTlsCaPath, $sTlsCipher, true, $sTlsVerifyServerCert);
|
||||
}
|
||||
|
||||
/**
|
||||
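Review bot: `self::$m_bDBTlsVerifyServerCert = empty($sTlsVerifyServerCert) ? null : $sTlsVerifyServerCert;` stores `null` rather than `false` when the flag is off, so a `b`-prefixed property becomes tri-state and a strict `=== false` comparison elsewhere would not match it; the `empty() ? null :` pattern is copied from the string TLS settings above, where null means "not configured", which does not apply to a flag. A plain cast, `self::$m_bDBTlsVerifyServerCert = (bool)$sTlsVerifyServerCert;`, keeps the property boolean. Note also that the `GetMysqliInstance` call in this hunk forwards the raw argument, not the stored property, so the two can disagree in type. Init's signature is outside the hunk.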
@@ -188,14 +193,15 @@ class CMDBSource
|
||||
* @param string $sTlsCa
|
||||
* @param string $sTlsCaPath
|
||||
* @param string $sTlsCipher
|
||||
* @param boolean $bCheckTlsAfterConnection
|
||||
* @param bool $bCheckTlsAfterConnection
|
||||
* @param bool $bVerifyTlsServerCert Change the TLS flag used to connect : MYSQLI_CLIENT_SSL if true, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT if false (default)
|
||||
*
|
||||
* @return \mysqli
|
||||
* @throws \MySQLException
|
||||
*/
|
||||
public static function GetMysqliInstance(
|
||||
$sServer, $sUser, $sPwd, $sSource = '', $sTlsKey = null, $sTlsCert = null, $sTlsCa = null, $sTlsCaPath = null,
|
||||
$sTlsCipher = null, $bCheckTlsAfterConnection = false
|
||||
$sTlsCipher = null, $bCheckTlsAfterConnection = false, $bVerifyTlsServerCert = false
|
||||
) {
|
||||
$oMysqli = null;
|
||||
|
||||
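Review bot: `GetMysqliInstance` now ends with two adjacent optional booleans, `$bCheckTlsAfterConnection = false, $bVerifyTlsServerCert = false`, and every caller must pass them positionally (`false, $bTlsVerifyServerCert`), which is easy to get wrong — the iTopMutex call site in this commit passes the verify flag in both positions. Because the new flag defaults to `false`, any caller not updated by this commit silently keeps a connection on which the server certificate is not checked; that is worth stating in the docblock, e.g. appending to the `@param bool $bVerifyTlsServerCert` line: `Callers that omit this argument get TLS without server certificate validation.` The function body continues outside the hunk.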
@@ -217,7 +223,9 @@ class CMDBSource
|
||||
|
||||
if ($bTlsEnabled)
|
||||
{
|
||||
$iFlags = MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT; // instead of MYSQLI_CLIENT_SSL
|
||||
$iFlags = ($bVerifyTlsServerCert)
|
||||
? MYSQLI_CLIENT_SSL
|
||||
: MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
|
||||
$oMysqli->ssl_set($sTlsKey, $sTlsCert, $sTlsCa, $sTlsCaPath, $sTlsCipher);
|
||||
}
|
||||
$oMysqli->real_connect($sServer, $sUser, $sPwd, '', $iPort,
|
||||
|
||||
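Review bot: On the `: MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;` branch the following `ssl_set($sTlsKey, $sTlsCert, $sTlsCa, $sTlsCaPath, $sTlsCipher)` still hands the CA material to the client, but that flag tells mysqli not to validate the server certificate against it, so an operator who configures only `db_tls.ca` gets encryption without server authentication. The removed `// instead of MYSQLI_CLIENT_SSL` was the only hint of this; suggest a comment on the false branch: `// server certificate is NOT checked against $sTlsCa / $sTlsCaPath unless db_tls.verify_server_cert is true`. The enclosing function starts and ends outside the hunk.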
@@ -186,6 +186,14 @@ class Config
|
||||
'source_of_value' => '',
|
||||
'show_in_conf_sample' => false,
|
||||
),
|
||||
'db_tls.verify_server_cert' => array(
|
||||
'type' => 'bool',
|
||||
'description' => 'Change the TLS flag used to connect : MYSQLI_CLIENT_SSL if true, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT if false (default)',
|
||||
'default' => false,
|
||||
'value' => '',
|
||||
'source_of_value' => '',
|
||||
'show_in_conf_sample' => false,
|
||||
),
|
||||
'db_character_set' => array(
|
||||
'type' => 'string',
|
||||
'default' => null,
|
||||
|
||||
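Review bot: The `'description'` of `db_tls.verify_server_cert` names mysqli constants, which tells an administrator nothing about the effect, and with `'default' => false` plus `'show_in_conf_sample' => false` the option is both off and absent from the generated sample, so existing TLS setups keep accepting any server certificate without anyone being prompted. Suggest a plain-language description such as `'description' => 'If true, the MySQL server certificate is validated against db_tls.ca / db_tls.capath; if false (default) TLS is used but the server certificate is not checked',` and consider `'show_in_conf_sample' => true` so the setting is discoverable. The other `db_tls.*` entries are outside the hunk.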
@@ -45,11 +45,12 @@ class iTopMutex
|
||||
protected $sDBTlsCA;
|
||||
protected $sDBTlsCaPath;
|
||||
protected $sDBTlsCipher;
|
||||
protected $bDBTlsVerifyServerCert;
|
||||
static protected $aAcquiredLocks = array(); // Number of instances of the Mutex, having the lock, in this page
|
||||
|
||||
public function __construct(
|
||||
$sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $sDBTlsKey = null, $sDBTlsCert = null,
|
||||
$sDBTlsCA = null, $sDBTlsCaPath = null, $sDBTlsCypher = null
|
||||
$sDBTlsCA = null, $sDBTlsCaPath = null, $sDBTlsCypher = null, $bDBTlsVerifyServerCert = null
|
||||
)
|
||||
{
|
||||
// Compute the name of a lock for mysql
|
||||
@@ -70,6 +71,7 @@ class iTopMutex
|
||||
$this->sDBTlsCA = is_null($sDBTlsCA) ? $oConfig->Get('db_tls.ca') : $sDBTlsCA;
|
||||
$this->sDBTlsCaPath = is_null($sDBTlsCaPath) ? $oConfig->Get('db_tls.capath') : $sDBTlsCaPath;
|
||||
$this->sDBTlsCipher = is_null($sDBTlsCypher) ? $oConfig->Get('db_tls.cipher') : $sDBTlsCypher;
|
||||
$this->bDBTlsVerifyServerCert = is_null($bDBTlsVerifyServerCert) ? $oConfig->Get('db_tls.verify_server_cert') : $bDBTlsVerifyServerCert;
|
||||
|
||||
$this->sName = $sName;
|
||||
if (substr($sName, -strlen($this->sDBName.$sDBSubname)) != $this->sDBName.$sDBSubname)
|
||||
@@ -242,9 +244,12 @@ class iTopMutex
|
||||
$sTlsCA = $this->sDBTlsCA;
|
||||
$sTlsCaPath = $this->sDBTlsCaPath;
|
||||
$sTlsCipher = $this->sDBTlsCipher;
|
||||
$bTlsVerifyServerCert = $this->bDBTlsVerifyServerCert;
|
||||
$bDBTlsVerifyServerCert = $this->bDBTlsVerifyServerCert;
|
||||
|
||||
$this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsKey, $sTlsCert, $sTlsCA,
|
||||
$sTlsCaPath, $sTlsCipher, false);
|
||||
$this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource,
|
||||
$sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher,
|
||||
$bTlsVerifyServerCert, $bDBTlsVerifyServerCert);
|
||||
|
||||
if (!$this->hDBLink)
|
||||
{
|
||||
|
||||
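Review bot: The new `GetMysqliInstance` call passes the verify flag twice: `$bTlsVerifyServerCert` lands in the `$bCheckTlsAfterConnection` slot that the removed call filled with `false`, and `$bDBTlsVerifyServerCert` in the new `$bVerifyTlsServerCert` slot, while both locals are assigned the same `$this->bDBTlsVerifyServerCert`. Enabling `db_tls.verify_server_cert` therefore also switches on the post-connection TLS check for the mutex connection, which looks unintended given that the setup code in this commit passes `false, $bTlsVerifyServerCert`. Drop the `$bTlsVerifyServerCert = $this->bDBTlsVerifyServerCert;` line and end the call with `$sTlsCaPath, $sTlsCipher, false, $bDBTlsVerifyServerCert);`. The enclosing method starts and ends outside the hunk.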
@@ -533,11 +533,13 @@ if (class_exists('ZipArchive')) // The setup must be able to start even if the "
|
||||
$sTlsCA = $oConfig->Get('db_tls.ca');
|
||||
$sTlsCaPath = $oConfig->Get('db_tls.capath');
|
||||
$sTlsCipher = $oConfig->Get('db_tls.cipher');
|
||||
$bTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert');
|
||||
|
||||
try
|
||||
{
|
||||
$oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsKey, $sTlsCert,
|
||||
$sTlsCA, $sTlsCaPath, $sTlsCipher, false);
|
||||
$oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource,
|
||||
$sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher,
|
||||
false, $bTlsVerifyServerCert);
|
||||
|
||||
if ($oMysqli->connect_errno)
|
||||
{
|
||||
|
||||
@@ -1165,7 +1165,8 @@ EOF
|
||||
try
|
||||
{
|
||||
$oDBSource = new CMDBSource;
|
||||
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCipher);
|
||||
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher,
|
||||
false);
|
||||
$aResult['checks'][] = new CheckResult(CheckResult::INFO, "Connection to '$sDBServer' as '$sDBUser' successful.");
|
||||
$aResult['checks'][] = new CheckResult(CheckResult::INFO, "Info - User privileges: ".($oDBSource->GetRawPrivileges()));
|
||||
|
||||
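Review bot: The rewritten `Init` call hard-codes `false` for the verify flag, so the setup connectivity check never validates the server certificate even if the resulting configuration will, and the check can succeed against a server the application would later refuse. If that is intended, a comment such as `// NOTE: the setup check does not verify the server certificate; see CMDBSource::GetMysqliInstance` would save the next reader a look at Init's signature. The call also inserts `$sTlsCaPath`, which fixes the removed call's argument shift (the cipher was passed in the CA-path slot) but relies on `$sTlsCaPath` being defined in the enclosing scope, which is outside the hunk.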
@@ -1279,16 +1280,20 @@ EOF
|
||||
* @param string $sTlsKey
|
||||
* @param string $sTlsCert
|
||||
* @param string $sTlsCa
|
||||
* @param string $sTlsCapath
|
||||
*
|
||||
* @param string $sTlsCipher
|
||||
*
|
||||
* @return string
|
||||
* @throws MySQLException
|
||||
* @throws \MySQLException
|
||||
*/
|
||||
static public function GetMySQLVersion(
|
||||
$sDBServer, $sDBUser, $sDBPwd, $sTlsKey = null, $sTlsCert = null, $sTlsCa = null, $sTlsCipher = null
|
||||
$sDBServer, $sDBUser, $sDBPwd, $sTlsKey = null, $sTlsCert = null, $sTlsCa = null, $sTlsCapath = null,
|
||||
$sTlsCipher = null
|
||||
)
|
||||
{
|
||||
$oDBSource = new CMDBSource;
|
||||
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $sTlsKey, $sTlsCert, $sTlsCa, $sTlsCipher);
|
||||
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $sTlsKey, $sTlsCert, $sTlsCa, $sTlsCapath, $sTlsCipher);
|
||||
$sDBVersion = $oDBSource->GetDBVersion();
|
||||
return $sDBVersion;
|
||||
}
|
||||
|
||||
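Review bot: Inserting `$sTlsCapath = null` before `$sTlsCipher` in `GetMySQLVersion` changes what the seventh positional argument means, so any caller outside this commit that still passes `$sTlsCipher` there would now have it treated as the CA path; the one visible caller (WizStepDone) is updated, but the signature change deserves a note in the docblock, e.g. `* @since $sTlsCapath inserted before $sTlsCipher; update positional callers`. Separately, the docblock now has a stray `*` line between `@param string $sTlsCapath` and `@param string $sTlsCipher`; drop it so the parameter list reads as one block. Since no verify flag is passed to `Init`, this probe keeps Init's default of not checking the server certificate, which is worth a word in the docblock as well.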
@@ -2548,7 +2548,15 @@ class WizStepDone extends WizardStep
|
||||
$sForm .= "<p style=\"text-align:center;width:100%\"><button id=\"enter_itop\" type=\"submit\">Enter ".ITOP_APPLICATION."</button></p>";
|
||||
$sForm .= '</form>';
|
||||
$sPHPVersion = phpversion();
|
||||
$sMySQLVersion = SetupUtils::GetMySQLVersion($this->oWizard->GetParameter('db_server'), $this->oWizard->GetParameter('db_user'), $this->oWizard->GetParameter('db_pwd'));
|
||||
$sMySQLVersion = SetupUtils::GetMySQLVersion(
|
||||
$this->oWizard->GetParameter('db_server'),
|
||||
$this->oWizard->GetParameter('db_user'),
|
||||
$this->oWizard->GetParameter('db_pwd'),
|
||||
$this->oWizard->GetParameter('db_tls_key'),
|
||||
$this->oWizard->GetParameter('db_tls_cert'),
|
||||
$this->oWizard->GetParameter('db_tls_ca'),
|
||||
$this->oWizard->GetParameter('db_tls_capath'),
|
||||
$this->oWizard->GetParameter('db_tls_cipher'));
|
||||
$aParameters = json_decode($this->oWizard->GetParameter('selected_components', '{}'), true);
|
||||
$sCompactWizChoices = array();
|
||||
foreach($aParameters as $iStep => $aChoices)
|
||||
|
||||