mirror of
https://github.com/Combodo/iTop.git
synced 2026-04-24 02:58:43 +02:00
N°1260 MySQL TLS connection : change parameters to only enable checkbox + CA (remove client key, client cert, cappath, cipher)
SVN:trunk[5682]
This commit is contained in:
Pierre Goiffon
@@ -122,12 +122,22 @@ class CMDBSource
|
||||
protected static $m_sDBUser;
|
||||
protected static $m_sDBPwd;
|
||||
protected static $m_sDBName;
|
||||
protected static $m_sDBTlsKey;
|
||||
protected static $m_sDBTlsCert;
|
||||
/**
|
||||
* @var boolean
|
||||
* @since 2.5 #1260 MySQL TLS first implementation
|
||||
*/
|
||||
protected static $m_bDBTlsEnabled;
|
||||
/**
|
||||
* @var string
|
||||
* @since 2.5 #1260 MySQL TLS first implementation
|
||||
*/
|
||||
protected static $m_sDBTlsCA;
|
||||
protected static $m_sDBTlsCaPath;
|
||||
protected static $m_sDBTlsCipher;
|
||||
/**
|
||||
* @var boolean
|
||||
* @since 2.5 #1260 MySQL TLS first implementation
|
||||
*/
|
||||
protected static $m_bDBTlsVerifyServerCert;
|
||||
|
||||
/** @var mysqli $m_oMysqli */
|
||||
protected static $m_oMysqli;
|
||||
|
||||
@@ -144,15 +154,11 @@ class CMDBSource
|
||||
$sUser = $oConfig->Get('db_user');
|
||||
$sPwd = $oConfig->Get('db_pwd');
|
||||
$sSource = $oConfig->Get('db_name');
|
||||
$sTlsKey = $oConfig->Get('db_tls.key');
|
||||
$sTlsCert = $oConfig->Get('db_tls.cert');
|
||||
$bTlsEnabled = $oConfig->Get('db_tls.enabled');
|
||||
$sTlsCA = $oConfig->Get('db_tls.ca');
|
||||
$sTlsCaPath = $oConfig->Get('db_tls.capath');
|
||||
$sTlsCipher = $oConfig->Get('db_tls.cipher');
|
||||
$sTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert');
|
||||
|
||||
self::Init($sServer, $sUser, $sPwd, $sSource, $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher,
|
||||
$sTlsVerifyServerCert);
|
||||
self::Init($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, $sTlsVerifyServerCert);
|
||||
|
||||
$sCharacterSet = DEFAULT_CHARACTER_SET;
|
||||
$sCollation = DEFAULT_COLLATION;
|
||||
@@ -164,61 +170,50 @@ class CMDBSource
|
||||
* @param string $sUser
|
||||
* @param string $sPwd
|
||||
* @param string $sSource database to use
|
||||
* @param string $sTlsKey
|
||||
* @param string $sTlsCert
|
||||
* @param bool $bTlsEnabled
|
||||
* @param string $sTlsCA
|
||||
* @param string $sTlsCaPath
|
||||
* @param string $sTlsCipher
|
||||
* @param bool $sTlsVerifyServerCert
|
||||
*
|
||||
* @throws \MySQLException
|
||||
*/
|
||||
public static function Init(
|
||||
$sServer, $sUser, $sPwd, $sSource = '', $sTlsKey = null, $sTlsCert = null, $sTlsCA = null, $sTlsCaPath = null,
|
||||
$sTlsCipher = null, $sTlsVerifyServerCert = false
|
||||
$sServer, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCA = null, $sTlsVerifyServerCert = false
|
||||
)
|
||||
{
|
||||
self::$m_sDBHost = $sServer;
|
||||
self::$m_sDBUser = $sUser;
|
||||
self::$m_sDBPwd = $sPwd;
|
||||
self::$m_sDBName = $sSource;
|
||||
self::$m_sDBTlsKey = empty($sTlsKey) ? null : $sTlsKey;
|
||||
self::$m_sDBTlsCert = empty($sTlsCert) ? null : $sTlsCert;
|
||||
self::$m_bDBTlsEnabled = empty($bTlsEnabled) ? false : $bTlsEnabled;
|
||||
self::$m_sDBTlsCA = empty($sTlsCA) ? null : $sTlsCA;
|
||||
self::$m_sDBTlsCaPath = empty($sTlsCaPath) ? null : $sTlsCaPath;
|
||||
self::$m_sDBTlsCipher = empty($sTlsCipher) ? null : $sTlsCipher;
|
||||
self::$m_bDBTlsVerifyServerCert = empty($sTlsVerifyServerCert) ? null : $sTlsVerifyServerCert;
|
||||
|
||||
self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsKey, $sTlsCert, $sTlsCA,
|
||||
$sTlsCaPath, $sTlsCipher, true, $sTlsVerifyServerCert);
|
||||
self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, true,
|
||||
$sTlsVerifyServerCert);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $sServer
|
||||
* @param string $sDbHost
|
||||
* @param string $sUser
|
||||
* @param string $sPwd
|
||||
* @param string $sSource database to use
|
||||
* @param string $sTlsKey
|
||||
* @param string $sTlsCert
|
||||
* @param bool $bTlsEnabled
|
||||
* @param string $sTlsCa
|
||||
* @param string $sTlsCaPath
|
||||
* @param string $sTlsCipher
|
||||
* @param bool $bCheckTlsAfterConnection
|
||||
* @param bool $bVerifyTlsServerCert Change the TLS flag used to connect : MYSQLI_CLIENT_SSL if true, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT if false (default)
|
||||
* @param bool $bCheckTlsAfterConnection If true then verify after connection if it is encrypted
|
||||
* @param bool $bVerifyTlsServerCert If true then verify server certificate when connecting
|
||||
*
|
||||
* @return \mysqli
|
||||
* @throws \MySQLException
|
||||
*/
|
||||
public static function GetMysqliInstance(
|
||||
$sServer, $sUser, $sPwd, $sSource = '', $sTlsKey = null, $sTlsCert = null, $sTlsCa = null, $sTlsCaPath = null,
|
||||
$sTlsCipher = null, $bCheckTlsAfterConnection = false, $bVerifyTlsServerCert = false
|
||||
$sDbHost, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCa = null, $bCheckTlsAfterConnection = false,
|
||||
$bVerifyTlsServerCert = false
|
||||
) {
|
||||
$oMysqli = null;
|
||||
|
||||
$sServer = null;
|
||||
$iPort = null;
|
||||
$bTlsEnabled = self::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCa);
|
||||
self::InitServerAndPort(self::$m_sDBHost, $sServer, $iPort);
|
||||
self::InitServerAndPort($sDbHost, $sServer, $iPort);
|
||||
|
||||
$iFlags = null;
|
||||
|
||||
@@ -236,18 +231,20 @@ class CMDBSource
|
||||
$iFlags = ($bVerifyTlsServerCert)
|
||||
? MYSQLI_CLIENT_SSL
|
||||
: MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
|
||||
$oMysqli->ssl_set($sTlsKey, $sTlsCert, $sTlsCa, $sTlsCaPath, $sTlsCipher);
|
||||
$sTlsCert = null; // not implemented
|
||||
$sTlsCaPath = null; // not implemented
|
||||
$sTlsCipher = null; // not implemented
|
||||
$oMysqli->ssl_set($bTlsEnabled, $sTlsCert, $sTlsCa, $sTlsCaPath, $sTlsCipher);
|
||||
}
|
||||
$oMysqli->real_connect($sServer, $sUser, $sPwd, '', $iPort,
|
||||
ini_get("mysqli.default_socket"), $iFlags);
|
||||
$oMysqli->real_connect($sServer, $sUser, $sPwd, '', $iPort, ini_get("mysqli.default_socket"), $iFlags);
|
||||
}
|
||||
catch(mysqli_sql_exception $e)
|
||||
{
|
||||
throw new MySQLException('Could not connect to the DB server', array('host' => $sServer, 'user' => $sUser), $e);
|
||||
}
|
||||
|
||||
if ($bCheckTlsAfterConnection
|
||||
&& self::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCa)
|
||||
if ($bTlsEnabled
|
||||
&& $bCheckTlsAfterConnection
|
||||
&& !self::IsOpenedDbConnectionUsingTls($oMysqli))
|
||||
{
|
||||
throw new MySQLException("Connection to the database is not encrypted whereas it was opened using TLS parameters",
|
||||
@@ -307,32 +304,6 @@ class CMDBSource
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @param \Config $oConfig
|
||||
*
|
||||
* @return boolean
|
||||
*/
|
||||
public static function IsDbConnectionInConfigUsingTls($oConfig)
|
||||
{
|
||||
$sTlsKey = $oConfig->Get('db_tls.key');
|
||||
$sTlsCert = $oConfig->Get('db_tls.cert');
|
||||
$sTlsCA = $oConfig->Get('db_tls.ca');
|
||||
|
||||
return self::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCA);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $sTlsKey
|
||||
* @param string $sTlsCert
|
||||
* @param string $sTlsCA
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public static function IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCA)
|
||||
{
|
||||
return (!empty($sTlsKey) && !empty($sTlsCert) && !empty($sTlsCA));
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>A DB connection can be opened transparently (no errors thrown) without being encrypted, whereas the TLS
|
||||
* parameters were used.<br>
|
||||
|
||||
@@ -150,19 +150,11 @@ class Config
|
||||
'source_of_value' => '',
|
||||
'show_in_conf_sample' => true,
|
||||
),
|
||||
'db_tls.key' => array(
|
||||
'type' => 'string',
|
||||
'description' => 'Path to client key file for SSL',
|
||||
'default' => null,
|
||||
'value' => '',
|
||||
'source_of_value' => '',
|
||||
'show_in_conf_sample' => false,
|
||||
),
|
||||
'db_tls.cert' => array(
|
||||
'type' => 'string',
|
||||
'description' => 'Path to client certificate file for SSL',
|
||||
'default' => null,
|
||||
'value' => '',
|
||||
'db_tls.enabled' => array(
|
||||
'type' => 'bool',
|
||||
'description' => 'If true then the connection to the DB will be encrypted',
|
||||
'default' => false,
|
||||
'value' => false,
|
||||
'source_of_value' => '',
|
||||
'show_in_conf_sample' => false,
|
||||
),
|
||||
@@ -174,27 +166,11 @@ class Config
|
||||
'source_of_value' => '',
|
||||
'show_in_conf_sample' => false,
|
||||
),
|
||||
'db_tls.capath' => array(
|
||||
'type' => 'string',
|
||||
'description' => 'Path to a directory that contains trusted SSL CA certificates in PEM format',
|
||||
'default' => null,
|
||||
'value' => '',
|
||||
'source_of_value' => '',
|
||||
'show_in_conf_sample' => false,
|
||||
),
|
||||
'db_tls.cipher' => array(
|
||||
'type' => 'string',
|
||||
'description' => 'Optional : separated list of permissible cyphers to use for SSL encryption',
|
||||
'default' => null,
|
||||
'value' => '',
|
||||
'source_of_value' => '',
|
||||
'show_in_conf_sample' => false,
|
||||
),
|
||||
'db_tls.verify_server_cert' => array(
|
||||
'type' => 'bool',
|
||||
'description' => 'Change the TLS flag used to connect : MYSQLI_CLIENT_SSL if true, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT if false (default)',
|
||||
'default' => false,
|
||||
'value' => '',
|
||||
'value' => false,
|
||||
'source_of_value' => '',
|
||||
'show_in_conf_sample' => false,
|
||||
),
|
||||
@@ -1908,30 +1884,23 @@ class Config
|
||||
}
|
||||
$this->Set('db_name', $sDBName);
|
||||
$this->Set('db_subname', $aParamValues['db_prefix']);
|
||||
$sDbTlsKey = $aParamValues['db_tls_key'];
|
||||
if (isset($sDbTlsKey) && !empty($sDbTlsKey))
|
||||
|
||||
$bDbTlsEnabled = (bool) $aParamValues['db_tls_enabled'];
|
||||
if ($bDbTlsEnabled)
|
||||
{
|
||||
$this->Set('db_tls.key', $sDbTlsKey, 'UpdateFromParams');
|
||||
$this->Set('db_tls.enabled', $bDbTlsEnabled, 'UpdateFromParams');
|
||||
}
|
||||
$sDbTlsCert = $aParamValues['db_tls_cert'];
|
||||
if (isset($sDbTlsCert) && !empty($sDbTlsCert))
|
||||
else
|
||||
{
|
||||
$this->Set('db_tls.cert', $sDbTlsCert, 'UpdateFromParams');
|
||||
// disabled : we don't want parameter in the file
|
||||
$this->Set('db_tls.enabled', $bDbTlsEnabled, null);
|
||||
}
|
||||
$sDbTlsCa = $aParamValues['db_tls_ca'];
|
||||
if (isset($sDbTlsCa) && !empty($sDbTlsCa))
|
||||
{
|
||||
$sDbTlsCa = $bDbTlsEnabled ? $aParamValues['db_tls_ca'] : null;
|
||||
if (isset($sDbTlsCa) && !empty($sDbTlsCa)) {
|
||||
$this->Set('db_tls.ca', $sDbTlsCa, 'UpdateFromParams');
|
||||
}
|
||||
$sDbTlsCaPath = $aParamValues['db_tls_capath'];
|
||||
if (isset($sDbTlsCaPath) && !empty($sDbTlsCaPath))
|
||||
{
|
||||
$this->Set('db_tls.capath', $sDbTlsCaPath, 'UpdateFromParams');
|
||||
}
|
||||
$sDbTlsCipher = $aParamValues['db_tls_cipher'];
|
||||
if (isset($sDbTlsCipher) && !empty($sDbTlsCipher))
|
||||
{
|
||||
$this->Set('db_tls.cipher', $sDbTlsCipher, 'UpdateFromParams');
|
||||
} else {
|
||||
// empty parameter : we don't want it in the file
|
||||
$this->Set('db_tls.ca', null, null);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -40,17 +40,14 @@ class iTopMutex
|
||||
protected $sDBPwd;
|
||||
protected $sDBName;
|
||||
protected $sDBSubname;
|
||||
protected $sDBTlsKey;
|
||||
protected $sDBTlsCert;
|
||||
protected $bDBTlsEnabled;
|
||||
protected $sDBTlsCA;
|
||||
protected $sDBTlsCaPath;
|
||||
protected $sDBTlsCipher;
|
||||
protected $bDBTlsVerifyServerCert;
|
||||
static protected $aAcquiredLocks = array(); // Number of instances of the Mutex, having the lock, in this page
|
||||
|
||||
public function __construct(
|
||||
$sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $sDBTlsKey = null, $sDBTlsCert = null,
|
||||
$sDBTlsCA = null, $sDBTlsCaPath = null, $sDBTlsCypher = null, $bDBTlsVerifyServerCert = null
|
||||
$sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $bDBTlsEnabled = false, $sDBTlsCA = null,
|
||||
$bDBTlsVerifyServerCert = null
|
||||
)
|
||||
{
|
||||
// Compute the name of a lock for mysql
|
||||
@@ -66,11 +63,8 @@ class iTopMutex
|
||||
$this->sDBName = $oConfig->Get('db_name');
|
||||
$sDBSubname = $oConfig->Get('db_subname');
|
||||
|
||||
$this->sDBTlsKey = is_null($sDBTlsKey) ? $oConfig->Get('db_tls.key') : $sDBTlsKey;
|
||||
$this->sDBTlsCert = is_null($sDBTlsCert) ? $oConfig->Get('db_tls.cert') : $sDBTlsCert;
|
||||
$this->bDBTlsEnabled = is_null($bDBTlsEnabled) ? $oConfig->Get('db_tls.enabled') : $bDBTlsEnabled;
|
||||
$this->sDBTlsCA = is_null($sDBTlsCA) ? $oConfig->Get('db_tls.ca') : $sDBTlsCA;
|
||||
$this->sDBTlsCaPath = is_null($sDBTlsCaPath) ? $oConfig->Get('db_tls.capath') : $sDBTlsCaPath;
|
||||
$this->sDBTlsCipher = is_null($sDBTlsCypher) ? $oConfig->Get('db_tls.cipher') : $sDBTlsCypher;
|
||||
$this->bDBTlsVerifyServerCert = is_null($bDBTlsVerifyServerCert) ? $oConfig->Get('db_tls.verify_server_cert') : $bDBTlsVerifyServerCert;
|
||||
|
||||
$this->sName = $sName;
|
||||
@@ -228,7 +222,7 @@ class iTopMutex
|
||||
}
|
||||
|
||||
/**
|
||||
* Initialiaze database connection. Mandatory attributes must be already set !
|
||||
* Initialize database connection. Mandatory attributes must be already set !
|
||||
*
|
||||
* @throws \Exception
|
||||
* @throws \MySQLException
|
||||
@@ -239,17 +233,12 @@ class iTopMutex
|
||||
$sUser = $this->sDBUser;
|
||||
$sPwd = $this->sDBPwd;
|
||||
$sSource = $this->sDBName;
|
||||
$sTlsKey = $this->sDBTlsKey;
|
||||
$sTlsCert = $this->sDBTlsCert;
|
||||
$bTlsEnabled = $this->bDBTlsEnabled;
|
||||
$sTlsCA = $this->sDBTlsCA;
|
||||
$sTlsCaPath = $this->sDBTlsCaPath;
|
||||
$sTlsCipher = $this->sDBTlsCipher;
|
||||
$bTlsVerifyServerCert = $this->bDBTlsVerifyServerCert;
|
||||
$bDBTlsVerifyServerCert = $this->bDBTlsVerifyServerCert;
|
||||
|
||||
$this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource,
|
||||
$sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher,
|
||||
$bTlsVerifyServerCert, $bDBTlsVerifyServerCert);
|
||||
$this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA,
|
||||
false, $bTlsVerifyServerCert);
|
||||
|
||||
if (!$this->hDBLink)
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user