From 432f42c4eebca8bd8fd05941bb197c9e137a65f9 Mon Sep 17 00:00:00 2001
From: Webslice
Date: Tue, 21 Sep 2021 20:10:29 +0200
Subject: [PATCH] Add MySQL SSL support, fixes #2780

---
 install/tpl/config.inc.php.master      | 10 ++++++++
 interface/lib/classes/db_mysql.inc.php | 35 ++++++++++++++++++++------
 interface/lib/config.inc.php           | 10 ++++++++
 server/lib/app.inc.php                 |  2 +-
 server/lib/classes/db_mysql.inc.php    | 35 ++++++++++++++++++++------
 5 files changed, 75 insertions(+), 17 deletions(-)

diff --git a/install/tpl/config.inc.php.master b/install/tpl/config.inc.php.master
index bd5cc8f47f..e33398d0b3 100644
--- a/install/tpl/config.inc.php.master
+++ b/install/tpl/config.inc.php.master
@@ -69,6 +69,11 @@ $conf['db_password'] = '{mysql_server_ispconfig_password}';
 $conf['db_charset'] = 'utf8'; // same charset as html-charset - (HTML --> MYSQL: "utf-8" --> "utf8", "iso-8859-1" --> "latin1")
 $conf['db_new_link'] = false;
 $conf['db_client_flags'] = 0;
+$conf['db_ssl_client_key'] = null;
+$conf['db_ssl_client_cert'] = null;
+$conf['db_ssl_ca_cert'] = null;
+$conf['db_ssl_ca_path'] = null;
+$conf['db_ssl_cipher_algos'] = null;
 
 define('DB_TYPE',$conf['db_type']);
 define('DB_HOST',$conf['db_host']);
@@ -88,6 +93,11 @@ $conf['dbmaster_user'] = '{mysql_master_server_ispconfig_user}';
 $conf['dbmaster_password'] = '{mysql_master_server_ispconfig_password}';
 $conf['dbmaster_new_link'] = false;
 $conf['dbmaster_client_flags'] = 0;
+$conf['dbmaster_ssl_client_key'] = null;
+$conf['dbmaster_ssl_client_cert'] = null;
+$conf['dbmaster_ssl_ca_cert'] = null;
+$conf['dbmaster_ssl_ca_path'] = null;
+$conf['dbmaster_ssl_cipher_algos'] = null;
 
 
 //** Paths
diff --git a/interface/lib/classes/db_mysql.inc.php b/interface/lib/classes/db_mysql.inc.php
index cd9c333b22..eebac5850c 100644
--- a/interface/lib/classes/db_mysql.inc.php
+++ b/interface/lib/classes/db_mysql.inc.php
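Review bot: The five new `db_ssl_*` keys are the only entries in this block without a comment saying what they hold, so an administrator editing the generated config cannot tell from the template that the first four are filesystem paths (client key, client certificate, CA certificate, CA directory) handed to `mysqli_ssl_set()` and the fifth a cipher list, nor that leaving all five null keeps the connection exactly as before. Suggest one comment above the block, e.g. `// TLS for the MySQL connection: PEM paths for client key/cert and CA cert/dir plus an allowed-cipher list; all null = TLS not configured here`, and the same above the `dbmaster_ssl_*` block in the second hunk. Setting `db_ssl_cipher_algos` alone encrypts the link but gives nothing that authenticates the server, so the comment should point operators at `db_ssl_ca_cert` or `db_ssl_ca_path` as the settings that matter against a spoofed server. The two hunks of interface/lib/config.inc.php add the same keys and want the same comments.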
@@ -49,7 +49,12 @@ class db
 	private $dbUser = ''; // database authorized user
 	private $dbPass = ''; // user's password
 	private $dbCharset = 'utf8';// Database charset
-	private $dbClientFlags = 0; // MySQL Client falgs
+	private $dbClientFlags = 0; // MySQL Client flags
+	private $dbSslClientKey = null;
+	private $dbSslClientCert = null;
+	private $dbSslCaCert = null;
+	private $dbSslCaPath = null;
+	private $dbSslCipherAlgos = null;
 	/**#@-*/
 
 	public $show_error_messages = false; // false in server, interface sets true when generating templates
@@ -70,7 +75,7 @@ class db
 	 */
 
 	// constructor
-	public function __construct($host = NULL , $user = NULL, $pass = NULL, $database = NULL, $port = NULL, $flags = NULL) {
+	public function __construct($host = NULL , $user = NULL, $pass = NULL, $database = NULL, $port = NULL, $flags = NULL, $dbSslClientKey = NULL, $dbSslClientCert = NULL, $dbSslCaCert = NULL, $dbSslCaPath = NULL, $dbSslCipherAlgos = NULL) {
 		global $app, $conf;
 
 		$this->dbHost = $host ? $host : $conf['db_host'];
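Review bot: The five new private properties are the only ones in this block without a trailing comment, while every neighbour has one, and the constructor's five new parameters are documented nowhere (the `// constructor` line is the whole doc for an eleven-parameter signature). Suggest `private $dbSslClientKey = null; // path to client private key (PEM) for mysqli_ssl_set()`, `private $dbSslClientCert = null; // path to client certificate (PEM)`, `private $dbSslCaCert = null; // path to CA certificate used to verify the server`, and similar one-liners for `$dbSslCaPath` (CA directory) and `$dbSslCipherAlgos` (cipher list), with a short docblock on the constructor listing the same five in order. A reviewer would also note that a caller wanting only a CA certificate now has to pass positional NULL placeholders for key and cert, which is the usual argument for an options array; that is a larger change but worth a TODO. The identical two hunks in server/lib/classes/db_mysql.inc.php need the same comments.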
@@ -80,8 +85,17 @@ class db
 		$this->dbPass = $pass ? $pass : $conf['db_password'];
 		$this->dbCharset = $conf['db_charset'];
 		$this->dbClientFlags = ($flags !== NULL) ? $flags : $conf['db_client_flags'];
+		$this->dbSslClientKey = $dbSslClientKey ? $dbSslClientKey : $conf['db_ssl_client_key'];
+		$this->dbSslClientCert = $dbSslClientCert ? $dbSslClientCert : $conf['db_ssl_client_cert'];
+		$this->dbSslCaCert = $dbSslCaCert ? $dbSslCaCert : $conf['db_ssl_ca_cert'];
+		$this->dbSslCaPath = $dbSslCaPath ? $dbSslCaPath : $conf['db_ssl_ca_path'];
+		$this->dbSslCipherAlgos = $dbSslCipherAlgos ? $dbSslCipherAlgos : $conf['db_ssl_cipher_algos'];
 
 		$this->_iConnId = mysqli_init();
+		if (!empty($dbSslClientKey) || !empty($dbSslClientCert) || !empty($dbSslCaCert) || !empty($dbSslCaPath) || !empty($dbSslCipherAlgos)) {
+			mysqli_ssl_set($this->_iConnId, $dbSslClientKey, $dbSslClientCert, $dbSslCaCert, $dbSslCaPath, $dbSslCipherAlgos);
+		}
+
 		mysqli_real_connect($this->_iConnId, $this->dbHost, $this->dbUser, $this->dbPass, '', (int)$this->dbPort, NULL, $this->dbClientFlags);
 		for($try=0;(!is_object($this->_iConnId) || mysqli_connect_errno()) && $try < 5;++$try) {
 			sleep($try);
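Review bot: The `$conf['db_ssl_*']` values are never applied: the five new assignments store the config fallback into `$this->dbSsl*`, but the `!empty(...)` guard and the `mysqli_ssl_set()` call below it read the raw constructor parameters, so `new db()` with no arguments — the normal interface and server connection — always connects without TLS no matter what the config says, and the properties are dead. Change both lines to use the properties: `if (!empty($this->dbSslClientKey) || !empty($this->dbSslClientCert) || !empty($this->dbSslCaCert) || !empty($this->dbSslCaPath) || !empty($this->dbSslCipherAlgos)) {` and `mysqli_ssl_set($this->_iConnId, $this->dbSslClientKey, $this->dbSslClientCert, $this->dbSslCaCert, $this->dbSslCaPath, $this->dbSslCipherAlgos);`. A comment at the call should also say that only `dbSslCaCert`/`dbSslCaPath` give server authentication — a cipher list or client key/cert alone encrypts the link without pinning the server to anything this code knows — and that `mysqli_options($this->_iConnId, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true)` before `mysqli_real_connect()` is the explicit way to require verification, if the deployed mysqli build honours it. The constructor continues past the hunk; the identical hunk in server/lib/classes/db_mysql.inc.php has the same bug.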
@@ -662,15 +676,20 @@ class db
 		static $db=null;
 		if ( ! $db ) {
-			$clientdb_host = ($conf['db_host']) ? $conf['db_host'] : NULL;
-			$clientdb_user = ($conf['db_user']) ? $conf['db_user'] : NULL;
-			$clientdb_password = ($conf['db_password']) ? $conf['db_password'] : NULL;
-			$clientdb_port = ((int)$conf['db_port']) ? (int)$conf['db_port'] : NULL;
-			$clientdb_flags = ($conf['db_flags'] !== NULL) ? $conf['db_flags'] : NULL;
+			$clientdb_host = ($conf['db_host']) ? $conf['db_host'] : NULL;
+			$clientdb_user = ($conf['db_user']) ? $conf['db_user'] : NULL;
+			$clientdb_password = ($conf['db_password']) ? $conf['db_password'] : NULL;
+			$clientdb_port = ((int)$conf['db_port']) ? (int)$conf['db_port'] : NULL;
+			$clientdb_flags = ($conf['db_flags'] !== NULL) ? $conf['db_flags'] : NULL;
+			$clientdb_ssl_client_key = ($conf['db_ssl_client_key']) ? $conf['db_ssl_client_key'] : NULL;
+			$clientdb_ssl_client_cert = ($conf['db_ssl_client_cert']) ? $conf['db_ssl_client_cert'] : NULL;
+			$clientdb_ssl_ca_cert = ($conf['db_ssl_ca_cert']) ? $conf['db_ssl_ca_cert'] : NULL;
+			$clientdb_ssl_ca_path = ($conf['db_ssl_ca_path']) ? $conf['db_ssl_ca_path'] : NULL;
+			$clientdb_ssl_cipher_algos = ($conf['db_ssl_cipher_algos']) ? $conf['db_ssl_cipher_algos'] : NULL;
 			require_once 'lib/mysql_clientdb.conf';
-			$db = new db($clientdb_host, $clientdb_user, $clientdb_password, NULL, $clientdb_port, $clientdb_flags);
+			$db = new db($clientdb_host, $clientdb_user, $clientdb_password, NULL, $clientdb_port, $clientdb_flags, $clientdb_ssl_client_key, $clientdb_ssl_client_cert, $clientdb_ssl_ca_cert, $clientdb_ssl_ca_path, $clientdb_ssl_cipher_algos);
 		}
 		$result = $db->_query("SELECT SUM(data_length+index_length) FROM information_schema.TABLES WHERE table_schema='".$db->escape($database_name)."'");
diff --git a/interface/lib/config.inc.php b/interface/lib/config.inc.php
index c5d14d79cd..9c25fc94c6 100644
--- a/interface/lib/config.inc.php
+++ b/interface/lib/config.inc.php
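Review bot: Five of the `-`/`+` pairs at the top of this hunk appear to differ only in whitespace (the `$clientdb_*` realignment), which buries the two real changes and should be dropped from the commit. One of those re-emitted lines reads `$conf['db_flags']`, a key that no config file in this patch defines — both config hunks define `db_client_flags` — so `$clientdb_flags` is always NULL (with an undefined-index notice) and the constructor falls back to `$conf['db_client_flags']` on its own; since the line is being rewritten anyway, `$clientdb_flags = ($conf['db_client_flags'] !== NULL) ? $conf['db_client_flags'] : NULL;` would close that. The five new `$clientdb_ssl_*` ternaries are also worth a comment explaining why they exist, because they reproduce the constructor's own `$conf['db_ssl_*']` fallback verbatim and `lib/mysql_clientdb.conf` is required in between, so anything that file assigns to the same names silently wins over the config; if that override is intended it should be stated, and if not the values could simply be left for the constructor. The function starts outside the hunk; the identical hunk in server/lib/classes/db_mysql.inc.php has the same points.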
@@ -59,6 +59,11 @@ $conf['db_password'] = '';
 $conf['db_charset'] = 'utf8'; // same charset as html-charset - (HTML --> MYSQL: "utf-8" --> "utf8", "iso-8859-1" --> "latin1")
 $conf['db_new_link'] = false;
 $conf['db_client_flags'] = 0;
+$conf['db_ssl_client_key'] = null;
+$conf['db_ssl_client_cert'] = null;
+$conf['db_ssl_ca_cert'] = null;
+$conf['db_ssl_ca_path'] = null;
+$conf['db_ssl_cipher_algos'] = null;
 
 define('DB_TYPE', $conf['db_type']);
 define('DB_HOST', $conf['db_host']);
@@ -78,6 +83,11 @@ $conf['dbmaster_user'] = '{mysql_master_server_ispconfig_user}';
 $conf['dbmaster_password'] = '{mysql_master_server_ispconfig_password}';
 $conf['dbmaster_new_link'] = false;
 $conf['dbmaster_client_flags'] = 0;
+$conf['dbmaster_ssl_client_key'] = null;
+$conf['dbmaster_ssl_client_cert'] = null;
+$conf['dbmaster_ssl_ca_cert'] = null;
+$conf['dbmaster_ssl_ca_path'] = null;
+$conf['dbmaster_ssl_cipher_algos'] = null;
 
 
 //** Paths
diff --git a/server/lib/app.inc.php b/server/lib/app.inc.php
index e0e8c85db2..1f59d12fe6 100644
--- a/server/lib/app.inc.php
+++ b/server/lib/app.inc.php
@@ -60,7 +60,7 @@ class app {
 		if($conf['dbmaster_host'] != '' && ($conf['dbmaster_host'] != $conf['db_host'] || ($conf['dbmaster_host'] == $conf['db_host'] && $conf['dbmaster_database'] != $conf['db_database']))) {
 			try {
-				$this->dbmaster = new db($conf['dbmaster_host'], $conf['dbmaster_user'], $conf['dbmaster_password'], $conf['dbmaster_database'], $conf['dbmaster_port'], $conf['dbmaster_client_flags']);
+				$this->dbmaster = new db($conf['dbmaster_host'], $conf['dbmaster_user'], $conf['dbmaster_password'], $conf['dbmaster_database'], $conf['dbmaster_port'], $conf['dbmaster_client_flags'], $conf['dbmaster_ssl_client_key'], $conf['dbmaster_ssl_client_cert'], $conf['dbmaster_ssl_ca_cert'], $conf['dbmaster_ssl_ca_path'], $conf['dbmaster_ssl_cipher_algos']);
 			} catch (Exception $e) {
 				$this->dbmaster = false;
 			}
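Review bot: The new `db()` call in server/lib/app.inc.php reads five `$conf['dbmaster_ssl_*']` keys from the server-side config, but the patch adds those keys only to install/tpl/config.inc.php.master and interface/lib/config.inc.php; if server/lib/config.inc.php is a checked-in default like its interface counterpart, it needs the same five keys (and the `db_ssl_*` ones), otherwise every server run emits undefined-index notices and passes NULL. A comment on the call should also state what a NULL means for the master link, because the constructor substitutes the local `$conf['db_ssl_*']` value for any falsy SSL argument (`$this->dbSslCaCert = $dbSslCaCert ? $dbSslCaCert : $conf['db_ssl_ca_cert']`), so a master signed by a different CA than the local database must have all of its own `dbmaster_ssl_*` keys set rather than relying on the local ones; something like `// NULL SSL settings fall back to the local db_ssl_* values in the db constructor` at the call. The `catch (Exception $e)` that sets `$this->dbmaster = false` will also swallow a TLS handshake failure the same way as a bad password, which is worth a log line once TLS is in play. The enclosing method of class app starts and ends outside the hunk.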
diff --git a/server/lib/classes/db_mysql.inc.php b/server/lib/classes/db_mysql.inc.php
index 9b9d43b442..8f57297451 100644
--- a/server/lib/classes/db_mysql.inc.php
+++ b/server/lib/classes/db_mysql.inc.php
@@ -49,7 +49,12 @@ class db
 	private $dbUser = ''; // database authorized user
 	private $dbPass = ''; // user's password
 	private $dbCharset = 'utf8';// Database charset
-	private $dbClientFlags = 0; // MySQL Client falgs
+	private $dbClientFlags = 0; // MySQL Client flags
+	private $dbSslClientKey = null;
+	private $dbSslClientCert = null;
+	private $dbSslCaCert = null;
+	private $dbSslCaPath = null;
+	private $dbSslCipherAlgos = null;
 	/**#@-*/
 
 	public $show_error_messages = false; // false in server, interface sets true when generating templates
@@ -70,7 +75,7 @@ class db
 	 */
 
 	// constructor
-	public function __construct($host = NULL , $user = NULL, $pass = NULL, $database = NULL, $port = NULL, $flags = NULL) {
+	public function __construct($host = NULL , $user = NULL, $pass = NULL, $database = NULL, $port = NULL, $flags = NULL, $dbSslClientKey = NULL, $dbSslClientCert = NULL, $dbSslCaCert = NULL, $dbSslCaPath = NULL, $dbSslCipherAlgos = NULL) {
 		global $app, $conf;
 
 		$this->dbHost = $host ? $host : $conf['db_host'];
@@ -80,8 +85,17 @@ class db
 		$this->dbPass = $pass ? $pass : $conf['db_password'];
 		$this->dbCharset = $conf['db_charset'];
 		$this->dbClientFlags = ($flags !== NULL) ? $flags : $conf['db_client_flags'];
+		$this->dbSslClientKey = $dbSslClientKey ? $dbSslClientKey : $conf['db_ssl_client_key'];
+		$this->dbSslClientCert = $dbSslClientCert ? $dbSslClientCert : $conf['db_ssl_client_cert'];
+		$this->dbSslCaCert = $dbSslCaCert ? $dbSslCaCert : $conf['db_ssl_ca_cert'];
+		$this->dbSslCaPath = $dbSslCaPath ? $dbSslCaPath : $conf['db_ssl_ca_path'];
+		$this->dbSslCipherAlgos = $dbSslCipherAlgos ? $dbSslCipherAlgos : $conf['db_ssl_cipher_algos'];
 
 		$this->_iConnId = mysqli_init();
+		if (!empty($dbSslClientKey) || !empty($dbSslClientCert) || !empty($dbSslCaCert) || !empty($dbSslCaPath) || !empty($dbSslCipherAlgos)) {
+			mysqli_ssl_set($this->_iConnId, $dbSslClientKey, $dbSslClientCert, $dbSslCaCert, $dbSslCaPath, $dbSslCipherAlgos);
+		}
+
 		mysqli_real_connect($this->_iConnId, $this->dbHost, $this->dbUser, $this->dbPass, '', (int)$this->dbPort, NULL, $this->dbClientFlags);
 		for($try=0;(!is_object($this->_iConnId) || mysqli_connect_errno()) && $try < 5;++$try) {
 			sleep($try);
@@ -662,15 +676,20 @@ class db
 		static $db=null;
 		if ( ! $db ) {
-			$clientdb_host = ($conf['db_host']) ? $conf['db_host'] : NULL;
-			$clientdb_user = ($conf['db_user']) ? $conf['db_user'] : NULL;
-			$clientdb_password = ($conf['db_password']) ? $conf['db_password'] : NULL;
-			$clientdb_port = ((int)$conf['db_port']) ? (int)$conf['db_port'] : NULL;
-			$clientdb_flags = ($conf['db_flags'] !== NULL) ? $conf['db_flags'] : NULL;
+			$clientdb_host = ($conf['db_host']) ? $conf['db_host'] : NULL;
+			$clientdb_user = ($conf['db_user']) ? $conf['db_user'] : NULL;
+			$clientdb_password = ($conf['db_password']) ? $conf['db_password'] : NULL;
+			$clientdb_port = ((int)$conf['db_port']) ? (int)$conf['db_port'] : NULL;
+			$clientdb_flags = ($conf['db_flags'] !== NULL) ? $conf['db_flags'] : NULL;
+			$clientdb_ssl_client_key = ($conf['db_ssl_client_key']) ? $conf['db_ssl_client_key'] : NULL;
+			$clientdb_ssl_client_cert = ($conf['db_ssl_client_cert']) ? $conf['db_ssl_client_cert'] : NULL;
+			$clientdb_ssl_ca_cert = ($conf['db_ssl_ca_cert']) ? $conf['db_ssl_ca_cert'] : NULL;
+			$clientdb_ssl_ca_path = ($conf['db_ssl_ca_path']) ? $conf['db_ssl_ca_path'] : NULL;
+			$clientdb_ssl_cipher_algos = ($conf['db_ssl_cipher_algos']) ? $conf['db_ssl_cipher_algos'] : NULL;
 			require_once 'lib/mysql_clientdb.conf';
-			$db = new db($clientdb_host, $clientdb_user, $clientdb_password, NULL, $clientdb_port, $clientdb_flags);
+			$db = new db($clientdb_host, $clientdb_user, $clientdb_password, NULL, $clientdb_port, $clientdb_flags, $clientdb_ssl_client_key, $clientdb_ssl_client_cert, $clientdb_ssl_ca_cert, $clientdb_ssl_ca_path, $clientdb_ssl_cipher_algos);
 		}
 		$result = $db->_query("SELECT SUM(data_length+index_length) FROM information_schema.TABLES WHERE table_schema='".$db->escape($database_name)."'");
-- 
GitLab