Support requiring SSL, and verifying CA, for MySQL #703
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MatthiasKunnen
force-pushed
the
mysql-ca-ssl
branch
from
754c8c0 to
42ff300
Compare
MatthiasKunnen
force-pushed
the
mysql-ca-ssl
branch
from
42ff300 to
2a97f3e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for requiring a secure connection and man-in-the-middle protection in the form of the
DBMATE_MYSQL_SSL_MODEandDBMATE_MYSQL_CA_PATHparameter.DBMATE_MYSQL_SSL_MODEis an implementation of https://dev.mysql.com/doc/refman/8.4/en/connection-options.html#option_general_ssl-modeDBMATE_MYSQL_CA_PATHimplements https://dev.mysql.com/doc/refman/8.4/en/connection-options.html#option_general_ssl-caThis PR will also fix tests failing on the main branch due to certificate verification problems.
Important caveat, the CLI parameter
--ssl-modeused for mysqldump is not present in mariadb dump. If there is a way to detect whether mariadb-dump is used, I could change the parameters accordingly but there does not seem to be a distinction at the moment. Suggestions welcome.I'll refrain from further work until there is some feedback on the approach and whether there is interest in this change.
Todo: