Open SuperMasterPhoenix opened 3 years ago
This is pretty simple to implement - but I still haven't found time to set up a suitable test environment.
Are you able to test the latest dev code for me?
You'll need to manually create/edit data/config.ini.php and add entries for

```
dbkey=keyfile
dbcert=certfile
dbca=cafile
dbverify=0/1
```

The files should be in /data - or the filenames should be a relative path (e.g. ../../path/to/keyfile.pem).
Thanks for working on this. I'll try to test the changes this weekend.
Did you test this?
Sorry it took that long, I finally found the time to test the changes and they work :-)
Nevertheless I would propose a small change. Currently using a client certificate (two-way TLS) is mandatory: you have to set `dbcert` and `dbkey`. However, a valid configuration is also using only the CA certificate (one-way TLS) by setting only the config option `dbca`.
My quick-and-dirty change for testing both variants looks like this:
```php
// One-way TLS: a CA file alone is enough for the client to verify the server.
if ($dbca !== '') {
    $options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = $dbverify;
    $options[PDO::MYSQL_ATTR_SSL_CA] = Webtrees::ROOT_DIR . 'data/' . $dbca;
}
// Two-way TLS: additionally present a client key/certificate pair to the server.
if ($dbkey !== '' && $dbcert !== '' && $dbca !== '') {
    $options[PDO::MYSQL_ATTR_SSL_KEY] = Webtrees::ROOT_DIR . 'data/' . $dbkey;
    $options[PDO::MYSQL_ATTR_SSL_CERT] = Webtrees::ROOT_DIR . 'data/' . $dbcert;
}
```
Btw: I could not test the verify option; if I remember correctly, the DB certificate was a self-signed one ;-)
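To make the two configurations discussed above concrete (the `dbkey`/`dbcert`/`dbca`/`dbverify` entries described in the earlier comment, and the one-way/two-way branching in the posted change), here is an added, stand-alone example. It is not webtrees' own code: the function names, the temporary data directory, the placeholder file names and the INI fragment are all constructed for illustration, and it only builds the PDO options array rather than connecting. It requires the pdo_mysql extension for the `PDO::MYSQL_ATTR_SSL_*` constants.

```php
<?php
declare(strict_types=1);

// Added example (not webtrees' own code): build the PDO driver options for a
// TLS-protected MySQL/MariaDB connection from dbca/dbcert/dbkey/dbverify.
// All paths and file names below are assumptions made for the demo.

/**
 * Resolve a file named in the config relative to the data directory and
 * fail early with a clear message instead of an opaque connect error.
 */
function resolveTlsFile(string $dataDir, string $name): string
{
    $path = rtrim($dataDir, '/') . '/' . $name;
    if (!is_readable($path)) {
        throw new RuntimeException("TLS file not readable: {$path}");
    }
    return $path;
}

/**
 * Build the options array for new PDO(...):
 *   dbca only              -> one-way TLS (client verifies the server against the CA)
 *   dbca + dbkey + dbcert  -> two-way TLS (server additionally verifies the client)
 *   nothing                -> no TLS options, plain connection
 */
function buildPdoTlsOptions(array $cfg, string $dataDir): array
{
    $dbca   = trim((string) ($cfg['dbca']   ?? ''));
    $dbkey  = trim((string) ($cfg['dbkey']  ?? ''));
    $dbcert = trim((string) ($cfg['dbcert'] ?? ''));
    // Verify the server certificate unless dbverify is explicitly 0.
    $dbverify = (string) ($cfg['dbverify'] ?? '1') !== '0';

    $options = [];
    if ($dbca === '') {
        // Presenting a client certificate to a server we cannot verify is
        // almost certainly a misconfiguration, so reject it rather than ignore it.
        if ($dbkey !== '' || $dbcert !== '') {
            throw new InvalidArgumentException('dbkey/dbcert require dbca to be set');
        }
        return $options;
    }

    $options[PDO::MYSQL_ATTR_SSL_CA] = resolveTlsFile($dataDir, $dbca);
    // dbverify=0 still encrypts, but the client then accepts any server
    // certificate, so the peer is not authenticated (an active attacker
    // on the path could impersonate the database).
    $options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = $dbverify;

    // A client key and certificate only make sense as a pair.
    if (($dbkey === '') !== ($dbcert === '')) {
        throw new InvalidArgumentException('dbkey and dbcert must be set together');
    }
    if ($dbkey !== '') {
        $options[PDO::MYSQL_ATTR_SSL_KEY]  = resolveTlsFile($dataDir, $dbkey);
        $options[PDO::MYSQL_ATTR_SSL_CERT] = resolveTlsFile($dataDir, $dbcert);
    }
    return $options;
}

// --- Demo with a constructed config and empty placeholder files -------------
$dataDir = sys_get_temp_dir() . '/webtrees-tls-demo';
if (!is_dir($dataDir)) {
    mkdir($dataDir);
}
foreach (['ca.pem', 'client-cert.pem', 'client-key.pem'] as $f) {
    touch("{$dataDir}/{$f}");   // placeholders only; real PEM files go here
}

// Constructed INI fragment using the entry names from this issue.
$ini = <<<'INI'
dbca=ca.pem
dbcert=client-cert.pem
dbkey=client-key.pem
dbverify=1
INI;
$cfg = parse_ini_string($ini);

$options = buildPdoTlsOptions($cfg, $dataDir);
var_export($options);
// Then: new PDO('mysql:host=db.example;dbname=webtrees', $user, $pass, $options);
```

Removing the `dbcert`/`dbkey` lines from the fragment yields the one-way configuration the second comment asks for. Regarding the self-signed case mentioned above: a self-signed server certificate is its own issuer, so it can be used directly as the `dbca` file with `dbverify=1`; setting `dbverify=0` instead keeps the traffic encrypted but gives up server authentication.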
Closed in 8447ecc48455c5fa8759225f11de90fd20ad71ba
I tried to encrypt the connection between Webtrees and the database - MariaDB in my case (https://mariadb.com/kb/en/securing-connections-for-client-and-server/). Unfortunately Webtrees doesn't seem to allow any kind of additional options for the database configuration. Is it correct that it is currently not possible to enable TLS encryption to the database? As my database and the webserver are not running on the same host, this would be really nice to have.