fisharebest / webtrees

Online genealogy
https://webtrees.net
GNU General Public License v3.0

TLS encryption between database and webtrees #3571

Open SuperMasterPhoenix opened 3 years ago

SuperMasterPhoenix commented 3 years ago

I tried to encrypt the connection between Webtrees and the database - MariaDB in my case (https://mariadb.com/kb/en/securing-connections-for-client-and-server/). Unfortunately, Webtrees doesn't seem to allow any kind of additional options for the database configuration. Is it correct that it is currently not possible to enable TLS encryption to the database? As my database and the webserver are not running on the same host, this would be really nice to have.

fisharebest commented 3 years ago

This is pretty simple to implement - but I still haven't found time to set up a suitable test environment.

Are you able to test the latest dev code for me?

You'll need to manually create/edit data/config.ini.php and add entries for

dbkey=keyfile
dbcert=certfile
dbca=cafile
dbverify=0/1

The files should be in /data - or the filenames should be a relative path (e.g. ../../path/to/keyfile.pem).

SuperMasterPhoenix commented 3 years ago

Thanks for working on this. I'll try to test the changes this weekend.

fisharebest commented 2 years ago

Did you test this?

SuperMasterPhoenix commented 2 years ago

Sorry it took that long; I finally found the time to test the changes, and they work :-) Nevertheless, I would propose a small change. Currently, using a client certificate (two-way TLS) is mandatory: you have to set dbcert and dbkey. However, a valid configuration is also using only the CA certificate (one-way TLS) by setting only the config option dbca.

My quick-and-dirty change for testing both variants looks like this:

    // One-way TLS: a CA file alone is enough to encrypt the connection and,
    // depending on dbverify, check the server certificate against that CA.
    if ($dbca !== '') {
        $options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = $dbverify;
        $options[PDO::MYSQL_ATTR_SSL_CA]                 = Webtrees::ROOT_DIR . 'data/' . $dbca;
    }
    // Two-way TLS: the client certificate and key are only added when all three files are set.
    if ($dbkey !== '' && $dbcert !== '' && $dbca !== '') {
        $options[PDO::MYSQL_ATTR_SSL_KEY]                = Webtrees::ROOT_DIR . 'data/' . $dbkey;
        $options[PDO::MYSQL_ATTR_SSL_CERT]               = Webtrees::ROOT_DIR . 'data/' . $dbcert;
    }

Btw: I could not test the verify option; if I remember correctly, the DB certificate was a self-signed one ;-)
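
The config keys from the earlier comment (dbca, dbcert, dbkey, dbverify) and the one-way/two-way TLS distinction above, as an added example that is not code from the thread or from webtrees itself; `$root_dir` stands in for `Webtrees::ROOT_DIR` and the file names are constructed.

```php
<?php
declare(strict_types=1);

// Build PDO driver options for a MySQL/MariaDB TLS connection from the
// data/config.ini.php keys discussed in this thread.
// $root_dir is an assumption of this example (it plays the role of Webtrees::ROOT_DIR).
function tlsDriverOptions(array $config, string $root_dir): array
{
    $data_dir = rtrim($root_dir, '/') . '/data/';
    $ca   = $config['dbca']   ?? '';
    $cert = $config['dbcert'] ?? '';
    $key  = $config['dbkey']  ?? '';

    // No CA configured: plain connection, exactly as before these options existed.
    if ($ca === '') {
        return [];
    }

    // One-way TLS: the client checks the server certificate against the CA file.
    // dbverify=0 keeps the channel encrypted but skips the certificate check, so a
    // self-signed server certificate is better handled by supplying it as dbca and
    // leaving dbverify=1. The ini value arrives as a string, hence the (bool) cast.
    $options = [
        PDO::MYSQL_ATTR_SSL_CA                 => $data_dir . $ca,
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => (bool) ($config['dbverify'] ?? 1),
    ];

    // Two-way (mutual) TLS: the client also presents its own certificate and key.
    // They must come together; a cert without its key (or vice versa) is a
    // misconfiguration, so fail loudly rather than silently fall back to one-way TLS.
    if ($cert !== '' || $key !== '') {
        if ($cert === '' || $key === '') {
            throw new InvalidArgumentException('dbcert and dbkey must both be set for two-way TLS');
        }
        $options[PDO::MYSQL_ATTR_SSL_CERT] = $data_dir . $cert;
        $options[PDO::MYSQL_ATTR_SSL_KEY]  = $data_dir . $key;
    }

    return $options;
}

// Constructed usage: one-way TLS with verification on, and mutual TLS with a client keypair.
$one_way = tlsDriverOptions(['dbca' => 'ca.pem', 'dbverify' => '1'], __DIR__);
$mutual  = tlsDriverOptions(
    ['dbca' => 'ca.pem', 'dbcert' => 'client-cert.pem', 'dbkey' => 'client-key.pem'],
    __DIR__
);
var_export($one_way);
var_export($mutual);
// Pass the array as the fourth argument of new PDO(...) to apply it to the connection.
```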

fisharebest commented 2 years ago

Closed in 8447ecc48455c5fa8759225f11de90fd20ad71ba