google-code-export / mysql-cacti-templates

Automatically exported from code.google.com/p/mysql-cacti-templates
GNU General Public License v2.0

Request to add SSL to MySQL Connect for cacti #103

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What version of the product are you using? On what operating system?
better-cacti-templates-1.1.5, CentOS 5

Please provide any additional information below.
I'd like to connect to MySQL over ssl. Would you consider adding the
necessary client variables for cert, etc. to handle this? The minimum items
needed for command line mysql are:
--ssl=TRUE|FALSE
--ssl-ca=<PATH>
--ssl-cert=<PATH>
--ssl-key=<PATH>

Or perhaps allow a mysql defaults file to be specified?

Thanks,

Jeff

Original issue reported on code.google.com by bikes...@gmail.com on 16 Dec 2009 at 12:20

GoogleCodeExporter commented 9 years ago
I looked into this a bit. It turns out you have to use php's mysqli (mysql improved) to get ssl to work. mysqli seems to be included by default in the distros, but it's buggy in the default CentOS 5 version, so it has to be upgraded to 5.2x (or at least beyond php-5.1.6) to work. Other than that, it's pretty simple if you already had ssl working.

This is pretty rough. I'm sure you can make it look much better ;)

In three easy changes!
1) Add an item for an external mysql style cnf file
2) Change the connection string to use mysqli.
3) Change the query wrapper to use mysqli too.

Here's the diff:
diff ss_get_mysql_stats.php ss_get_mysql_stats.php.bak
42d41
< $mysql_ssl_cnf = 'myssl.cnf'; # MySQL style cnf file with SSL items filled in.
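Review bot: `$mysql_ssl_cnf = 'myssl.cnf'` on the added line is a relative path, so which file is read depends on the working directory of whatever process runs the script. Use an absolute path here, and note that the sample file further down is called ssl.cnf rather than myssl.cnf, so the default and the documentation should agree on one name.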
248,256c247,250
<   $conn = mysqli_init();
<                 if (!$conn) {
<                 die('mysqli_init failed');
<                 }
<   mysqli_options($conn,MYSQLI_READ_DEFAULT_FILE,'$mysql_ssl_cnf'); 
<         if (!mysqli_real_connect($conn, $host_str, $user, $pass, '')) {
<         die('Connect Error (' . mysqli_connect_errno() . ') '
<                 . mysqli_connect_error());
<         }
---
>    $conn = @mysql_connect($host_str, $user, $pass);
>    if ( !$conn ) {
>       die("MySQL: " . mysql_error());
>    }
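Review bot: In `mysqli_options($conn,MYSQLI_READ_DEFAULT_FILE,'$mysql_ssl_cnf');` the single quotes stop PHP from expanding the variable, so the literal file name `$mysql_ssl_cnf` is passed and the SSL settings in the cnf file are never loaded. Pass `$mysql_ssl_cnf` without quotes and check the return value of `mysqli_options`. Nothing in this hunk confirms that the session ended up encrypted, so an unread cnf file leaves the connection in plaintext with no error; a check of `Ssl_cipher` right after `mysqli_real_connect`, with a `die` when it is empty, would catch that.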
1050c1044
<    $result = mysqli_query($conn, $sql);
---
>    $result = @mysql_query($sql, $conn);
1052c1046
<       $error = mysqli_error($conn);
---
>       $error = @mysql_error($conn);
1059c1053
<    while ( $row = mysqli_fetch_array($result) ) {
---
>    while ( $row = @mysql_fetch_array($result) ) {

Example ssl.cnf:
[client]
ssl-cert=/var/www/cacti/scripts/tls/cert.pem
ssl-key=/var/www/cacti/scripts/tls/key.pem
ssl-ca=/var/www/cacti/scripts/tls/cacert.pem

Here are some things that I'd like to add but don't know how.
1) Re-use the connection. It seems to open three connections over the course of the stats gathering queries.
2) Check for mysqli and fall back to mysql if not available

Let me know what you think.

Jeff

Original comment by bikes...@gmail.com on 16 Dec 2009 at 11:06

GoogleCodeExporter commented 9 years ago
Jeff, I'm a little hesitant to add this as it is, because I think it'll add complexity and possibly add bugs that wouldn't turn up until the next release. Alas, this would be hard to test :-( From what I see, we would need to do at least the following:

- add a command-line option and config variable for --use-ssl
- add a command-line option for the ssl-conf file
- add a command-line option and config variable for mysql vs mysqli
- add an if/then to open either a mysql or mysqli connection
- add/update wiki documentation

I've added you as an SVN committer, so if you would like to make and commit those changes that'd be great.

Original comment by baron.schwartz on 25 Dec 2009 at 10:33

GoogleCodeExporter commented 9 years ago
This works out of the box in CentOS 5.2:

mysql_connect($server, $user, $pass, false, MYSQL_CLIENT_SSL)

I've been doing it for a while without question so I verified with tcpdump and SHOW STATUS LIKE 'Ssl_cipher';. The only configuration was my.cnf on the server:

+   ssl-ca=/etc/mysql/ca-cert.pem
+   ssl-cert=/etc/mysql/server-cert.pem
+   ssl-key=/etc/mysql/server-key.pem

I'm sure I haven't touched php.ini on the client.

Original comment by AndrewHa...@gmail.com on 28 Dec 2009 at 1:41
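
The `Ssl_cipher` verification mentioned in the comment above, turned into a runtime check, as an added example that is not part of the thread or the project's code: it connects with mysqli and refuses to continue when the session is not encrypted. The function names `ssl_cipher_of` and `connect_encrypted` are hypothetical, the certificate paths are the ones from the example ssl.cnf earlier in the thread, and `mysqli_ssl_set` is used in place of the options file from the patch.

```php
<?php
// Added example; not code from ss_get_mysql_stats.php. Function names are
// hypothetical; certificate paths are those in the thread's example ssl.cnf.

mysqli_report(MYSQLI_REPORT_OFF); // return false on errors, as the checks below expect

/** Cipher from a SHOW STATUS LIKE 'Ssl_cipher' row; '' means the session is plaintext. */
function ssl_cipher_of($row) {
    return (is_array($row) && isset($row[1])) ? (string)$row[1] : '';
}

/** Open a mysqli connection with client cert and CA, and fail closed without TLS. */
function connect_encrypted($host, $user, $pass, $port = 3306) {
    $tls = '/var/www/cacti/scripts/tls';
    $conn = mysqli_init();
    if (!$conn) {
        throw new RuntimeException('mysqli_init failed');
    }
    // Explicit paths instead of the patch's options file (a swap made for this example).
    mysqli_ssl_set($conn, "$tls/key.pem", "$tls/cert.pem", "$tls/cacert.pem", null, null);
    if (!mysqli_real_connect($conn, $host, $user, $pass, null, $port, null, MYSQLI_CLIENT_SSL)) {
        throw new RuntimeException('Connect error (' . mysqli_connect_errno() . ') '
            . mysqli_connect_error());
    }
    // Ask the server which cipher this session negotiated.
    $res = mysqli_query($conn, "SHOW STATUS LIKE 'Ssl_cipher'");
    $cipher = ssl_cipher_of($res ? mysqli_fetch_row($res) : null);
    if ($cipher === '') {
        mysqli_close($conn);
        throw new RuntimeException('MySQL session is not encrypted; refusing to send queries');
    }
    return $conn;
}

// Offline demonstration on constructed status rows (no server needed).
$samples = array(
    'TLS negotiated' => array('Ssl_cipher', 'DHE-RSA-AES256-SHA'),
    'plaintext'      => array('Ssl_cipher', ''),
    'query failed'   => null,
);
foreach ($samples as $label => $row) {
    printf("%-15s => %s\n", $label, ssl_cipher_of($row) === '' ? 'REJECT' : 'accept');
}
```

A failed status query is treated the same as an empty cipher, so the stats script stops instead of polling over a connection whose encryption state is unknown.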

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r452.

Original comment by baron.schwartz on 21 Mar 2010 at 3:58

GoogleCodeExporter commented 9 years ago
I've adopted the solution suggested in comment 3, with absolutely no testing.

Original comment by baron.schwartz on 21 Mar 2010 at 3:59