paurkedal / ocaml-caqti

Cooperative-threaded access to relational data
https://paurkedal.github.io/ocaml-caqti/index.html
GNU Lesser General Public License v3.0

SSL/TLS Support #86

Closed davisuga closed 2 years ago

davisuga commented 2 years ago

I'm getting the following error while trying to connect to my mariadb server: Failed to connect to : Error 1105, unknown error: Code: UNAVAILABLE\nserver does not allow insecure connections, client must use SSL/TLS\n.")

Does Caqti support SSL/TLS? If yes, how do I configure it?

paurkedal commented 2 years ago

The MariaDB library will normally use TLS if available, however there are some TLS options which are currently not supported by Caqti. This involves the path to trusted CA certificates and ciphers, which are thus restricted to the defaults. I'm not sure what is the case, but if the server is using a self-signed or locally signed certificate, it may therefore need to be included in the system default CAs. Also libmariadb can be compiled without a TLS library, but that's unlikely if shipped by a distribution.

It would be good in any case to support the MariaDB TLS options (somehow, since it seems inappropriate to pass the CA path as a URL parameter, which is the only means currently of configuring a connection).

davisuga commented 2 years ago

Got it, thanks for the response. I'm using PlanetScale for hosting, will check if there is a way to disable this option.

davisuga commented 2 years ago

I ended up using ocaml-mariadb :/

paurkedal commented 2 years ago

Caqti is using ocaml-mariadb when talking to a MariaDB or MySQL server, so I assume you passed some options to make it work? It would be good to know which options you needed, so that I can add support for them.

davisuga commented 2 years ago

Yes, I'm using ~options:[ Ssl_ca "/etc/ssl/certs/ca-certificates.crt" ]
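The option above, spelled out as a complete ocaml-mariadb connection. This is an added example, not code from the thread or from the ocaml-caqti or ocaml-mariadb projects: it assumes `Mariadb.Blocking.connect` takes `?options:client_option list` and returns a `(t, int * string) result`, that `Mariadb.Blocking.close` exists, and that `Ssl_verify_server_cert` is a `client_option` constructor alongside the `Ssl_ca` shown in the comment. The host, user, database and the `DB_PASSWORD` variable are constructed placeholders.

```ocaml
(* Added example; assumes the ocaml-mariadb API described in the lead-in.
   Host, user and database names are placeholders. *)

module M = Mariadb.Blocking

(* CA bundle path taken from the comment above. *)
let ca_bundle = "/etc/ssl/certs/ca-certificates.crt"

let password_from_env () =
  match Sys.getenv_opt "DB_PASSWORD" with
  | Some p -> p
  | None -> failwith "DB_PASSWORD is not set"

let connect_with_tls () =
  M.connect
    ~host:"db.example.invalid"       (* placeholder *)
    ~port:3306
    ~user:"app"                      (* placeholder *)
    ~pass:(password_from_env ())     (* keep credentials out of source *)
    ~db:"appdb"                      (* placeholder *)
    ~options:[
      (* Trust anchors the server certificate must chain to. *)
      M.Ssl_ca ca_bundle;
      (* Ask the client library to actually verify the server certificate
         against ca_bundle. Supplying a CA file alone does not guarantee
         verification on older MariaDB Connector/C versions, so set it
         explicitly rather than relying on the library default. *)
      M.Ssl_verify_server_cert true;
    ]
    ()

let () =
  match connect_with_tls () with
  | Ok conn ->
    print_endline "connected over TLS";
    M.close conn
  | Error (code, msg) ->
    Printf.eprintf "connect failed: %d %s\n" code msg;
    exit 1
```

With a server that rejects insecure connections, as in the first comment, the `Error` branch is where the original "client must use SSL/TLS" message surfaces; with a self-signed or privately issued server certificate, `Ssl_ca` has to point at a bundle that contains that issuer, otherwise verification fails the same way.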

paurkedal commented 2 years ago

That makes sense. Thanks!

paurkedal commented 2 years ago

I just pushed a change which makes Caqti load settings from the default MariaDB configuration file from a section [caqti] (by default, can be adjusted with a URL parameter). That should make it possible to set TLS parameters, as long as the options file can be used. I haven't planned the next release yet, but if this is useful I can make a release on request.
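What the options-file route could look like for the case in this thread. This is an added fragment, not from the Caqti project: it assumes the file is one of the standard MariaDB client option files (for example `~/.my.cnf`), that Caqti reads the `[caqti]` group as described in the comment above, and that the standard MariaDB client option names `ssl-ca` and `ssl-verify-server-cert` apply. The URL parameter that selects a different group is not named in the thread, so the default group is used.

```ini
# Added example, not part of Caqti. Group name follows the comment above;
# option names are the standard MariaDB client options (assumed to apply).
[caqti]
# Trust anchors for the server certificate (path from the thread).
ssl-ca=/etc/ssl/certs/ca-certificates.crt
# Fail the connection if the server certificate does not verify against ssl-ca.
ssl-verify-server-cert=1
```

Because the same file can also carry `user` and `password` entries, keep it readable only by the account running the application (mode 0600), and prefer the CA file over `ssl-capath` unless the directory has been hashed for the TLS library in use.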