From 84e48d03238ce2446e7ea24401bda0a8f4e4422d Mon Sep 17 00:00:00 2001
From: Dimitris Kamenopoulos
Date: Sun, 27 Dec 2015 16:01:43 +1300
Subject: [PATCH] Bug 15427 : Enable TLS support for MySQL

In summary, changes are:
1) If you have chosen MySQL, Makefile.PL will ask you if you want TLS (default: "no"), and then the locations for CA cert, client cert and client key (reasonable defaults are provided). Settings , , and are added in koha-conf.xml
2) If yes in koha-conf.xml, the installer and database connection scripts add the TLS options in both DBI connection strings and mysql command line

To test
1/ Apply patch
2/ Check everything still works and db connections are the same as before
3/ Either run Makefile.PL and step through the options or edit your koha-conf.xml to enable TLS
4/ Check db connections are still working

Patch provided to me by Dimitris Kamenopoulos and I reformatted it into a git patch, any errors are probably mine

Signed-off-by: Mirko Tietgen
Signed-off-by: Jonathan Druart
Signed-off-by: Kyle M Hall
---
 C4/Installer.pm | 12 ++++++++++--
 Koha/Database.pm | 12 +++++++++++-
 Makefile.PL | 26 ++++++++++++++++++++++++++
 etc/koha-conf.xml | 4 ++++
 installer/install.pl | 15 +++++++++++++--
 rewrite-config.PL | 6 +++++-
 6 files changed, 69 insertions(+), 6 deletions(-)

diff --git a/C4/Installer.pm b/C4/Installer.pm
index bd1b150b42..e8692a1afa 100644
--- a/C4/Installer.pm
+++ b/C4/Installer.pm
@@ -75,8 +75,17 @@ sub new {
     $self->{'port'} = C4::Context->config("port");
     $self->{'user'} = C4::Context->config("user");
     $self->{'password'} = C4::Context->config("pass");
+    $self->{'tls'} = C4::Context->config("tls");
+    if ($self->{'tls'} eq 'yes'){
+        $self->{'ca'} = C4::Context->config('ca');
+        $self->{'cert'} = C4::Context->config('cert');
+        $self->{'key'} = C4::Context->config('key');
+        $self->{'tlsoptions'} = ";mysql_ssl=1;mysql_ssl_client_key=".$self->{key}.";mysql_ssl_client_cert=".$self->{cert}.";mysql_ssl_ca_file=".$self->{ca};
+        $self->{'tlscmdline'} = " --ssl-cert ". $self->{cert} . " --ssl-key " . $self->{key} . " --ssl-ca ".$self->{ca}." "
+    }
     $self->{'dbh'} = DBI->connect("DBI:$self->{dbms}:dbname=$self->{dbname};host=$self->{hostname}" .
-        ( $self->{port} ? ";port=$self->{port}" : "" ),
+        ( $self->{port} ? ";port=$self->{port}" : "" ).
+        ( $self->{tlsoptions} ? $self->{tlsoptions} : ""),
         $self->{'user'}, $self->{'password'});
     $self->{'language'} = undef;
     $self->{'marcflavour'} = undef;
@@ -454,7 +463,6 @@ sub load_sql {
         if( $dup_stderr ) {
             warn "C4::Installer::load_sql returned the following errors while attempting to load $filename:\n";
             $error = $dup_stderr;
-
         }
         return $error;
 
diff --git a/Koha/Database.pm b/Koha/Database.pm
index 6f72559b6b..c5b2b73b8a 100644
--- a/Koha/Database.pm
+++ b/Koha/Database.pm
@@ -58,6 +58,16 @@ sub _new_schema {
     my $db_port = $context->config("port") || '';
     my $db_user = $context->config("user");
     my $db_passwd = $context->config("pass");
+    my $tls = $context->config("tls");
+    my $tls_options;
+    if ($tls eq 'yes'){
+        my $ca = $context->config('ca');
+        my $cert = $context->config('cert');
+        my $key = $context->config('key');
+        $tls_options = ";mysql_ssl=1;mysql_ssl_client_key=".$key.";mysql_ssl_client_cert=".$cert.";mysql_ssl_ca_file=".$ca;
+    }
+
+
     my ( %encoding_attr, $encoding_query, $tz_query );
     my $tz = $ENV{TZ};
 
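Review bot: `if ($self->{'tls'} eq 'yes'){` compares an undefined value whenever koha-conf.xml has no tls element, which is every existing installation until its config is regenerated, so `use warnings` reports "Use of uninitialized value" on each `C4::Installer->new`; the same test recurs in Koha::Database::_new_schema and in both installer/install.pl hunks. `if ( ( $self->{'tls'} // '' ) eq 'yes' ) {` avoids that, and since the identical `;mysql_ssl=1;mysql_ssl_client_key=...` fragment is assembled by hand in three files, one shared helper next to `C4::Context->config` would keep the option list from drifting. Separately, `mysql_ssl=1` plus `mysql_ssl_ca_file` does not by itself make every DBD::mysql version verify the server certificate, so adding `mysql_ssl_verify_server_cert=1` to the fragment is what makes the collected CA file actually reject an untrusted server. `tlscmdline` also embeds the three paths unquoted, so wherever it is interpolated into a mysql shell command (its consumer is outside this hunk) a path containing whitespace will split; passing `--ssl-ca`, `$self->{ca}`, etc. as separate list arguments to system() or open() is the safer shape.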
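Review bot: `my $tls_options;` is left undefined on the non-TLS path, which is why the dsn line in the following hunk needs `($tls_options? $tls_options : "")`; declaring it as `my $tls_options = '';` lets the dsn concatenate it directly and removes the ternary. The two blank lines added after the closing brace are stray whitespace and should go.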
@@ -72,7 +82,7 @@ sub _new_schema {
     }
     my $schema = Koha::Schema->connect(
         {
-            dsn => "dbi:$db_driver:database=$db_name;host=$db_host;port=$db_port",
+            dsn => "dbi:$db_driver:database=$db_name;host=$db_host;port=$db_port".($tls_options? $tls_options : ""),
             user => $db_user,
             password => $db_passwd,
             %encoding_attr,
diff --git a/Makefile.PL b/Makefile.PL
index 594b691e69..b9b4918689 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -456,6 +456,10 @@ my %config_defaults = (
     'DB_NAME' => 'koha',
     'DB_USER' => 'kohaadmin',
     'DB_PASS' => 'katikoan',
+    'DB_USE_TLS' => 'no',
+    'DB_TLS_CA_CERTIFICATE' => '/etc/mysql-ssl/server-ca.pem',
+    'DB_TLS_CLIENT_CERTIFICATE' => '/etc/mysql-ssl/client-cert.pem',
+    'DB_TLS_CLIENT_KEY' => '/etc/mysql-ssl/client-key.pem',
     'INSTALL_SRU' => 'yes',
     'INSTALL_PAZPAR2' => 'no',
     'AUTH_INDEX_MODE' => 'dom',
@@ -502,6 +506,7 @@ else {
 my %valid_config_values = (
     'INSTALL_MODE' => { 'standard' => 1, 'single' => 1, 'dev' => 1 },
     'DB_TYPE' => { 'mysql' => 1, 'Pg' => 1 },
+    'DB_USE_TLS' => {'yes', 'no'},
     'INSTALL_SRU' => { 'yes' => 1, 'no' => 1 },
     'AUTH_INDEX_MODE' => { 'grs1' => 1, 'dom' => 1 },
     'BIB_INDEX_MODE' => { 'grs1' => 1, 'dom' => 1 },
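Review bot: `'DB_USE_TLS' => {'yes', 'no'},` builds the hash `{ yes => 'no' }`, a single key with the value 'no', rather than the two-member set that every neighbouring entry such as `'INSTALL_SRU' => { 'yes' => 1, 'no' => 1 }` spells out. If `_get_value` validates the answer by looking it up as a key in this hash (its body is outside the hunk), the default answer 'no' has no key and is rejected while only 'yes' is accepted, which would silently push installers toward enabling TLS with the sample paths. The line should read `'DB_USE_TLS' => { 'yes' => 1, 'no' => 1 },`.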
@@ -1032,6 +1037,27 @@ DMBS);
 Please specify the name of the database to be used by Koha);
     $config{'DB_NAME'} = _get_value('DB_NAME', $msg, $defaults->{'DB_NAME'}, $valid_values, $install_log_values);
 
+    if ($config{'DB_TYPE'} eq 'mysql'){
+        $msg = q(
+Please specify whether the connection to MySQL will use TLS
+    );
+        $config{'DB_USE_TLS'} = _get_value('DB_USE_TLS', $msg, $defaults->{'DB_USE_TLS'}, $valid_values, $install_log_values);
+    }
+    if ($config{'DB_USE_TLS'} eq 'yes'){
+        $msg = q(
+Please enter the path to the CA certificate for TLS
+    );
+        $config{'DB_TLS_CA_CERTIFICATE'} = _get_value('DB_TLS_CA_CERTIFICATE', $msg, $defaults->{'DB_TLS_CA_CERTIFICATE'}, $valid_values, $install_log_values);
+
+        $msg = q(
+Please enter the path to the client certificate for TLS
+    );
+        $config{'DB_TLS_CLIENT_CERTIFICATE'} = _get_value('DB_TLS_CLIENT_CERTIFICATE', $msg, $defaults->{'DB_TLS_CLIENT_CERTIFICATE'}, $valid_values, $install_log_values);
+        $msg = q(
+Please enter the path to the client key for TLS
+    );
+        $config{'DB_TLS_CLIENT_KEY'} = _get_value('DB_TLS_CLIENT_KEY', $msg, $defaults->{'DB_TLS_CLIENT_KEY'}, $valid_values, $install_log_values);
+    }
     $msg = q(
 Please specify the user that owns the database to be
 
diff --git a/etc/koha-conf.xml b/etc/koha-conf.xml
index 1e5c7997c8..4ccee3a4a1 100644
--- a/etc/koha-conf.xml
+++ b/etc/koha-conf.xml
@@ -82,6 +82,10 @@ __PAZPAR2_TOGGLE_XML_POST__
 __DB_PORT__
 __DB_USER__
 __DB_PASS__
+__DB_USE_TLS__
+__DB_TLS_CA_CERTIFICATE__
+__DB_TLS_CLIENT_CERTIFICATE__
+__DB_TLS_CLIENT_KEY__
 biblios
 1
 authorities
diff --git a/installer/install.pl b/installer/install.pl
index 10b642292a..fdeef0c2e4 100755
--- a/installer/install.pl
+++ b/installer/install.pl
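Review bot: The three certificate paths are accepted from the prompt as-is, so a mistyped path is only discovered when the first DBI connect fails, by which point the installer and every Koha script are already unable to reach the database; checking `-r $config{'DB_TLS_CA_CERTIFICATE'}` (and likewise the client cert and key) right after each `_get_value` and warning or re-prompting would surface it while Makefile.PL is still running. Also, `if ($config{'DB_USE_TLS'} eq 'yes'){` runs for every DB_TYPE, but `$config{'DB_USE_TLS'}` is only assigned inside the preceding `if ($config{'DB_TYPE'} eq 'mysql'){` block, so unless %config is seeded from %config_defaults earlier (not visible here) a Pg install compares undef and warns; making the second block an `elsif` of the mysql branch, or writing `( $config{'DB_USE_TLS'} // 'no' ) eq 'yes'`, avoids that. The enclosing sub starts and ends outside this hunk.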
@@ -48,9 +48,19 @@ $info{'hostname'} = C4::Context->config("hostname");
 $info{'port'} = C4::Context->config("port");
 $info{'user'} = C4::Context->config("user");
 $info{'password'} = C4::Context->config("pass");
+$info{'tls'} = C4::Context->config("tls");
+    if ($info{'tls'} eq 'yes'){
+        $info{'ca'} = C4::Context->config('ca');
+        $info{'cert'} = C4::Context->config('cert');
+        $info{'key'} = C4::Context->config('key');
+        $info{'tlsoptions'} = ";mysql_ssl=1;mysql_ssl_client_key=".$info{key}.";mysql_ssl_client_cert=".$info{cert}.";mysql_ssl_ca_file=".$info{ca};
+        $info{'tlscmdline'} = " --ssl-cert ". $info{cert} . " --ssl-key " . $info{key} . " --ssl-ca ".$info{ca}." "
+    }
+
 my $dbh = DBI->connect(
     "DBI:$info{dbms}:dbname=$info{dbname};host=$info{hostname}"
-        . ( $info{port} ? ";port=$info{port}" : "" ),
+        . ( $info{port} ? ";port=$info{port}" : "" )
+        . ( $info{tlsoptions} ? $info{tlsoptions} : "" ),
     $info{'user'}, $info{'password'}
 );
 
@@ -370,7 +380,8 @@ elsif ( $step && $step == 3 ) {
     #I put it there because it implied a data import if condition was not satisfied.
     my $dbh = DBI->connect(
         "DBI:$info{dbms}:dbname=$info{dbname};host=$info{hostname}"
-            . ( $info{port} ? ";port=$info{port}" : "" ),
+            . ( $info{port} ? ";port=$info{port}" : "" )
+            . ( $info{tlsoptions} ? $info{tlsoptions} : "" ),
         $info{'user'}, $info{'password'}
     );
     my $rq;
diff --git a/rewrite-config.PL b/rewrite-config.PL
index a66b119b94..d827106d93 100644
--- a/rewrite-config.PL
+++ b/rewrite-config.PL
@@ -44,7 +44,7 @@ The following configuration keywords are available:
 
 PREFIX, BASE_DIR, CGI_DIR, LOG_DIR, PLUGINS_DIR, INSTALL_BASE,
-DB_TYPE, DB_HOST, DB_PORT, DB_NAME, DB_PASS, DB_USER, WEBMASTER_EMAIL, WEBSERVER_DOMAIN,
+DB_TYPE, DB_HOST, DB_PORT, DB_NAME, DB_PASS, DB_USER, DB_USE_TLS, DB_TLS_CA_CERT, DB_TLS_CLIENT_KEY, DB_TLS_CLIENT_CERT, WEBMASTER_EMAIL, WEBSERVER_DOMAIN,
 WEBSERVER_HOST, WEBSERVER_IP, WEBSERVER_PORT, WEBSERVER_PORT_LIBRARIAN, ZEBRA_PASS, ZEBRA_USER
 
 =head1 EXAMPLES
 
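Review bot: `$info{'tls'} = C4::Context->config("tls");` sits at column 0 while the `if ($info{'tls'} eq 'yes'){` block directly after it is indented four spaces, although both are at the same top-level scope as the surrounding `$info{...}` assignments; the block should be dedented so it does not read as nested inside something. `$info{'tlscmdline'}` is assigned here but not consumed by any hunk in this patch, so it is either dead or used by code outside the diff — a short comment at the assignment naming its consumer (the mysql command line mentioned in the commit message) would settle that for the next reader. The DSN suffix is concatenated the same way in this hunk and in the step-3 hunk below, so one `my $dsn = ...` computed once next to `%info` would avoid keeping the two connect calls in sync.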
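Review bot: The documented keyword list names `DB_TLS_CA_CERT` and `DB_TLS_CLIENT_CERT`, but the placeholders this script actually substitutes (in the defaults hunk at line 89 of this file, and the keys Makefile.PL writes) are `DB_TLS_CA_CERTIFICATE` and `DB_TLS_CLIENT_CERTIFICATE`; an administrator who exports the documented names gets no effect and an empty certificate path in koha-conf.xml. The line should list `DB_USE_TLS, DB_TLS_CA_CERTIFICATE, DB_TLS_CLIENT_CERTIFICATE, DB_TLS_CLIENT_KEY` in the same order the other hunks use.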
@@ -89,6 +89,10 @@ $prefix = $ENV{'INSTALL_BASE'} || "/usr";
   "__DB_PORT__" => "3306",
   "__DB_USER__" => "kohaadmin",
   "__DB_PASS__" => "katikoan",
+  "__DB_USE_TLS__" => "no",
+  "__DB_TLS_CA_CERTIFICATE__" => "",
+  "__DB_TLS_CLIENT_CERTIFICATE__" => "",
+  "__DB_TLS_CLIENT_KEY__"=>"",
   "__WEBMASTER_EMAIL__" => 'webmaster@'.$mydomain,
   "__WEBSERVER_DOMAIN__" => $mydomain,
   "__WEBSERVER_HOST__" => $myhost,
-- 
2.39.5
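Review bot: The three TLS path defaults are `""` here while Makefile.PL defaults the same keys to `/etc/mysql-ssl/server-ca.pem`, `client-cert.pem` and `client-key.pem`, so the two paths that generate koha-conf.xml disagree; with `DB_USE_TLS=yes` exported but no path variables set, this script writes empty ca/cert/key elements and the DSN built from them carries `mysql_ssl_ca_file=` with no file, which fails only at connect time. Either mirror the Makefile.PL defaults or state in the POD above that all three paths must be exported together when DB_USE_TLS is yes. Minor: `"__DB_TLS_CLIENT_KEY__"=>""` lacks the spaces around `=>` that every neighbouring entry uses.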