diff --git a/doc/examples/kea4/all-keys.json b/doc/examples/kea4/all-keys.json
index 8c68c42e48..5d4b48529c 100644
--- a/doc/examples/kea4/all-keys.json
+++ b/doc/examples/kea4/all-keys.json
@@ -509,9 +509,6 @@
 // Private key file name.
 "key-file": "my-key",
- // SSL mode.
- "ssl-mode": "verify-ca",
-
 // Cipher list (see the OpenSSL ciphers command manual).
 "cipher-list": "AES",
@@ -572,7 +569,10 @@
 "cert-file": "my-cert",
 // Private key file name.
- "key-file": "my-key"
+ "key-file": "my-key",
+
+ // SSL mode.
+ "ssl-mode": "verify-ca"
 }
 ],
diff --git a/doc/examples/kea6/all-keys.json b/doc/examples/kea6/all-keys.json
index 2be34cf655..cc4e1a943f 100644
--- a/doc/examples/kea6/all-keys.json
+++ b/doc/examples/kea6/all-keys.json
@@ -451,9 +451,6 @@
 // Private key file name.
 "key-file": "my-key",
- // SSL mode.
- "ssl-mode": "verify-ca",
-
 // Cipher list (see the OpenSSL ciphers command manual).
 "cipher-list": "AES",
@@ -514,7 +511,10 @@
 "cert-file": "my-cert",
 // Private key file name.
- "key-file": "my-key"
+ "key-file": "my-key",
+
+ // SSL mode.
+ "ssl-mode": "verify-ca"
 }
 ],
diff --git a/doc/sphinx/arm/database-connectivity.rst b/doc/sphinx/arm/database-connectivity.rst
index 309b72a6a1..7087dc0ce4 100644
--- a/doc/sphinx/arm/database-connectivity.rst
+++ b/doc/sphinx/arm/database-connectivity.rst
@@ -92,15 +92,12 @@ configurations too.
 Currently the support for each database is:
-- MySQL supports the whole set, additional configuration must be done
- in the MySQL local setup, for instance certificate revocation list,
- choice of a specific TLS version, mutual authentication, etc.
+- MySQL supports the whole set, except ``ssl-mode``, additional configuration
+ must be done in the MySQL local setup, for instance certificate revocation
+ list, choice of a specific TLS version, mutual authentication, etc.
 When a TLS connection was required but the actual connection is in clear text an error log is emitted.
- The ``ssl-mode`` values correspond to the MySQL values ``DISABLED``,
- ``PREFERRED``, ``REQUIRED``, ``VERIFY_CA`` and ``VERIFY_IDENTITY``
- respectively.
-- PostgreSQL supports the whole set, additional configuration must be
- done in the client library (libpq). Anything else must be done in the
- PostgreSQL local configuration.
+- PostgreSQL supports the whole set, except ``cipher-list``, additional
+ configuration must be done in the client library (libpq). Anything else must
+ be done in the PostgreSQL local configuration.
diff --git a/src/hooks/dhcp/mysql/mysql_legal_log.h b/src/hooks/dhcp/mysql/mysql_legal_log.h
index 3a60fdb70d..1cc01ba1cd 100644
--- a/src/hooks/dhcp/mysql/mysql_legal_log.h
+++ b/src/hooks/dhcp/mysql/mysql_legal_log.h
@@ -97,7 +97,6 @@ public:
 /// - trust-anchor
 /// - cert-file
 /// - key-file
- /// - ssl-mode
 /// - cipher-list (MySQL only)
 /// - reconnect-wait-time
 /// - max-reconnect-tries
diff --git a/src/hooks/dhcp/pgsql/pgsql_legal_log.h b/src/hooks/dhcp/pgsql/pgsql_legal_log.h
index ffbd876c27..d5b2183bb0 100644
--- a/src/hooks/dhcp/pgsql/pgsql_legal_log.h
+++ b/src/hooks/dhcp/pgsql/pgsql_legal_log.h
@@ -96,7 +96,7 @@ public:
 /// - trust-anchor
 /// - cert-file
 /// - key-file
- /// - ssl-mode
+ /// - ssl-mode (PostgreSQL only)
 /// - reconnect-wait-time
 /// - max-reconnect-tries
 /// - on-fail
diff --git a/src/lib/dhcpsrv/legal_log_mgr.h b/src/lib/dhcpsrv/legal_log_mgr.h
index 96b6823fa5..17314f574b 100644
--- a/src/lib/dhcpsrv/legal_log_mgr.h
+++ b/src/lib/dhcpsrv/legal_log_mgr.h
@@ -105,7 +105,7 @@ public:
 /// - trust-anchor
 /// - cert-file
 /// - key-file
- /// - ssl-mode
+ /// - ssl-mode (PostgreSQL only)
 /// - cipher-list (MySQL only)
 /// - reconnect-wait-time
 /// - max-reconnect-tries
@@ -137,7 +137,7 @@ public:
 /// - trust-anchor
 /// - cert-file
 /// - key-file
- /// - ssl-mode
+ /// - ssl-mode (PostgreSQL only)
 /// - cipher-list (MySQL only)
 /// - reconnect-wait-time
 /// - max-reconnect-tries
diff --git a/src/lib/mysql/mysql_connection.cc b/src/lib/mysql/mysql_connection.cc
index 8d4667183e..ba7006d64d 100644
--- a/src/lib/mysql/mysql_connection.cc
+++ b/src/lib/mysql/mysql_connection.cc
@@ -131,15 +131,6 @@ MySqlConnection::openDatabase() {
 isc_throw(DbInvalidTimeout, ex.what());
 }
- int ssl_mode(SSL_MODE_PREFERRED);
- string ssslmode;
- try {
- ssslmode = getParameter("ssl-mode");
- tls_ = true;
- } catch (...) {
- // No strict ssl mode
- }
-
 const char* ca_file(0);
 const char* ca_dir(0);
 string sca;
@@ -151,9 +142,6 @@ MySqlConnection::openDatabase() {
 } else {
 ca_file = sca.c_str();
 }
- if (ssslmode.empty()) {
- ssslmode = "verify-ca";
- }
 } catch (...) {
 // No trust anchor
 }
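Review bot: Dropping the `ssl-mode` block here, together with the `MYSQL_OPT_SSL_MODE` call removed in the `@@ -279` hunk, leaves openDatabase() with no explicit TLS policy, so a MySQL configuration that still carries `"ssl-mode": "require"` or `"verify-ca"` is now read by nobody and the connection silently falls back to whatever the client library negotiates by default (for libmysqlclient that is opportunistic, i.e. cleartext when the server offers no TLS). The removed lines were also the only visible place that set `tls_ = true`, and the `@@ -151` hunk drops the implicit verify-ca that a `trust-anchor` used to imply; unless `tls_` is set elsewhere in the trust-anchor branch (outside the hunk), the "TLS required but connection is in clear text" error log the docs describe can no longer fire for MySQL, and a CA path alone does not make libmysqlclient verify the server certificate. Since the docs now declare the key PostgreSQL-only, the parameter should be rejected rather than ignored when it is present for MySQL (unless the config parser already does that elsewhere in this commit), and the trust-anchor path should still mark the connection as TLS-required; a rejection fits where the removed block was. openDatabase() starts and ends outside this hunk.
```cpp
    // ssl-mode is PostgreSQL-only: refuse it here rather than let a
    // "require"/"verify-*" setting be silently downgraded to the
    // client library's default negotiation.
    bool ssl_mode_given = false;
    try {
        static_cast<void>(getParameter("ssl-mode"));
        ssl_mode_given = true;
    } catch (...) {
        // No ssl-mode parameter: nothing to reject.
    }
    if (ssl_mode_given) {
        isc_throw(DbOpenError, "ssl-mode is not supported for MySQL");
    }

    // … unchanged: trust-anchor / cert-file / key-file handling …
```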
@@ -279,27 +267,6 @@ MySqlConnection::openDatabase() {
 if (result != 0) {
 isc_throw(DbOpenError, "unable to set cipher: " << mysql_error(mysql_));
 }
-
- if (ssslmode.empty()) {
- ssslmode = "require";
- }
- }
-
- if (ssslmode == "disable") {
- ssl_mode = SSL_MODE_DISABLED;
- } else if (ssslmode == "prefer") {
- ssl_mode = SSL_MODE_PREFERRED;
- } else if (ssslmode == "require") {
- ssl_mode = SSL_MODE_REQUIRED;
- } else if (ssslmode == "verify-ca") {
- ssl_mode = SSL_MODE_VERIFY_CA;
- } else if (ssslmode == "verify-full") {
- ssl_mode = SSL_MODE_VERIFY_IDENTITY;
- }
-
- result = mysql_options(mysql_, MYSQL_OPT_SSL_MODE, &ssl_mode);
- if (result != 0) {
- isc_throw(DbOpenError, "unable to set SSL mode: " << mysql_error(mysql_));
 }
 // Open the database.
@@ -526,7 +493,7 @@ MySqlConnection::toKeaAdminParameters(ParameterMap const& params) {
 vector result{"mysql"};
 for (auto const& p : params) {
 string const& keyword(p.first);
- string value(p.second);
+ string const& value(p.second);
 // These Kea parameters are the same as the kea-admin parameters.
 if (keyword == "user" ||
@@ -539,20 +506,6 @@ MySqlConnection::toKeaAdminParameters(ParameterMap const& params) {
 continue;
 }
- if (keyword == "ssl-mode") {
- if (value == "disable") {
- value = "DISABLED";
- } else if (value == "prefer") {
- value = "PREFERRED";
- } else if (value == "require") {
- value = "REQUIRED";
- } else if (value == "verify-ca") {
- value = "VERIFY_CA";
- } else if (value == "verify-full") {
- value = "VERIFY_IDENTITY";
- }
- }
-
 // These Kea parameters do not have a direct kea-admin equivalent.
 // But they do have a mariadb client flag equivalent.
 // We pass them to kea-admin using the --extra flag.
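Review bot: With the value mapping removed from toKeaAdminParameters() in the `@@ -539` hunk, an `ssl-mode` entry that still reaches this loop is no longer recognised by name, so it presumably falls through to the `--extra` pass-through described in the comment that follows (that branch is outside the hunk); kea-admin would then receive Kea's hyphenated spelling (`verify-ca`) instead of the client's `VERIFY_CA`, so the forwarded option is unlikely to be understood and the failure would surface only at kea-admin run time. If the key is meant to be PostgreSQL-only, skip it explicitly next to the `continue` at the top of the hunk, e.g. `if (keyword == "ssl-mode") { continue; // PostgreSQL-only, not forwarded to kea-admin }`. The `string const& value` change in the `@@ -526` hunk is correct once nothing assigns to it. The enclosing loop continues past the end of the hunk.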