
[#3927] remove ssl-mode for mysql

This commit is contained in:
Razvan Becheriu 2025-07-09 18:09:37 +03:00
parent 3c8b1d4b8c
commit ad5a10aada
7 changed files with 18 additions and 69 deletions


@ -509,9 +509,6 @@
// Private key file name. // Private key file name.
"key-file": "my-key", "key-file": "my-key",
// SSL mode.
"ssl-mode": "verify-ca",
// Cipher list (see the OpenSSL ciphers command manual). // Cipher list (see the OpenSSL ciphers command manual).
"cipher-list": "AES", "cipher-list": "AES",
@ -572,7 +569,10 @@
"cert-file": "my-cert", "cert-file": "my-cert",
// Private key file name. // Private key file name.
"key-file": "my-key" "key-file": "my-key",
// SSL mode.
"ssl-mode": "verify-ca"
} }
], ],


@ -451,9 +451,6 @@
// Private key file name. // Private key file name.
"key-file": "my-key", "key-file": "my-key",
// SSL mode.
"ssl-mode": "verify-ca",
// Cipher list (see the OpenSSL ciphers command manual). // Cipher list (see the OpenSSL ciphers command manual).
"cipher-list": "AES", "cipher-list": "AES",
@ -514,7 +511,10 @@
"cert-file": "my-cert", "cert-file": "my-cert",
// Private key file name. // Private key file name.
"key-file": "my-key" "key-file": "my-key",
// SSL mode.
"ssl-mode": "verify-ca"
} }
], ],


@ -92,15 +92,12 @@ configurations too.
Currently the support for each database is: Currently the support for each database is:
- MySQL supports the whole set, additional configuration must be done - MySQL supports the whole set, except ``ssl-mode``, additional configuration
in the MySQL local setup, for instance certificate revocation list, must be done in the MySQL local setup, for instance certificate revocation
choice of a specific TLS version, mutual authentication, etc. list, choice of a specific TLS version, mutual authentication, etc.
When a TLS connection was required but the actual connection is in When a TLS connection was required but the actual connection is in
clear text an error log is emitted. clear text an error log is emitted.
The ``ssl-mode`` values correspond to the MySQL values ``DISABLED``,
``PREFERRED``, ``REQUIRED``, ``VERIFY_CA`` and ``VERIFY_IDENTITY``
respectively.
- PostgreSQL supports the whole set, additional configuration must be - PostgreSQL supports the whole set, except ``cipher-list``, additional
done in the client library (libpq). Anything else must be done in the configuration must be done in the client library (libpq). Anything else must
PostgreSQL local configuration. be done in the PostgreSQL local configuration.


@ -97,7 +97,6 @@ public:
/// - trust-anchor /// - trust-anchor
/// - cert-file /// - cert-file
/// - key-file /// - key-file
/// - ssl-mode
/// - cipher-list (MySQL only) /// - cipher-list (MySQL only)
/// - reconnect-wait-time /// - reconnect-wait-time
/// - max-reconnect-tries /// - max-reconnect-tries
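Review bot: The `ssl-mode` entry is dropped from this parameter list outright, whereas the parallel lists in the other two headers touched by this commit (the hunks at lines 96 and 105/137) keep it as `/// - ssl-mode (PostgreSQL only)`. Because this list still carries `/// - cipher-list (MySQL only)`, it presumably documents a backend-neutral parameter set, in which case the keyword remains valid for PostgreSQL and the line should read `/// - ssl-mode (PostgreSQL only)` rather than disappear. If this header is in fact MySQL-specific, the `(MySQL only)` qualifier on cipher-list is the inconsistent one instead. The enclosing doc comment begins before the hunk, so the intended scope cannot be confirmed from here.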


@ -96,7 +96,7 @@ public:
/// - trust-anchor /// - trust-anchor
/// - cert-file /// - cert-file
/// - key-file /// - key-file
/// - ssl-mode /// - ssl-mode (PostgreSQL only)
/// - reconnect-wait-time /// - reconnect-wait-time
/// - max-reconnect-tries /// - max-reconnect-tries
/// - on-fail /// - on-fail


@ -105,7 +105,7 @@ public:
/// - trust-anchor /// - trust-anchor
/// - cert-file /// - cert-file
/// - key-file /// - key-file
/// - ssl-mode /// - ssl-mode (PostgreSQL only)
/// - cipher-list (MySQL only) /// - cipher-list (MySQL only)
/// - reconnect-wait-time /// - reconnect-wait-time
/// - max-reconnect-tries /// - max-reconnect-tries
@ -137,7 +137,7 @@ public:
/// - trust-anchor /// - trust-anchor
/// - cert-file /// - cert-file
/// - key-file /// - key-file
/// - ssl-mode /// - ssl-mode (PostgreSQL only)
/// - cipher-list (MySQL only) /// - cipher-list (MySQL only)
/// - reconnect-wait-time /// - reconnect-wait-time
/// - max-reconnect-tries /// - max-reconnect-tries


@ -131,15 +131,6 @@ MySqlConnection::openDatabase() {
isc_throw(DbInvalidTimeout, ex.what()); isc_throw(DbInvalidTimeout, ex.what());
} }
int ssl_mode(SSL_MODE_PREFERRED);
string ssslmode;
try {
ssslmode = getParameter("ssl-mode");
tls_ = true;
} catch (...) {
// No strict ssl mode
}
const char* ca_file(0); const char* ca_file(0);
const char* ca_dir(0); const char* ca_dir(0);
string sca; string sca;
@ -151,9 +142,6 @@ MySqlConnection::openDatabase() {
} else { } else {
ca_file = sca.c_str(); ca_file = sca.c_str();
} }
if (ssslmode.empty()) {
ssslmode = "verify-ca";
}
} catch (...) { } catch (...) {
// No trust anchor // No trust anchor
} }
@ -279,27 +267,6 @@ MySqlConnection::openDatabase() {
if (result != 0) { if (result != 0) {
isc_throw(DbOpenError, "unable to set cipher: " << mysql_error(mysql_)); isc_throw(DbOpenError, "unable to set cipher: " << mysql_error(mysql_));
} }
if (ssslmode.empty()) {
ssslmode = "require";
}
}
if (ssslmode == "disable") {
ssl_mode = SSL_MODE_DISABLED;
} else if (ssslmode == "prefer") {
ssl_mode = SSL_MODE_PREFERRED;
} else if (ssslmode == "require") {
ssl_mode = SSL_MODE_REQUIRED;
} else if (ssslmode == "verify-ca") {
ssl_mode = SSL_MODE_VERIFY_CA;
} else if (ssslmode == "verify-full") {
ssl_mode = SSL_MODE_VERIFY_IDENTITY;
}
result = mysql_options(mysql_, MYSQL_OPT_SSL_MODE, &ssl_mode);
if (result != 0) {
isc_throw(DbOpenError, "unable to set SSL mode: " << mysql_error(mysql_));
} }
// Open the database. // Open the database.
@ -526,7 +493,7 @@ MySqlConnection::toKeaAdminParameters(ParameterMap const& params) {
vector<string> result{"mysql"}; vector<string> result{"mysql"};
for (auto const& p : params) { for (auto const& p : params) {
string const& keyword(p.first); string const& keyword(p.first);
string value(p.second); string const& value(p.second);
// These Kea parameters are the same as the kea-admin parameters. // These Kea parameters are the same as the kea-admin parameters.
if (keyword == "user" || if (keyword == "user" ||
@ -539,20 +506,6 @@ MySqlConnection::toKeaAdminParameters(ParameterMap const& params) {
continue; continue;
} }
if (keyword == "ssl-mode") {
if (value == "disable") {
value = "DISABLED";
} else if (value == "prefer") {
value = "PREFERRED";
} else if (value == "require") {
value = "REQUIRED";
} else if (value == "verify-ca") {
value = "VERIFY_CA";
} else if (value == "verify-full") {
value = "VERIFY_IDENTITY";
}
}
// These Kea parameters do not have a direct kea-admin equivalent. // These Kea parameters do not have a direct kea-admin equivalent.
// But they do have a mariadb client flag equivalent. // But they do have a mariadb client flag equivalent.
// We pass them to kea-admin using the --extra flag. // We pass them to kea-admin using the --extra flag.