
[#3927] remove ssl-mode for mysql

Razvan Becheriu 2025-07-09 18:09:37 +03:00
parent 3c8b1d4b8c
commit ad5a10aada
7 changed files with 18 additions and 69 deletions


@ -509,9 +509,6 @@
// Private key file name.
"key-file": "my-key",
// SSL mode.
"ssl-mode": "verify-ca",
// Cipher list (see the OpenSSL ciphers command manual).
"cipher-list": "AES",
@ -572,7 +569,10 @@
"cert-file": "my-cert",
// Private key file name.
"key-file": "my-key"
"key-file": "my-key",
// SSL mode.
"ssl-mode": "verify-ca"
}
],


@ -451,9 +451,6 @@
// Private key file name.
"key-file": "my-key",
// SSL mode.
"ssl-mode": "verify-ca",
// Cipher list (see the OpenSSL ciphers command manual).
"cipher-list": "AES",
@ -514,7 +511,10 @@
"cert-file": "my-cert",
// Private key file name.
"key-file": "my-key"
"key-file": "my-key",
// SSL mode.
"ssl-mode": "verify-ca"
}
],


@ -92,15 +92,12 @@ configurations too.
Currently the support for each database is:
- MySQL supports the whole set, additional configuration must be done
in the MySQL local setup, for instance certificate revocation list,
choice of a specific TLS version, mutual authentication, etc.
- MySQL supports the whole set, except ``ssl-mode``, additional configuration
must be done in the MySQL local setup, for instance certificate revocation
list, choice of a specific TLS version, mutual authentication, etc.
When a TLS connection was required but the actual connection is in
clear text an error log is emitted.
The ``ssl-mode`` values correspond to the MySQL values ``DISABLED``,
``PREFERRED``, ``REQUIRED``, ``VERIFY_CA`` and ``VERIFY_IDENTITY``
respectively.
- PostgreSQL supports the whole set, additional configuration must be
done in the client library (libpq). Anything else must be done in the
PostgreSQL local configuration.
- PostgreSQL supports the whole set, except ``cipher-list``, additional
configuration must be done in the client library (libpq). Anything else must
be done in the PostgreSQL local configuration.


@ -97,7 +97,6 @@ public:
/// - trust-anchor
/// - cert-file
/// - key-file
/// - ssl-mode
/// - cipher-list (MySQL only)
/// - reconnect-wait-time
/// - max-reconnect-tries


@ -96,7 +96,7 @@ public:
/// - trust-anchor
/// - cert-file
/// - key-file
/// - ssl-mode
/// - ssl-mode (PostgreSQL only)
/// - reconnect-wait-time
/// - max-reconnect-tries
/// - on-fail


@ -105,7 +105,7 @@ public:
/// - trust-anchor
/// - cert-file
/// - key-file
/// - ssl-mode
/// - ssl-mode (PostgreSQL only)
/// - cipher-list (MySQL only)
/// - reconnect-wait-time
/// - max-reconnect-tries
@ -137,7 +137,7 @@ public:
/// - trust-anchor
/// - cert-file
/// - key-file
/// - ssl-mode
/// - ssl-mode (PostgreSQL only)
/// - cipher-list (MySQL only)
/// - reconnect-wait-time
/// - max-reconnect-tries


@ -131,15 +131,6 @@ MySqlConnection::openDatabase() {
isc_throw(DbInvalidTimeout, ex.what());
}
int ssl_mode(SSL_MODE_PREFERRED);
string ssslmode;
try {
ssslmode = getParameter("ssl-mode");
tls_ = true;
} catch (...) {
// No strict ssl mode
}
const char* ca_file(0);
const char* ca_dir(0);
string sca;
@ -151,9 +142,6 @@ MySqlConnection::openDatabase() {
} else {
ca_file = sca.c_str();
}
if (ssslmode.empty()) {
ssslmode = "verify-ca";
}
} catch (...) {
// No trust anchor
}
@ -279,27 +267,6 @@ MySqlConnection::openDatabase() {
if (result != 0) {
isc_throw(DbOpenError, "unable to set cipher: " << mysql_error(mysql_));
}
if (ssslmode.empty()) {
ssslmode = "require";
}
}
if (ssslmode == "disable") {
ssl_mode = SSL_MODE_DISABLED;
} else if (ssslmode == "prefer") {
ssl_mode = SSL_MODE_PREFERRED;
} else if (ssslmode == "require") {
ssl_mode = SSL_MODE_REQUIRED;
} else if (ssslmode == "verify-ca") {
ssl_mode = SSL_MODE_VERIFY_CA;
} else if (ssslmode == "verify-full") {
ssl_mode = SSL_MODE_VERIFY_IDENTITY;
}
result = mysql_options(mysql_, MYSQL_OPT_SSL_MODE, &ssl_mode);
if (result != 0) {
isc_throw(DbOpenError, "unable to set SSL mode: " << mysql_error(mysql_));
}
// Open the database.
@ -526,7 +493,7 @@ MySqlConnection::toKeaAdminParameters(ParameterMap const& params) {
vector<string> result{"mysql"};
for (auto const& p : params) {
string const& keyword(p.first);
string value(p.second);
string const& value(p.second);
// These Kea parameters are the same as the kea-admin parameters.
if (keyword == "user" ||
@ -539,20 +506,6 @@ MySqlConnection::toKeaAdminParameters(ParameterMap const& params) {
continue;
}
if (keyword == "ssl-mode") {
if (value == "disable") {
value = "DISABLED";
} else if (value == "prefer") {
value = "PREFERRED";
} else if (value == "require") {
value = "REQUIRED";
} else if (value == "verify-ca") {
value = "VERIFY_CA";
} else if (value == "verify-full") {
value = "VERIFY_IDENTITY";
}
}
// These Kea parameters do not have a direct kea-admin equivalent.
// But they do have a mariadb client flag equivalent.
// We pass them to kea-admin using the --extra flag.