Implemented Add MySQLi SSL support

cursey

Member
MySQLi supports database connections over SSL but XenForo doesn't (from what I can tell). Adding support for this should be simple. Just add a few config.php options then make the necessary changes to \XF\Db\Mysqli\Adapter::makeConnection from what I can gather.

Any reason why this isn't already a feature? I can't set up XenForo to use a managed DigitalOcean database without the SSL support, and it seems like it would be a good thing for security in general.
 
This suggestion has been implemented. Votes are no longer accepted.
We have made changes to the next XF release to allow mysqli to be configured with the relevant SSL settings.

The following database config keys are now supported (default values depicted):
PHP:
$config['db']['ssl']['enabled'] = false; // Enable/disable SSL support 
$config['db']['ssl']['key'] = null; // The path name to the key file.
$config['db']['ssl']['cert'] = null; // The path name to the certificate file.
$config['db']['ssl']['ca'] = null; // The path name to the certificate authority file.
$config['db']['ssl']['capath'] = null; // The pathname to a directory that contains trusted SSL CA certificates in PEM format.
$config['db']['ssl']['cipher'] = null; // A list of allowable ciphers to use for SSL encryption.
Many of these config values aren't required (hence the default value of null). An Azure hosted MySQL database for example just requires:
PHP:
$config['db']['ssl']['enabled'] = true;
$config['db']['ssl']['ca'] = 'BaltimoreCyberTrustRoot.crt.pem';
The exact configuration required may vary from server to server.
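One way to test these settings outside XenForo, as an added example that is not part of the original post or XenForo's own code: it checks that the PEM files are readable by the user PHP runs as, then connects with mysqli and asks the server which cipher the session negotiated. The host, credentials, file path and the helper names `preflightSsl` and `negotiatedCipher` are assumptions; the CA directory option is not covered, and the openssl extension is assumed to be loaded.

```php
<?php
// Added diagnostic example, not XenForo code; the values below are constructed samples.
$db = [
    'host' => 'db.example.internal', 'port' => 3306,
    'username' => 'xf_user', 'password' => 'change-me', 'dbname' => 'xenforo',
    'ssl' => ['enabled' => true, 'ca' => '/etc/ssl/db/ca.pem'],
];

// Hypothetical helper: list problems with the PEM files named in the ssl section.
function preflightSsl(array $ssl): array
{
    $problems = [];
    foreach (['key', 'cert', 'ca'] as $name) {
        $path = $ssl[$name] ?? null;
        if ($path !== null && !is_readable($path)) {
            $problems[] = "$name: '$path' is missing or not readable by this user";
        }
    }
    $cert = $ssl['cert'] ?? null;
    if ($cert !== null && is_readable($cert)) {
        $info = openssl_x509_parse(file_get_contents($cert));
        if ($info === false) {
            $problems[] = "cert: '$cert' is not a PEM certificate";
        } elseif ($info['validTo_time_t'] < time()) {
            $problems[] = "cert: '$cert' has expired";
        }
    }
    return $problems;
}
// Hypothetical helper: connect over TLS, return the negotiated cipher ('' = not encrypted).
function negotiatedCipher(array $db): string
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure
    $ssl = $db['ssl'];
    $conn = mysqli_init();
    $conn->ssl_set($ssl['key'] ?? null, $ssl['cert'] ?? null, $ssl['ca'] ?? null, null, $ssl['cipher'] ?? null);
    $conn->real_connect($db['host'], $db['username'], $db['password'],
        $db['dbname'], (int) $db['port'], null, MYSQLI_CLIENT_SSL);
    $row = $conn->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    return (string) ($row['Value'] ?? '');
}
if ($problems = preflightSsl($db['ssl'])) {
    exit(implode("\n", $problems) . "\n");
}
try {
    $cipher = negotiatedCipher($db);
    echo $cipher !== '' ? "TLS in use: $cipher\n" : "Connected WITHOUT TLS\n";
} catch (mysqli_sql_exception $e) {
    echo 'Connect failed: ', $e->getMessage(), "\n";
}
```

Run it as the account the web server uses, since file readability is evaluated for that user and not for the shell account that can already connect with the `mysql` client.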
 
Banging my head against a wall here. Fresh new install on a Focal server with PHP 7.4.

I can connect just fine with mysql -u -p -h10.0.0.150 -e 'status',
--------------
mysql Ver 15.1 Distrib 10.5.8-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Connection id: 84
Current database:
Current user: xforo@xenforo.lxd
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 10.5.8-MariaDB-1:10.5.8+maria~focal mariadb.org binary distribution
Protocol version: 10
Connection: 10.0.0.150 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 35 min 4 sec

Threads: 4 Questions: 81 Slow queries: 0 Opens: 31 Open tables: 25 Queries per second avg: 0.038

but I get thrown an exception in Adapter.php line 165 when I run sudo -u www-data php cmd.php xf:install
I tried moving the certs into the src folder, since I do not get much info about what went wrong.
On the MariaDB server I see no errors, just the authentication failure.

Any pointers would be much appreciated.
 