From 3195dd0db073925983e214c908daaf13f8298ddf Mon Sep 17 00:00:00 2001
From: bpatath
Date: Fri, 22 May 2020 00:22:31 +0200
Subject: [PATCH 1/3] Add SSL configuration for MySQL
---
 .env.example | 10 ++++++++++
 config/database.php | 20 ++++++++++++++++++++
 2 files changed, 30 insertions(+)
diff --git a/.env.example b/.env.example
index 98d7bbc963..f3536bedeb 100644
--- a/.env.example
+++ b/.env.example
@@ -65,6 +65,16 @@ DB_DATABASE=firefly
 DB_USERNAME=firefly
 DB_PASSWORD=secret_firefly_password

+# MySQL supports SSL. You can configure it here.
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+MYSQL_SSL_MODE=prefer
+MYSQL_SSL_ROOT_CERT_PATH=
+MYSQL_SSL_ROOT_CERT=
+MYSQL_SSL_CERT=
+MYSQL_SSL_KEY=
+MYSQL_SSL_CIPHER=
+MYSQL_SSL_VERIFY=
+
 # PostgreSQL supports SSL. You can configure it here.
 # If you use Docker or similar, you can set these variables from a file by appending them with _FILE
 PGSQL_SSL_MODE=prefer
diff --git a/config/database.php b/config/database.php
index 3ec1f3e55b..425a28962d 100644
--- a/config/database.php
+++ b/config/database.php
@@ -39,6 +39,24 @@ if (!(false === $databaseUrl)) {
 $database = substr($options['path'] ?? '/firefly', 1);
 }

+/*
+ * Get SSL parameters from .env file.
+ */
+$mysql_ssl_ca_dir = envNonEmpty('MYSQL_SSL_ROOT_CERT_PATH', null);
+$mysql_ssl_ca_file = envNonEmpty('MYSQL_SSL_ROOT_CERT', null);
+$mysql_ssl_cert = envNonEmpty('MYSQL_SSL_CERT', null);
+$mysql_ssl_key = envNonEmpty('MYSQL_SSL_KEY', null);
+$mysql_ssl_ciphers = envNonEmpty('MYSQL_SSL_CIPHER', null);
+$mysql_ssl_verify = envNonEmpty('MYSQL_SSL_VERIFY', null);
+
+$mysql_ssl_options = [];
+if ($mysql_ssl_ca_dir !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CAPATH ] = $mysql_ssl_ca_dir;
+if ($mysql_ssl_ca_file !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CA ] = $mysql_ssl_ca_file;
+if ($mysql_ssl_cert !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CERT ] = $mysql_ssl_cert;
+if ($mysql_ssl_key !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_KEY ] = $mysql_ssl_key;
+if ($mysql_ssl_ciphers !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CIPHER ] = $mysql_ssl_ciphers;
+if ($mysql_ssl_verify !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = $mysql_ssl_verify;
+
 return [
 'default' => envNonEmpty('DB_CONNECTION', 'pgsql'),
 'connections' => [
@@ -60,6 +78,8 @@ return [
 'prefix' => '',
 'strict' => true,
 'engine' => 'InnoDB',
+ 'sslmode' => envNonEmpty('MYSQL_SSL_MODE', 'prefer'),
+ 'options' => $mysql_ssl_options,
 ],
 'pgsql' => [
 'driver' => 'pgsql',
From f427267f5b78fff3d15d4ffbc060c9c2fba057c8 Mon Sep 17 00:00:00 2001
From: bpatath
Date: Sat, 23 May 2020 23:16:48 +0200
Subject: [PATCH 2/3] Add SSL configuration for LDAP
---
 .env.example | 8 ++++++++
 config/ldap.php | 19 +++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/.env.example b/.env.example
index f3536bedeb..1210610742 100644
--- a/.env.example
+++ b/.env.example
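Review bot: Every `PDO::MYSQL_ATTR_SSL_*` constant referenced in the new `$mysql_ssl_options` block is registered by the pdo_mysql extension, and this file's `'default'` connection is `pgsql`, so on an installation without pdo_mysql loaded any non-empty `MYSQL_SSL_*` variable makes the whole config file fail with an undefined class constant error at load time instead of being ignored. Laravel's stock `config/database.php` guards its equivalent `options` entry with `extension_loaded('pdo_mysql')`; wrapping the six `if` lines in `if (extension_loaded('pdo_mysql')) { … }` keeps the file loadable whichever driver is in use. The same applies to the rewritten block in the third patch (`@@ -42,20 +42,22 @@`), where the added `MYSQL_USE_SSL` check narrows but does not remove the dependency. A comment such as `// PDO::MYSQL_ATTR_SSL_* constants only exist when pdo_mysql is loaded.` above the guard would explain why it is there.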
@@ -180,8 +180,16 @@ ADLDAP_PORT=389
 ADLDAP_TIMEOUT=5
 ADLDAP_BASEDN=""
 ADLDAP_FOLLOW_REFFERALS=false
+
+# SSL/TLS settings
 ADLDAP_USE_SSL=false
 ADLDAP_USE_TLS=false
+ADLDAP_SSL_CACERTDIR=
+ADLDAP_SSL_CACERTFILE=
+ADLDAP_SSL_CERTFILE=
+ADLDAP_SSL_KEYFILE=
+ADLDAP_SSL_CIPHER_SUITE=
+ADLDAP_SSL_REQUIRE_CERT=

 # You can set the following variables from a file by appending them with _FILE:
 ADLDAP_ADMIN_USERNAME=
diff --git a/config/ldap.php b/config/ldap.php
index 13e18bd41b..1c4c57da8b 100644
--- a/config/ldap.php
+++ b/config/ldap.php
@@ -38,6 +38,24 @@ if ('ActiveDirectory' === envNonEmpty('ADLDAP_CONNECTION_SCHEME', 'OpenLDAP')) {
 $schema = ActiveDirectory::class;
 }

+/*
+ * Get SSL parameters from .env file.
+ */
+$ssl_ca_dir = envNonEmpty('ADLDAP_SSL_CACERTDIR', null);
+$ssl_ca_file = envNonEmpty('ADLDAP_SSL_CACERTFILE', null);
+$ssl_cert = envNonEmpty('ADLDAP_SSL_CERTFILE', null);
+$ssl_key = envNonEmpty('ADLDAP_SSL_KEYFILE', null);
+$ssl_ciphers = envNonEmpty('ADLDAP_SSL_CIPHER_SUITE', null);
+$ssl_require = envNonEmpty('ADLDAP_SSL_REQUIRE_CERT', null);
+
+$ssl_options = [];
+if ($ssl_ca_dir !== null) $ssl_options[LDAP_OPT_X_TLS_CACERTDIR ] = $ssl_ca_dir;
+if ($ssl_ca_file !== null) $ssl_options[LDAP_OPT_X_TLS_CACERTFILE ] = $ssl_ca_file;
+if ($ssl_cert !== null) $ssl_options[LDAP_OPT_X_TLS_CERTFILE ] = $ssl_cert;
+if ($ssl_key !== null) $ssl_options[LDAP_OPT_X_TLS_KEYFILE ] = $ssl_key;
+if ($ssl_ciphers !== null) $ssl_options[LDAP_OPT_X_TLS_CIPHER_SUITE] = $ssl_ciphers;
+if ($ssl_require !== null) $ssl_options[LDAP_OPT_X_TLS_REQUIRE_CERT] = $ssl_require;
+
 return [
 /*
 |--------------------------------------------------------------------------
@@ -254,6 +272,7 @@ return [

 'use_ssl' => env('ADLDAP_USE_SSL', false),
 'use_tls' => env('ADLDAP_USE_TLS', false),
+ 'custom_options' => $ssl_options,
 ],
 ],

From 8aa7776072109256482f714c76f37eb1c7b2a572 Mon Sep 17 00:00:00 2001
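Review bot: `$ssl_require` is passed straight from `ADLDAP_SSL_REQUIRE_CERT` into `$ssl_options[LDAP_OPT_X_TLS_REQUIRE_CERT]`, but `ldap_set_option()` stores that option as an integer, so a readable value such as `demand` is coerced to `0`, which is `LDAP_OPT_X_TLS_NEVER` — the opposite of what an operator setting it would expect. Translate the configured word to the matching `LDAP_OPT_X_TLS_*` constant before adding it to the array and reject anything unrecognised, so a typo fails at boot rather than silently disabling certificate checks; the version below still accepts numeric values for anyone relying on them. The `.env.example` entry in the same patch should then list the accepted words. Style: the brace-less single-line `if` statements in this block (and in the `config/database.php` blocks of the first and third patches) are not PSR-12; braces read the same and lint cleanly.
```php
$ssl_require = envNonEmpty('ADLDAP_SSL_REQUIRE_CERT', null);
// ldap_set_option() stores LDAP_OPT_X_TLS_REQUIRE_CERT as an integer; a non-numeric
// string is coerced to 0 (= LDAP_OPT_X_TLS_NEVER), so translate the words first.
$ssl_require_levels = [
    'never'  => LDAP_OPT_X_TLS_NEVER,
    'allow'  => LDAP_OPT_X_TLS_ALLOW,
    'try'    => LDAP_OPT_X_TLS_TRY,
    'demand' => LDAP_OPT_X_TLS_DEMAND,
    'hard'   => LDAP_OPT_X_TLS_HARD,
];
if (null !== $ssl_require && !is_numeric($ssl_require)) {
    $level = $ssl_require_levels[strtolower((string) $ssl_require)] ?? null;
    if (null === $level) {
        throw new \InvalidArgumentException('Unknown ADLDAP_SSL_REQUIRE_CERT value: ' . $ssl_require);
    }
    $ssl_require = $level;
}
// … unchanged: $ssl_options assembly …
```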
From: bpatath
Date: Wed, 27 May 2020 11:08:15 +0200
Subject: [PATCH 3/3] Replace unnused MySQL SSL mode
---
 .env.example | 9 +++++----
 config/database.php | 27 ++++++++++++++-------------
 2 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/.env.example b/.env.example
index 1210610742..2a7503d5cd 100644
--- a/.env.example
+++ b/.env.example
@@ -67,13 +67,14 @@ DB_PASSWORD=secret_firefly_password

 # MySQL supports SSL. You can configure it here.
 # If you use Docker or similar, you can set these variables from a file by appending them with _FILE
-MYSQL_SSL_MODE=prefer
-MYSQL_SSL_ROOT_CERT_PATH=
-MYSQL_SSL_ROOT_CERT=
+MYSQL_USE_SSL=false
+MYSQL_SSL_VERIFY_SERVER_CERT=true
+# You need to set at least of these options
+MYSQL_SSL_CAPATH=/etc/ssl/certs/
+MYSQL_SSL_CA=
 MYSQL_SSL_CERT=
 MYSQL_SSL_KEY=
 MYSQL_SSL_CIPHER=
-MYSQL_SSL_VERIFY=

 # PostgreSQL supports SSL. You can configure it here.
 # If you use Docker or similar, you can set these variables from a file by appending them with _FILE
diff --git a/config/database.php b/config/database.php
index 425a28962d..948bb3c1fa 100644
--- a/config/database.php
+++ b/config/database.php
@@ -42,20 +42,22 @@ if (!(false === $databaseUrl)) {
 /*
 * Get SSL parameters from .env file.
 */
-$mysql_ssl_ca_dir = envNonEmpty('MYSQL_SSL_ROOT_CERT_PATH', null);
-$mysql_ssl_ca_file = envNonEmpty('MYSQL_SSL_ROOT_CERT', null);
-$mysql_ssl_cert = envNonEmpty('MYSQL_SSL_CERT', null);
-$mysql_ssl_key = envNonEmpty('MYSQL_SSL_KEY', null);
-$mysql_ssl_ciphers = envNonEmpty('MYSQL_SSL_CIPHER', null);
-$mysql_ssl_verify = envNonEmpty('MYSQL_SSL_VERIFY', null);
+$mysql_ssl_ca_dir = envNonEmpty('MYSQL_SSL_CAPATH', null);
+$mysql_ssl_ca_file = envNonEmpty('MYSQL_SSL_CA', null);
+$mysql_ssl_cert = envNonEmpty('MYSQL_SSL_CERT', null);
+$mysql_ssl_key = envNonEmpty('MYSQL_SSL_KEY', null);
+$mysql_ssl_ciphers = envNonEmpty('MYSQL_SSL_CIPHER', null);
+$mysql_ssl_verify = envNonEmpty('MYSQL_SSL_VERIFY_SERVER_CERT', null);

 $mysql_ssl_options = [];
-if ($mysql_ssl_ca_dir !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CAPATH ] = $mysql_ssl_ca_dir;
-if ($mysql_ssl_ca_file !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CA ] = $mysql_ssl_ca_file;
-if ($mysql_ssl_cert !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CERT ] = $mysql_ssl_cert;
-if ($mysql_ssl_key !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_KEY ] = $mysql_ssl_key;
-if ($mysql_ssl_ciphers !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CIPHER ] = $mysql_ssl_ciphers;
-if ($mysql_ssl_verify !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = $mysql_ssl_verify;
+if (!(false === envNonEmpty('MYSQL_USE_SSL', false))) {
+ if ($mysql_ssl_ca_dir !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CAPATH ] = $mysql_ssl_ca_dir;
+ if ($mysql_ssl_ca_file !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CA ] = $mysql_ssl_ca_file;
+ if ($mysql_ssl_cert !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CERT ] = $mysql_ssl_cert;
+ if ($mysql_ssl_key !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_KEY ] = $mysql_ssl_key;
+ if ($mysql_ssl_ciphers !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CIPHER ] = $mysql_ssl_ciphers;
+ if ($mysql_ssl_verify !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = $mysql_ssl_verify;
+}

 return [
 'default' => envNonEmpty('DB_CONNECTION', 'pgsql'),
@@ -78,7 +80,6 @@ return [
 'prefix' => '',
 'strict' => true,
 'engine' => 'InnoDB',
- 'sslmode' => envNonEmpty('MYSQL_SSL_MODE', 'prefer'),
 'options' => $mysql_ssl_options,
 ],
 'pgsql' => [
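Review bot: `$mysql_ssl_verify` falls back to `null` when `MYSQL_SSL_VERIFY_SERVER_CERT` is unset, so `PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT` is then never passed and the driver's own default decides whether the server certificate is checked, while the updated `.env.example` advertises `true`; an existing install that sets `MYSQL_USE_SSL=true` without adding the new variable therefore gets a different verification setting than a fresh one. Reading it as `$mysql_ssl_verify = envNonEmpty('MYSQL_SSL_VERIFY_SERVER_CERT', true);` makes the config default and the example agree and errs on the side of verifying. The enabling check `!(false === envNonEmpty('MYSQL_USE_SSL', false))` also treats any non-`false` value as enabled — presumably `env()` maps the literal strings `true`/`false` to booleans, but values like `0` or `no` would still switch the block on; `filter_var(envNonEmpty('MYSQL_USE_SSL', false), FILTER_VALIDATE_BOOLEAN)` is stricter. A one-line comment above that `if`, `// SSL attributes are only handed to PDO when MYSQL_USE_SSL is enabled.`, would document the gating.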