Support for MySQL and SSL Connections #8049
Conversation
| $sslkey = null; | ||
| } else { | ||
| $sslkey = $this->_config['sslkey']; | ||
| } |
There was a problem hiding this comment.
I would reformate this and the following if/else statements as it's shorter and easier to read:
$sslkey = null;
if (!empty($this->_config['sslkey'])) {
$sslkey = $this->_config['sslkey'];
}
|
Hi @ktroska and thanks for this nice Pull request! Feedback:
|
|
Hi @mattab Thx for feedback.
Something like this:
I think something like that? Notice I think of adding underscores for all options for better visibility in both options and code.
code is done and tested I will merge it when we decide about global.ini.php content and underscores
really first time I see this I will take a look and let you know if I can manage this, but since I started I want to make it to the end :)
I am thinking of integrating this into installer like SSL on and upload a ssl cert, the problem is there is no (i can think about) safe way to upload and store client key file if it is required, Or just FAQ info like this:
Also we can do a test to check ssl support in connection like: |
|
Another feedback: we should report to the user whether the secure connection works or not:
|
it is easier to read 👍
sounds good
Great. Automated testing is a powerful amazing concept for software development :-) Some pointers
thanks for suggestion but it's not needed. FAQ will be good enough to document this feature.
It's still useful if Piwik lets user know whether the connection is done over SSL. See my previous comment about System check. Finally:
|
Well since I did mysqli first i did not notice that Pdo can be easily done in piwik/core/Db/Adapter/Pdo/Mysql.php. So no Zend modification for this. If it comes to Mysqli.... we need to call mysqli_ssl_set() between mysqli_init() and @mysqli_real_connect()
I started working on it based on LoadDataInfileCheck.php after work and some sleep I think I will have it ready.
I got general idea now to coding. I can't thank you enough for sticking with me. 👍 But Thank you. |
mattab
added
the
Pull Request WIP
|
I am now working on the automated testing, I will try to make it tomorrow (European time) but i am not sure if I will make it. |
| 1013 => null, // 1013 = PDO::MYSQL_ATTR_SSL_CAPATH | ||
| 1011 => null, // 1011 = PDO::MYSQL_ATTR_SSL_CERT | ||
| 1014 => null, // 1014 = PDO::MYSQL_ATTR_SSL_CIPHER | ||
| 1010 => null, // 1015 = PDO::MYSQL_ATTR_SSL_KEY |
There was a problem hiding this comment.
- the comment says
1015but code says1010 - maybe we could use these const directly instead of numeric values (in case they later change) eg.
PDO::MYSQL_ATTR_SSL_CIPHER(if they are defined/available)
|
@ktroska it looks good. I left more comments. once you manage to add the automated test, it should be ready (or almost)! |
|
I have done test but i am not sure if it is ok, it was sure fun to learn something new and usefull. Test: |
|
@ktroska as you can see in the Travis CI output for the job, the tests are failing: https://travis-ci.org/piwik/piwik/jobs/66525061 Here is how the test should work:
Result:
As mentioned our CI runs on both PDO and Mysqli so this test(s) will automatically run on both. |
|
I have learned one thing from earlier testes, that constants in PDO have different values depending on build we have. So I changed the code to only use PDO constants or set values (those 1010-1014) only when using mysqli in case we don't have PDO support. Those values work on my system and they can fail on any others so we can make them very high or change them to something different. Since we are using SSL based constants from PDO this will require PHP 5.3.7 ( http://php.net/manual/en/ref.pdo-mysql.php#pdo-mysql.constants ) this can't(?) be worked around when using PDO driver. I wanted to do mysqli call easier and PDO compatible that's why I am using PDO constants values for mysqli, they can be changed to any other but it needs to be done in 3 places if you think its a good way changing it to some specially set values not PDO compatible than I can change it quickly.
|
| $cipher = Db::fetchRow("show status like 'Ssl_cipher'"); | ||
| $this->assertNotEmpty($cipher['Value']); | ||
| } else { | ||
| $this->isTrue(true); |
There was a problem hiding this comment.
either mark it true or mark it skipped with message like "enable_ssl = 0, test skipped"
|
After some thinking:
|
|
Hi @ktroska We are still interested to have Mysql and SSL support in Piwik and this PR is very promising. What work is left to do in your opinion? if you need some help feel free to ask. Looking forward to having this one merged sometime :-) |
|
@ktroska it would be possible to merge this Pull request in Piwik 3.0.0 - let us know if you are still interested 👍 |
mattab
changed the title
|
Closing the pull request as the work has stalled - it would be awesome if someone would finish this nice work! |
|
Apologies for asking a question on a closed PR, but could @mattab (or someone else) clarify if Piwik 3.2.0 supports secure connections to its MySQL database? If so, what are the SSL (or otherwise) configuration parameters, please? |
|
@RafalLukawiecki no it's not implemented yet. See #7039 |
|
@RafalLukawiecki what we need is support from a developer in the community to finish this PR. we can re-open the PR if anyone will continue work on it 👍 |
|
This pull request has been mentioned on Piwik forums. There might be relevant details there: https://forum.piwik.org/t/force-mysql-connection-to-use-ssl/9447/3 |
* Mysql SSL connection support from pull request #8049 * updated minified js * Add ssl_no_verify config option for skipping certificate verification (works only on some PHP setups). * Remove TODO comment from DbOverSSLCheck diagnostic, will create issue. * Skip test if SSL is not enabled * Undo changes to piwik.js for tests. * Tweak to DbSSLTest.
…o-org#10866) * Mysql SSL connection support from pull request matomo-org#8049 * updated minified js * Add ssl_no_verify config option for skipping certificate verification (works only on some PHP setups). * Remove TODO comment from DbOverSSLCheck diagnostic, will create issue. * Skip test if SSL is not enabled * Undo changes to piwik.js for tests. * Tweak to DbSSLTest.
Hello,
My first ever open source pull request I am beginner but I use Piwik in work and want to make it even better, so please be nice but say if I did it wrong and how I should fix it.
I added the support of ssl for mysqli Adapter. From my point the needed options are ssl-ca and ssl-capath but this can vary on different platforms.
It would be nice to note that mysqli will silently fall back to non ssl connection if server don't support ssl.
Pls. let me know if this will be good, if yes i can think about adding options for sql settings to installer.
MYSQLI_CLIENT_SSL in mysqli_real_connect is completely optional but would be nice to have it in case there will be some changes in mysqli.
fixes #7039