Comments

JWSmith’s picture

File size: 1.01 KB
PASSED: [[SimpleTest]]: [MySQL] 52,256 pass(es).

Proposed additions supplied in attached patch file.

shrop’s picture

Status: Active » Needs review

Changing status to needs review

shrop’s picture

Issue tags: +Guardr
File size: 1 KB
PASSED: [[SimpleTest]]: [MySQL] 52,231 pass(es).

I manually applied the patch in #1 and it worked/looked fine except for one small misspelling. I corrected that and attached an updated patch to this comment.

I also use @JohnWSmith's method for setting up MySQL communications over SSL in the settings.php file. It works nicely. I think this documentation addition will raise awareness of this security-related configuration. I would also like to see this in core so it is available without patching in the Guardr Drupal security distribution. (At this time, inclusion in Guardr will require a 7.x backport.)

danblack’s picture

Issue summary: View changes

Looks good here. Good work.

McGo’s picture

Patch from #3 applied successfully and looks good.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

tomthorp’s picture

I'm currently running Drupal 8.1.8 on a Fedora 24 server with the following configuration:
PHP 7.0.9
MariaDB 10.0.16
PHP-FPM
Apache 2.4.23

I have been able to create the SSL certificates for the CA, Server and Client, and have successfully tested connectivity via the MySQL client. However, I have not been able to connect Drupal 8 to the MariaDB database via SSL. I have seen two different versions of the database configuration in settings.php on drupal.org, however both versions have been unsuccessful.

Scenario 1
=========
$databases['default']['default'] = array (
  'database' => 'drupal8',
  'username' => 'dbuserssh',
  'password' => '****',
  'prefix' => '',
  'host' => '127.0.0.1',
  'port' => '3306',
  'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
  'driver' => 'mysql',
  'pdo' => array(
    MYSQL_ATTR_SSL_KEY => '/sites/tomthorp_intnet/client-key.pem',
    MYSQL_ATTR_SSL_CERT => '/sites/tomthorp_intnet/client-cert.pem',
    MYSQL_ATTR_SSL_CA => '/sites/tomthorp_intnet/ca.pem',
  ),
);

yields ....

[13-Aug-2016 03:43:03 UTC] PDOException: SQLSTATE[HY000] [1045] Access denied for user 'dbuserssh'@'localhost' (using password: YES) in /usr/share/website/drupal/core/lib/Drupal/Component/DependencyInjection/PhpArrayContainer.php on line 79

Scenario 2
=========
$databases['default']['default'] = array (
  'database' => 'drupal8',
  'username' => 'dbuserssh',
  'password' => '******',
  'prefix' => '',
  'host' => '127.0.0.1',
  'port' => '3306',
  'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
  'driver' => 'mysql',
  'pdo' => array(
    PDO::MYSQL_ATTR_SSL_KEY => '/sites/tomthorp_intnet/client-key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/sites/tomthorp_intnet/client-cert.pem',
    PDO::MYSQL_ATTR_SSL_CA => '/sites/tomthorp_intnet/ca.pem',
  ),
);

yields ....

[13-Aug-2016 03:36:27 UTC] PDOException: SQLSTATE[HY000] [2002] in /usr/share/website/drupal/core/lib/Drupal/Component/DependencyInjection/PhpArrayContainer.php on line 79

Has anyone been able to get SSL database connectivity to work in Drupal 8, as there appear to be plenty of examples of SSL working in Drupal 7? Any input would be much appreciated.
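
An added example, not part of the comment above and not Drupal core code: a small lint for the 'pdo' block of a MySQL `$databases` entry that flags option keys that are not `PDO::` constants, a missing CA, and certificate files the PHP process cannot read. It goes slightly beyond the thread by also checking key-file permissions. `check_mysql_tls_options()` is a hypothetical helper, the paths in the sample are placeholders, and the pdo_mysql extension is assumed to be loaded.

```php
<?php
// Added example: check_mysql_tls_options() is a hypothetical helper, not a Drupal API.
// Requires pdo_mysql, which defines the PDO::MYSQL_ATTR_SSL_* constants.

function check_mysql_tls_options(array $connection): array {
  $problems = [];
  $pdo = $connection['pdo'] ?? [];
  $file_options = [
    PDO::MYSQL_ATTR_SSL_KEY => 'client key',
    PDO::MYSQL_ATTR_SSL_CERT => 'client certificate',
    PDO::MYSQL_ATTR_SSL_CA => 'CA certificate',
  ];
  foreach (array_keys($pdo) as $key) {
    // PHP 7 turns an undefined bare constant such as MYSQL_ATTR_SSL_KEY into
    // the string 'MYSQL_ATTR_SSL_KEY', so the option never reaches the driver.
    if (!is_int($key)) {
      $problems[] = "Option key '$key' is a string, not a PDO:: constant.";
    }
  }
  if (!isset($pdo[PDO::MYSQL_ATTR_SSL_CA])) {
    $problems[] = 'PDO::MYSQL_ATTR_SSL_CA is not set, so the server certificate cannot be checked against a CA.';
  }
  foreach ($file_options as $option => $label) {
    if (!isset($pdo[$option])) {
      continue;
    }
    $path = $pdo[$option];
    if (!is_file($path) || !is_readable($path)) {
      $problems[] = "The $label at '$path' is not readable by this PHP process.";
    }
    elseif ($option === PDO::MYSQL_ATTR_SSL_KEY && (fileperms($path) & 0007)) {
      $problems[] = "The $label at '$path' is accessible to other users.";
    }
  }
  return $problems;
}

// Constructed sample input: string keys, as produced by unprefixed constants.
$sample = [
  'driver' => 'mysql',
  'pdo' => [
    'MYSQL_ATTR_SSL_KEY' => '/path/to/client-key.pem',
    'MYSQL_ATTR_SSL_CA' => '/path/to/ca.pem',
  ],
];
foreach (check_mysql_tls_options($sample) as $problem) {
  echo $problem, PHP_EOL;
}
```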

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

cferthorney’s picture

Status: Needs review » Reviewed & tested by the community

This works on my Drupal 8 setup. Should we consider a "Backport to D7" tag?

shrop’s picture

Assigned: JWSmith » Unassigned
Issue tags: +needs backport to D7

DamienMcKenna’s picture

Status: Reviewed & tested by the community » Needs review
File size: 1.08 KB

Rerolled, moved the word "the" to a previous line and changed the array to short syntax.

daffie’s picture

Status: Needs review » Needs work

The patch looks good, but I have some remarks:

  1. The setting of the pdo attributes works only for MySQL. I am missing that in the patch.
  2. With PostgreSQL you can require a SSL connection with the following setting:
     * @code
     * $databases['default']['default'] = array(
     *   'init_commands' => array(
     *     'sslmode' => 'require',
     *   ),
     * );
     * @endcode
    
  3. A SQLite database is always on the local machine so a SSL connection is not useful. Can we add this to the documentation?

gaurav.kapoor’s picture

Assigned: Unassigned » gaurav.kapoor

gaurav.kapoor’s picture

Assigned: gaurav.kapoor » Unassigned
Status: Needs work » Needs review
File sizes: 1.4 KB, 1.07 KB

gaurav.kapoor’s picture

Status: Needs review » Needs work

Please ignore that one. I will upload another patch.

gaurav.kapoor’s picture

Status: Needs work » Needs review
File sizes: 1.77 KB, 1.44 KB

Pavan B S’s picture

+++ b/sites/default/default.settings.php
@@ -193,6 +193,47 @@
+ * Advanced users can also specify MySQL database layer connection security using the

Line exceeding 80 characters
Applying the patch, please review.

daffie’s picture

Status: Needs review » Needs work

Looks better. Some remarks:

  1. +++ b/sites/default/default.settings.php
    @@ -193,6 +193,47 @@
    + * Now if you have the following settings in PostgreSQL:
    

    Can we change this to: "For requiring a SSL connection to a PostgreSQL database add:"

  2. +++ b/sites/default/default.settings.php
    @@ -193,6 +193,47 @@
    + * For PostgreSQL SSL connection use the following settings:
    + * @code
    + * 'pdo' => [
    + *   PGSQL_ATTR_SSL_KEY => '/path/to/ssl-cert.key',
    + *   PGSQL_ATTR_SSL_CERT => '/path/to/ssl-cert.crt',
    + *   PGSQL_ATTR_SSL_CA => '/path/to/ca-cert.crt',
    + *   // Optional
    + *   PGSQL_ATTR_SSL_CAPATH => '/ca/path',
    + *   PGSQL_ATTR_SSL_CIPHER => 'ssl cipher',
    + * ],
    + * @endcode
    + *
    

    There are no such PDO attributes for PostgreSQL

gaurav.kapoor’s picture

Thanks for the review, @daffie. Regarding 19.2, I also wasn't sure about them; I saw them in some solutions on Stack Exchange. Is the MySQL way sufficient for PostgreSQL as well?

gaurav.kapoor’s picture

Status: Needs work » Needs review
File sizes: 1.41 KB, 950 bytes

daffie’s picture

Status: Needs review » Needs work
Issue tags: -Guardr

Looks good to me. Just one remark:

+++ b/sites/default/default.settings.php
@@ -193,6 +193,35 @@
+ * For SQLite database ssl connection settings are not required as it is
+ * only supported on localhost.

Can we change the text to: "SQLite databases do not support a SSL connection, because they only live on the localhost."

shrop’s picture

Issue tags: +Guardr

Adding Guardr tag back in. We use this for tracking issues related to the Guardr distro. Thanks!

daffie’s picture

@shrop: Sorry about removing the tag.

shrop’s picture

@daffie: No worries! Thanks for the help on this issue!

gaurav.kapoor’s picture

Status: Needs work » Needs review
File sizes: 1.4 KB, 563 bytes

daffie’s picture

Status: Needs review » Reviewed & tested by the community

Looks good to me.

@gaurav.kapoor: Thanks for working on this.

cilefen’s picture

Title: SSL PDO Connection Options » Document SSL PDO Connection Options
Category: Feature request » Task
Status: Reviewed & tested by the community » Needs work
Issue tags: +documentation

Thank you all for picking this one up. It is needed.

  1. +++ b/sites/default/default.settings.php
    @@ -193,6 +193,35 @@
    + * Advanced users can also specify MySQL database layer connection security
    + * using the'pdo' attribute for array as follows:
    

    "the'pdo'"

    I am not sure what "database layer" means in this context. It just seems confusing. Are we not talking about "network connection security"?

  2. +++ b/sites/default/default.settings.php
    @@ -193,6 +193,35 @@
    + * For requiring a SSL connection to a PostgreSQL database add:
    

    a/an

  3. +++ b/sites/default/default.settings.php
    @@ -193,6 +193,35 @@
    + * SQLite databases do not support a SSL connection, because they only
    + * live on the localhost.
    

    a/an, some text wrapping issues. I would suggest "...do not support SSL connections."

  4. +++ b/sites/default/default.settings.php
    @@ -193,6 +193,35 @@
    + * Any features supported by the PDO driver of the database can be put into
    + * the 'pdo' attribute array, as defined in the php documentation.
    + * @url http://php.net/manual/en/pdo.drivers.php
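
    Review bot: the reference on the "@url" line points at http://php.net/manual/en/pdo.drivers.php over plain http; since this comment documents how to secure a connection, link to the https:// form of the same URL. On the same lines, "php documentation" should read "PHP documentation", and "@url" is not one of the tags Drupal docblocks use for references, so consider "@see https://..." instead.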
    

    "of the database" is not needed.

All in all, this patch needs work. It starts off by explaining that advanced users can do something with PDO for MySQL, then moves on to (seemingly) non-PDO instructions for Postgre, then discusses SQLite, then back to a general statement about PDO. So, the organization could be much improved.

gaurav.kapoor’s picture

Status: Needs work » Needs review
File size: 1.38 KB

Fixed some of the points suggested in 28 and rearranged documentation contents.