
Support SSL/TLS for MariaDB connections
Open, High, Public

Description

We want to make all connections from our front-end tools REQUIRE SSL in MariaDB (TLS 1.2+), but Phabricator does not allow connecting to MariaDB using SSL/TLS.

Can this be added?


Instructions for setting up MariaDB with secure connections:
https://mariadb.com/kb/en/securing-connections-for-client-and-server/


Prior art: https://secure.phabricator.com/T6931 - marked "Wontfix".
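As an added example (not Phorge code and not from this task), the following PHP/mysqli snippet shows what "require TLS" looks like from both ends: the server is told to refuse plaintext logins, and the client refuses to proceed unless the server certificate verifies against a known CA and the resulting session reports a TLS 1.2+ cipher. The host, account name, CA path and environment variable are placeholders.

```php
<?php
// Added example, not part of Phorge. Connect to MariaDB over TLS with mysqli,
// verify the server certificate, and confirm the session really is encrypted.
// Host names, credentials and certificate paths below are placeholders.
declare(strict_types=1);

// Server side, done once by an administrator so that plaintext logins are refused:
//   in my.cnf under [mariadb]:
//     ssl_cert    = /etc/mysql/server-cert.pem
//     ssl_key     = /etc/mysql/server-key.pem
//     ssl_ca      = /etc/mysql/ca.pem
//     tls_version = TLSv1.2,TLSv1.3        -- MariaDB 10.4.6+, drops TLS 1.0/1.1
//   then either globally (MariaDB 10.5.2+):
//     SET GLOBAL require_secure_transport = ON;
//   or per account:
//     ALTER USER 'phorge'@'%' REQUIRE SSL;

function connectMariaDbTls(
    string $host,
    string $user,
    string $password,
    string $db,
    string $caFile,             // CA that signed the server certificate
    ?string $clientCert = null, // only needed if the account is REQUIRE X509
    ?string $clientKey = null
): mysqli {
    // Throw on any mysqli error instead of returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $conn = mysqli_init();
    // Abort the handshake if the server certificate is not signed by $caFile.
    // Without this flag a client happily "uses TLS" with an attacker's certificate.
    $conn->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    $conn->ssl_set($clientKey, $clientCert, $caFile, null, null);
    // MYSQLI_CLIENT_SSL asks for TLS; the server-side settings above make it mandatory.
    $conn->real_connect($host, $user, $password, $db, 3306, null, MYSQLI_CLIENT_SSL);
    return $conn;
}

/**
 * Return [cipher, version] for the current session, or throw if the session is
 * plaintext or negotiated anything older than TLS 1.2.
 */
function assertEncrypted(mysqli $conn): array {
    $status = [];
    $res = $conn->query(
        "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version')"
    );
    while ($row = $res->fetch_assoc()) {
        $status[$row['Variable_name']] = $row['Value'];
    }
    // Ssl_cipher is the empty string on a plaintext session.
    $cipher  = $status['Ssl_cipher'] ?? '';
    $version = $status['Ssl_version'] ?? '';
    if ($cipher === '') {
        throw new RuntimeException('database connection is not encrypted');
    }
    if (!in_array($version, ['TLSv1.2', 'TLSv1.3'], true)) {
        throw new RuntimeException("unexpected TLS version negotiated: {$version}");
    }
    return [$cipher, $version];
}

// Usage (placeholders): fails loudly instead of silently falling back to plaintext.
$conn = connectMariaDbTls(
    'db.example.internal',
    'phorge',
    getenv('DB_PASSWORD') ?: '',
    'phorge',
    '/etc/ssl/db-ca.pem'
);
[$cipher, $version] = assertEncrypted($conn);
echo "TLS session: {$version} {$cipher}\n";
```

The two halves matter together: `REQUIRE SSL` or `require_secure_transport` stops an application that forgot to ask for TLS, while `MYSQLI_OPT_SSL_VERIFY_SERVER_CERT` plus the post-connect `Ssl_cipher` check stop an application from being satisfied by an unauthenticated or downgraded session.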

Event Timeline

I'll try to look into the feasibility of this later this week. Presumably it shouldn't be too difficult: adding a few configs to point to the certificate files and updating the DAO (I think it's named Lisk?).

I’d definitely try, but it depends if we are using GitHub or command line git.

Is there an update on this? we would love to see this feature soon

> Is there an update on this? we would love to see this feature soon

Apologies about the wait. I am currently on a holiday, thus, will be unable to upload any patches for this month. I'll try to research this later. Again, apologies.


> I’d definitely try, but it depends if we are using GitHub or command line git.

Do you have a local commit working?

If you don't like Arcanist, feel free to just do a pull request on GitHub and we will convert that to an Arcanist patch. For me this is just a matter of:

git clone your_branch
arc diff

> If you don't like Arcanist, feel free to just do a pull request on GitHub and we will convert that to an Arcanist patch.

No, we don't want to do that.

Contributions to Phorge must be made here directly.

(By the way, let's find out whether this user has a local commit published somewhere.) Thanks @Labricator for sharing this info.

We need a NO PULL REQUESTS! script. It reminds me of the old days, when people said this in Phabricator pull requests:

epriestley, please pull this!
I want you to add this:
<any kind of feature request>

In response, epriestley says:

NO PULL REQUESTS!
We do not accept pull requests. Please create a task in Phabricator.

avivey triaged this task as High priority. Jun 3 2023, 08:18

It's 2023, I think "not supporting TLS" should count as "high pri bug" now.

Taking a stab at what it would look like in D25276: Add support for secure connections to the database. It's not tested at all yet but I think that's roughly the shape it would take. I haven't looked into how this would affect cluster environments but I think that is covered.

I picked this up again recently. I'm stuck on getting MariaDB valid certificates to use for its connections, for testing my Phorge changes.

I have this working now in https://we.phorge.it/D25276. I still have it marked as draft because there are some outstanding things that should be decided/addressed:

  1. Whether the client certificate should be configurable. Ideally this is something that would be configured in php.ini rather than directly in Phorge, but at the moment I don't think it can be.
  2. Updating documentation to specify how to set up TLS/SSL. For database configurations there is now a use-tls flag which will require connecting to the database using TLS. For turning on TLS/SSL on the database itself we can probably provide pointers, but determining that is left to the reader, based on their database.
  3. Database clusters with master and replicas? I don't know how to set this up. These changes might affect cluster DBs, but I'm unsure and it's untested.

I welcome a review of the current state for initial feedback.

I have reviewed it and made some comments. On a remotely related topic: TLS handshakes are expensive, and persistent connections can reduce latency and server load by reusing TLS connections, so maybe we should make it configurable outside of cluster.databases as well.