Page MenuHomePhorge
Create Task
Maniphest T15045

Support SSL/TLS for MariaDB connections
Open, HighPublic
Actions

Description

We want to make all connections from our front end tools REQUIRE SSL in MariaDB (for TLS 1.2+) but Phabricator does not allow connecting to MariaDB using SSL/TLS

Can this be added?

Instructions for setting up MariaDB with secure connections
https://mariadb.com/kb/en/securing-connections-for-client-and-server/

Prior art: https://secure.phabricator.com/T6931 - marked "Wontfix".

Revisions and Commits

rP Phorge
DraftD25276 Add support for secure connections to the database

Related Objects

Event Timeline

RhinosF1 created this task.Sep 4 2021, 20:26
Herald added subscribers: chris, speck, tobiaswiese, eax. · View Herald TranscriptSep 4 2021, 20:26
speck updated the task description. (Show Details)Sep 4 2021, 20:34
speck added a comment.Sep 4 2021, 20:36

I'll try to look into feasibility of this later this week. Presumably it shouldn't be too difficult, adding a few configs to point to the certificate files and updating the DAO (I think is named Lisk?).

pasik subscribed.Sep 6 2021, 14:52
Labricator subscribed.Oct 24 2021, 19:40

Any progress on this? Consensus?

Ekubischta subscribed.Oct 25 2021, 13:04

@Labricator Could you propose and submit a revision?

Labricator added a comment.Oct 25 2021, 19:41

I’d definitely try, but it depends if we are using GitHub or command line git.

Ekubischta added a comment.Oct 25 2021, 23:01

I would use arc diff

goddenrich subscribed.Nov 25 2021, 15:29

Is there an update on this? we would love to see this feature soon

Labricator added a comment.Nov 25 2021, 17:40
In T15045#1613, @goddenrich wrote:

Is there an update on this? we would love to see this feature soon

Apologies about the wait. I am currently on a holiday, thus, will be unable to upload any patches for this month. I'll try to research this later. Again, apologies.

Bukkit subscribed.Nov 28 2021, 01:21
This comment was removed by Bukkit.
Cigaryno subscribed.Sep 15 2022, 18:15
avivey mentioned this in T15102: Implement SSL connection for database.Apr 6 2023, 09:57
avivey added subscribers: valerio.bozzolan, avivey.Apr 6 2023, 10:00

Merging T15102 here; cc @marting, @valerio.bozzolan.

avivey awarded a token.Apr 6 2023, 10:00
avivey removed a project: Config (archived).
Cigaryno merged a task: T15102: Implement SSL connection for database.Apr 6 2023, 10:01
Cigaryno added subscribers: martin, Matthew.
valerio.bozzolan added a comment.Apr 6 2023, 10:14
In T15045#1474, @Labricator wrote:

I’d definitely try, but it depends if we are using GitHub or command line git.

Do you have a local commit working?

If you don't like Arcanist, feel free to just do a pull request on GitHub and we will convert that to an Arcanist patch. For me this is just a matter of:

git clone your_branch
arc diff
avivey added a comment.Apr 6 2023, 10:16

If you don't like Arcanist, feel free to just do a pull request on GitHub and we will convert that to an Arcanist patch.

No, we don't want to do that.

Contributions to Phorge must be made here directly.

valerio.bozzolan added a comment.Apr 6 2023, 10:18

(By the way let's understand if this user has a local commit published somewhere) - thanks @Labricator for sharing this info

Cigaryno added a comment.Apr 6 2023, 10:22

We need a NO PULL REQUESTS! script. It reminds me in the old days people who says this in Phabricator in pull requests:

epriestley, please pull this!
I want you to add this:
<any kind of feature request>

In response, epriestley says:

NO PULL REQUESTS!
We do not accept pull requests. Please create a task in Phabricator.

avivey triaged this task as High priority.Jun 3 2023, 08:18

It's 2023, I think "not supporting TLS" should count as "high pri bug" now.

speck added a comment.Jun 3 2023, 21:35

Taking a stab at what it would look like in D25276: Add support for secure connections to the database. It's not tested at all yet but I think that's roughly the shape it would take. I haven't looked into how this would affect cluster environments but I think that is covered.

valerio.bozzolan added a revision: D25276: Add support for secure connections to the database.Jun 16 2023, 09:22
avivey updated the task description. (Show Details)Jul 19 2023, 05:58
speck added a comment.Jul 19 2023, 11:43

I picked this up again recently. I’m stuck on getting mariadb valid certificates it uses for connections, for testing my Phorge changes.

speck added a comment.EditedJul 22 2023, 04:11

I have this working now in https://we.phorge.it/D25276. I still have it marked as draft because there are some outstanding things that should be decided/addressed

  1. Whether client certificate should be configurable. Ideally this is something that would be configured in the php.ini rather than directly in phorge but at the moment I don't think it can be.
  2. Updating documentation to specify how to set up TLS/SSL. For database configurations there's now a use-tls flag which will require connecting to the database using TLS. Turning on TLS/SSL on the database we can probably provide pointers but it's left to the reader for determining that based on their database.
  3. Database clusters with master & replicas? I don't know how to set this up. Those changes might affect cluster dbs but I'm unsure and it's untested.

I welcome a review of the current state for initial feedback