From 65d56c05c5048313c5db9d49a234bd0ae8599e85 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 17:06:18 +0100 Subject: [PATCH 01/26] Enable TLS connections in Mysqli driver --- src/Mysqli/MysqliDriver.php | 77 ++++++++++++++++++++++++++++++++++++- 1 file changed, 76 insertions(+), 1 deletion(-) diff --git a/src/Mysqli/MysqliDriver.php b/src/Mysqli/MysqliDriver.php index c4451f932..31bd89f2f 100644 --- a/src/Mysqli/MysqliDriver.php +++ b/src/Mysqli/MysqliDriver.php @@ -124,6 +124,18 @@ public function __construct(array $options) $options['socket'] = $options['socket'] ?? null; $options['utf8mb4'] = isset($options['utf8mb4']) ? (bool) $options['utf8mb4'] : false; $options['sqlModes'] = isset($options['sqlModes']) ? (array) $options['sqlModes'] : $sqlModes; + $options['ssl'] = isset($options['ssl']) ? $options['ssl'] : []; + + if ($options['ssl'] !== []) + { + $options['ssl']['enable'] = isset($options['ssl']['enable']) ? $options['ssl']['enable'] : false; + $options['ssl']['cipher'] = isset($options['ssl']['cipher']) ? $options['ssl']['cipher'] : null; + $options['ssl']['ca'] = isset($options['ssl']['ca']) ? $options['ssl']['ca'] : null; + $options['ssl']['capath'] = isset($options['ssl']['capath']) ? $options['ssl']['capath'] : null; + $options['ssl']['key'] = isset($options['ssl']['key']) ? $options['ssl']['key'] : null; + $options['ssl']['cert'] = isset($options['ssl']['cert']) ? $options['ssl']['cert'] : null; + $options['ssl']['verify_server_cert'] = isset($options['ssl']['verify_server_cert']) ? $options['ssl']['verify_server_cert'] : null; + } // Finalize initialisation. parent::__construct($options); 
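Review bot: `ssl.enable` and `ssl.verify_server_cert` are stored without a bool cast, while the connect() code later in this series compares them with `=== true`, so a configured value of `1` or `'1'` leaves TLS silently disabled (fail-open) instead of being rejected. I'd normalise the flag with `$options['ssl']['enable'] = isset($options['ssl']['enable']) ? (bool) $options['ssl']['enable'] : false;` and keep the tri-state for `verify_server_cert` but cast when present: `isset($options['ssl']['verify_server_cert']) ? (bool) $options['ssl']['verify_server_cert'] : null`. With `verify_server_cert` left null nothing in this driver asks for peer verification, so either default it to true when `ca`/`capath` is given or say in a comment that the library default applies. The constructor continues outside the hunk.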
@@ -211,9 +223,50 @@ public function connect() $this->connection = mysqli_init(); + $connectionFlags = 0; + + // For SSL/TLS connection encryption. + if ($this->options['ssl'] !== [] && $this->options['ssl']['enable'] === true) + { + $connectionFlags += MYSQLI_CLIENT_SSL; + + // Verify server certificate is only availble in PHP 5.6.16+. See https://www.php.net/ChangeLog-5.php#5.6.16 + if (isset($this->options['ssl']['verify_server_cert'])) + { + // New constants in PHP 5.6.16+. See https://www.php.net/ChangeLog-5.php#5.6.16 + if ($this->options['ssl']['verify_server_cert'] === true && defined('MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT')) + { + $connectionFlags += MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT; + } + elseif ($this->options['ssl']['verify_server_cert'] === false && defined('MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT')) + { + $connectionFlags += MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT; + } + elseif (defined('MYSQLI_OPT_SSL_VERIFY_SERVER_CERT')) + { + $this->connection->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, $this->options['ssl']['verify_server_cert']); + } + } + + // Add SSL/TLS options only if changed. + $this->connection->ssl_set( + $this->options['ssl']['key'], + $this->options['ssl']['cert'], + $this->options['ssl']['ca'], + $this->options['ssl']['capath'], + $this->options['ssl']['cipher'] + ); + } + // Attempt to connect to the server, use error suppression to silence warnings and allow us to throw an Exception separately. $connected = @$this->connection->real_connect( - $this->options['host'], $this->options['user'], $this->options['password'], null, $this->options['port'], $this->options['socket'] + $this->options['host'], + $this->options['user'], + $this->options['password'], + null, + $this->options['port'], + $this->options['socket'], + $connectionFlags ); if (!$connected) 
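Review bot: When `verify_server_cert` is null none of the three verify branches runs, so the session is encrypted but whether the server certificate is checked against `ca`/`capath` is left to the client library's default; I'd either fail closed by adding `MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT` whenever a CA is configured, or state the default explicitly in the comment. The flags are bit masks, so combine them with `$connectionFlags |= MYSQLI_CLIENT_SSL;` rather than `+=` (harmless today, wrong the moment a flag is added twice). The comment `// Add SSL/TLS options only if changed.` no longer matches the code, since `ssl_set()` is called unconditionally with whatever nulls the options hold. connect() continues outside the hunk.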
@@ -408,6 +461,28 @@ public function getConnectionCollation() return $this->setQuery('SELECT @@collation_connection;')->loadResult(); } + /** + * Method to get the database encryption details (cipher and protocol) in use. + * + * @return string The database encryption details. + * + * @since __DEPLOY_VERSION__ + * @throws \RuntimeException + */ + public function getConnectionEncryption(): string + { + $this->connect(); + + $variables = $this->setQuery('SHOW SESSION STATUS WHERE `Variable_name` IN (\'Ssl_version\', \'Ssl_cipher\')')->loadObjectList('Variable_name'); + + if (!empty($variables['Ssl_cipher']->Value)) + { + return $variables['Ssl_version']->Value . ' (' . $variables['Ssl_cipher']->Value . ')'; + } + + return ''; + } + /** * Return the query string to create new Database. * From 0d331d33c13270d7e9a117e32642d68393b0bd11 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 17:08:00 +0100 Subject: [PATCH 02/26] Enable TLS connections in PDO Mysql driver --- src/Mysql/MysqlDriver.php | 62 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/src/Mysql/MysqlDriver.php b/src/Mysql/MysqlDriver.php index 057190a84..30439b378 100644 --- a/src/Mysql/MysqlDriver.php +++ b/src/Mysql/MysqlDriver.php 
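Review bot: Nothing after connect() confirms that a session requested with `ssl.enable` is actually encrypted; this method is the natural probe, and I'd have connect() call it when `ssl.enable` is true and throw if it returns `''`, as defence in depth (whether mysqlnd can ever downgrade with `MYSQLI_CLIENT_SSL` set I can't tell from here). The docblock should also say what the empty string means, e.g. `@return string Protocol and cipher, e.g. 'TLSv1.2 (AES256-GCM-SHA384)', or '' when the connection is not encrypted.` `$variables['Ssl_version']->Value` is read without an `isset`; that holds only because both status variables are reported together, which deserves a one-line comment.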
@@ -103,6 +103,18 @@ public function __construct(array $options) $options['driver'] = 'mysql'; $options['charset'] = $options['charset'] ?? 'utf8'; $options['sqlModes'] = isset($options['sqlModes']) ? (array) $options['sqlModes'] : $sqlModes; + $options['ssl'] = isset($options['ssl']) ? $options['ssl'] : []; + + if ($options['ssl'] !== []) + { + $options['ssl']['enable'] = isset($options['ssl']['enable']) ? $options['ssl']['enable'] : false; + $options['ssl']['cipher'] = isset($options['ssl']['cipher']) ? $options['ssl']['cipher'] : null; + $options['ssl']['ca'] = isset($options['ssl']['ca']) ? $options['ssl']['ca'] : null; + $options['ssl']['capath'] = isset($options['ssl']['capath']) ? $options['ssl']['capath'] : null; + $options['ssl']['key'] = isset($options['ssl']['key']) ? $options['ssl']['key'] : null; + $options['ssl']['cert'] = isset($options['ssl']['cert']) ? $options['ssl']['cert'] : null; + $options['ssl']['verify_server_cert'] = isset($options['ssl']['verify_server_cert']) ? $options['ssl']['verify_server_cert'] : null; + } $this->charset = $options['charset']; 
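Review bot: This normalisation block is a verbatim copy of the one added to MysqliDriver earlier in the series, including the uncast `enable` flag that the `=== true` check in connect() then silently treats as disabled, so the two copies will drift. A shared helper on the base driver that takes the raw `ssl` array and returns the normalised one (with `(bool)` on `enable`) would keep the drivers consistent and fix the cast in one place. The constructor continues outside the hunk.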
@@ -132,6 +144,34 @@ public function connect() return; } + // For SSL/TLS connection encryption. + if ($this->options['ssl'] !== [] && $this->options['ssl']['enable'] === true) + { + $tlsContextIsNull = true; + + // If costumized, add ciphersuit, ca file path, ca path, private key file path and certificate file path to PDO driver options. + foreach (['cipher', 'ca', 'capath', 'key', 'cert'] as $key => $value) + { + if ($this->options['ssl'][$value] !== null) + { + $this->options['driverOptions'][constant('\PDO::MYSQL_ATTR_SSL_' . strtoupper($value))] = $this->options['ssl'][$value]; + $tlsContextIsNull = false; + } + } + + // In PDO, if no cipher, ca, capath, cert and key are set, we can't start TLS one-way encryption, so set a ciphersuit with common ciphers to force it. + if ($tlsContextIsNull === true) + { + $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = 'AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-CBC-SHA256:AES256-CBC-SHA384:DES-CBC3-SHA'; + } + + // If costumized, for capable systems (PHP 7.0.14+ or PHP 7.1.4+) add flag to verify server certificate (along with Common Name) to PDO driver options. + if ($this->options['ssl']['verify_server_cert'] !== null && defined('\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT')) + { + $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = $this->options['ssl']['verify_server_cert']; + } + } + try { // Try to connect to MySQL 
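Review bot: The fallback cipher list ends with `DES-CBC3-SHA`, a 3DES suite with a 64-bit block that is widely deprecated (SWEET32 class), and it sits on the path taken whenever the operator sets only `enable`, which is the common case. I'd drop it and the CBC entries in favour of the AEAD suites, `'AES128-GCM-SHA256:AES256-GCM-SHA384'`, after checking the MySQL builds you target still negotiate (I'm also not certain `AES128-CBC-SHA256` is the OpenSSL spelling; `AES128-SHA256` is the short name I know). Since this list is the only thing that turns TLS on for PDO, the comment should warn that removing it silently reverts the connection to plaintext, and the null `verify_server_cert` case should be documented as "library default, no verification guaranteed". `$key` in the foreach is unused and `$value` is really the option name, so `foreach ([...] as $name)` reads better. connect() continues outside the hunk.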
@@ -296,6 +336,28 @@ public function getConnectionCollation() return $this->setQuery('SELECT @@collation_connection;')->loadResult(); } + /** + * Method to get the database encryption details (cipher and protocol) in use. + * + * @return string The database encryption details. + * + * @since __DEPLOY_VERSION__ + * @throws \RuntimeException + */ + public function getConnectionEncryption(): string + { + $this->connect(); + + $variables = $this->setQuery('SHOW SESSION STATUS WHERE `Variable_name` IN (\'Ssl_version\', \'Ssl_cipher\')')->loadObjectList('Variable_name'); + + if (!empty($variables['Ssl_cipher']->Value)) + { + return $variables['Ssl_version']->Value . ' (' . $variables['Ssl_cipher']->Value . ')'; + } + + return ''; + } + /** * Return the query string to create new Database. * From 06a93968f3091a8da092635af763b2aa993c0ff4 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 17:51:50 +0100 Subject: [PATCH 03/26] Add getConnectionEncryption to interface --- src/DatabaseInterface.php | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/DatabaseInterface.php b/src/DatabaseInterface.php index 11c6b35d2..f09850c06 100644 --- a/src/DatabaseInterface.php +++ b/src/DatabaseInterface.php @@ -140,6 +140,15 @@ public function getConnection(); */ public function getConnectionCollation(); + /** + * Method to get the database encryption details (cipher and protocol) in use. + * + * @return string The database encryption details. + * + * @since __DEPLOY_VERSION__ + */ + public function getConnectionEncryption(): string; + /** * Get the total number of SQL statements executed by the database driver. * From 5e73c2a3db8599a76052c60c225f28afdc4906a0 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 18:22:39 +0100 Subject: [PATCH 04/26] Add getConnectionEncryption() empty method to SqlLite Driver --- src/Sqlite/SqliteDriver.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
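Review bot: The interface docblock for `getConnectionEncryption()` does not say what the empty string means, and the implementations in this series return `''` both for "connection is not encrypted" and for "driver cannot tell", which a caller deciding whether data in transit is protected will conflate. I'd extend the `@return` to `The protocol and cipher in use, or an empty string when the connection is not encrypted or the driver cannot report it.` and add a `@throws \RuntimeException` note that implementations may open the connection first, as the MySQL ones do by calling `connect()`.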
diff --git a/src/Sqlite/SqliteDriver.php b/src/Sqlite/SqliteDriver.php index f7c4f5bde..f2d89681d 100644 --- a/src/Sqlite/SqliteDriver.php +++ b/src/Sqlite/SqliteDriver.php @@ -168,6 +168,20 @@ public function getConnectionCollation() return $this->charset; } + /** + * Method to get the database encryption details (cipher and protocol) in use. + * + * @return string The database encryption details. + * + * @since __DEPLOY_VERSION__ + * @throws \RuntimeException + */ + public function getConnectionEncryption(): string + { + // TODO: Not fake this + return ''; + } + /** * Shows the table CREATE statement that creates the given tables. * From 4502c647f42ffe8e1e55d952126661cb86fdc3b8 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 18:22:46 +0100 Subject: [PATCH 05/26] Add getConnectionEncryption() empty method to Sqlsrv Driver --- src/Sqlsrv/SqlsrvDriver.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/Sqlsrv/SqlsrvDriver.php b/src/Sqlsrv/SqlsrvDriver.php index aaabea81f..ea5f2b92c 100644 --- a/src/Sqlsrv/SqlsrvDriver.php +++ b/src/Sqlsrv/SqlsrvDriver.php @@ -354,6 +354,20 @@ public function getConnectionCollation() return 'MSSQL UTF-8 (UCS2)'; } + /** + * Method to get the database encryption details (cipher and protocol) in use. + * + * @return string The database encryption details. + * + * @since __DEPLOY_VERSION__ + * @throws \RuntimeException + */ + public function getConnectionEncryption(): string + { + // TODO: Not fake this + return ''; + } + /** * Retrieves field information about the given tables. * From c50fe4eb0f55bbf6e69cca2f0b8a0ef409e73633 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 18:24:42 +0100 Subject: [PATCH 06/26] @andrepereiradasilva Add getConnectionEncryption() empty method to Pgsql Driver --- src/Pgsql/PgsqlDriver.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
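Review bot: The Sqlsrv stub returns `''` for every connection, which callers will read as "not encrypted" even when the server enforces encryption, and the `// TODO: Not fake this` marker does not say so. I'd replace it with a comment that states the contract gap explicitly, `// Encryption status is not queried for this driver yet; '' here means unknown, not plaintext.`, and drop the `@throws \RuntimeException` tag since nothing in the body can throw.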
diff --git a/src/Pgsql/PgsqlDriver.php b/src/Pgsql/PgsqlDriver.php index 04b165b3e..4208b65c5 100644 --- a/src/Pgsql/PgsqlDriver.php +++ b/src/Pgsql/PgsqlDriver.php @@ -133,6 +133,20 @@ public function getConnectionCollation() return $array[0]['lc_collate']; } + /** + * Method to get the database encryption details (cipher and protocol) in use. + * + * @return string The database encryption details. + * + * @since __DEPLOY_VERSION__ + * @throws \RuntimeException + */ + public function getConnectionEncryption(): string + { + // TODO: Not fake this + return ''; + } + /** * Shows the table CREATE statement that creates the given tables. * From 233f2ee778d6cfa1344cd7017da638796cdb472d Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 18:40:33 +0100 Subject: [PATCH 07/26] Add getConnectionEncryption() method to NoSQL Driver test --- Tests/Stubs/nosqldriver.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Tests/Stubs/nosqldriver.php b/Tests/Stubs/nosqldriver.php index b4115c2d1..e8384c87c 100644 --- a/Tests/Stubs/nosqldriver.php +++ b/Tests/Stubs/nosqldriver.php @@ -214,6 +214,19 @@ public function getConnectionCollation() return false; } + /** + * Method to get the database encryption details (cipher and protocol) in use. + * + * @return string The database encryption details. + * + * @since __DEPLOY_VERSION__ + * @throws \RuntimeException + */ + public function getConnectionEncryption(): string + { + return ''; + } + /** * Get the number of returned rows for the previous executed SQL statement. * From 829aa6bcfca952b2391ee5bdeac6e23e09255604 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 18:45:01 +0100 Subject: [PATCH 08/26] Add getConnectionEncryption methos to driver mock --- Tests/Mock/Driver.php | 1 + 1 file changed, 1 insertion(+) diff --git a/Tests/Mock/Driver.php b/Tests/Mock/Driver.php index 44f44d3ca..b5aec54c1 100644 --- a/Tests/Mock/Driver.php +++ b/Tests/Mock/Driver.php 
@@ -48,6 +48,7 @@ public static function create(TestCase $test, $nullDate = '0000-00-00 00:00:00', 'getAffectedRows', 'getCollation', 'getConnectionCollation', + 'getConnectionEncryption', 'getConnectors', 'getDateFormat', 'getInstance', From 55f1fbc5e2f76c465f02f175a9d10d8c16ab4df3 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 18:55:35 +0100 Subject: [PATCH 09/26] cs line size ... --- src/Mysqli/MysqliDriver.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/Mysqli/MysqliDriver.php b/src/Mysqli/MysqliDriver.php index 31bd89f2f..1267d12df 100644 --- a/src/Mysqli/MysqliDriver.php +++ b/src/Mysqli/MysqliDriver.php @@ -473,7 +473,8 @@ public function getConnectionEncryption(): string { $this->connect(); - $variables = $this->setQuery('SHOW SESSION STATUS WHERE `Variable_name` IN (\'Ssl_version\', \'Ssl_cipher\')')->loadObjectList('Variable_name'); + $variables = $this->setQuery('SHOW SESSION STATUS WHERE `Variable_name` IN (\'Ssl_version\', \'Ssl_cipher\')') + ->loadObjectList('Variable_name'); if (!empty($variables['Ssl_cipher']->Value)) { From 367784f2d7a085fa6ca11fbe3933bb32b2715453 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 19:01:33 +0100 Subject: [PATCH 10/26] cs line size ... --- src/Mysql/MysqlDriver.php | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/Mysql/MysqlDriver.php b/src/Mysql/MysqlDriver.php index 30439b378..b10d9fa52 100644 --- a/src/Mysql/MysqlDriver.php +++ b/src/Mysql/MysqlDriver.php 
@@ -159,13 +159,19 @@ public function connect() } } - // In PDO, if no cipher, ca, capath, cert and key are set, we can't start TLS one-way encryption, so set a ciphersuit with common ciphers to force it. + // PDO, if no cipher, ca, capath, cert and key are set, can't start TLS one-way connection, set a common ciphers suit to force it. if ($tlsContextIsNull === true) { - $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = 'AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-CBC-SHA256:AES256-CBC-SHA384:DES-CBC3-SHA'; + $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = implode(':', [ + 'AES128-GCM-SHA256', + 'AES256-GCM-SHA384', + 'AES128-CBC-SHA256', + 'AES256-CBC-SHA384', + 'DES-CBC3-SHA', + ]); } - // If costumized, for capable systems (PHP 7.0.14+ or PHP 7.1.4+) add flag to verify server certificate (along with Common Name) to PDO driver options. + // If costumized, for capable systems (PHP 7.0.14+ and 7.1.4+) verify certificate chain and Common Name to driver options. if ($this->options['ssl']['verify_server_cert'] !== null && defined('\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT')) { $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = $this->options['ssl']['verify_server_cert']; @@ -348,7 +354,8 @@ public function getConnectionEncryption(): string { $this->connect(); - $variables = $this->setQuery('SHOW SESSION STATUS WHERE `Variable_name` IN (\'Ssl_version\', \'Ssl_cipher\')')->loadObjectList('Variable_name'); + $variables = $this->setQuery('SHOW SESSION STATUS WHERE `Variable_name` IN (\'Ssl_version\', \'Ssl_cipher\')') + ->loadObjectList('Variable_name'); if (!empty($variables['Ssl_cipher']->Value)) { From ddcadcb9613bc1e399cd0096bb2df6f54df054d3 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 19:14:00 +0100 Subject: [PATCH 11/26] cs again --- src/Mysql/MysqlDriver.php | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
diff --git a/src/Mysql/MysqlDriver.php b/src/Mysql/MysqlDriver.php index b10d9fa52..a57e74e3f 100644 --- a/src/Mysql/MysqlDriver.php +++ b/src/Mysql/MysqlDriver.php @@ -163,12 +163,13 @@ public function connect() if ($tlsContextIsNull === true) { $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = implode(':', [ - 'AES128-GCM-SHA256', - 'AES256-GCM-SHA384', - 'AES128-CBC-SHA256', - 'AES256-CBC-SHA384', - 'DES-CBC3-SHA', - ]); + 'AES128-GCM-SHA256', + 'AES256-GCM-SHA384', + 'AES128-CBC-SHA256', + 'AES256-CBC-SHA384', + 'DES-CBC3-SHA', + ] + ); } // If costumized, for capable systems (PHP 7.0.14+ and 7.1.4+) verify certificate chain and Common Name to driver options. From 59366235e19b7f865701f5fef9cb49ee273223dc Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 19:20:31 +0100 Subject: [PATCH 12/26] default cipher suit --- src/Mysql/MysqlDriver.php | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/src/Mysql/MysqlDriver.php b/src/Mysql/MysqlDriver.php index a57e74e3f..d9f73d3f0 100644 --- a/src/Mysql/MysqlDriver.php +++ b/src/Mysql/MysqlDriver.php @@ -79,6 +79,20 @@ class MysqlDriver extends PdoDriver implements UTF8MB4SupportInterface */ protected static $dbMinMariadb = '10.0'; + /** + * The default cipher suit for TLS connections. + * + * @var array + * @since __DEPLOY_VERSION__ + */ + protected static $defaultCipherSuit = [ + 'AES128-GCM-SHA256', + 'AES256-GCM-SHA384', + 'AES128-CBC-SHA256', + 'AES256-CBC-SHA384', + 'DES-CBC3-SHA', + ]; + /** * Constructor. * @@ -147,7 +161,7 @@ public function connect() // For SSL/TLS connection encryption. if ($this->options['ssl'] !== [] && $this->options['ssl']['enable'] === true) { - $tlsContextIsNull = true; + $sslContextIsNull = true; // If costumized, add ciphersuit, ca file path, ca path, private key file path and certificate file path to PDO driver options. foreach (['cipher', 'ca', 'capath', 'key', 'cert'] as $key => $value) 
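Review bot: `$defaultCipherSuite` is the list connect() hands to `PDO::MYSQL_ATTR_SSL_CIPHER` whenever no other ssl option is set, but its docblock does not say so, nor that the last entry `DES-CBC3-SHA` is a 3DES suite most TLS hardening guidance now rejects. I'd document the condition on the property, `Used only when none of cipher/ca/capath/key/cert is configured; it exists to force PDO into TLS, not as a hardened policy.`, and make the list a `private const` since nothing modifies it. Whether `AES128-CBC-SHA256`/`AES256-CBC-SHA384` are spellings the linked OpenSSL accepts is worth checking; the short names I know are `AES128-SHA256`/`AES256-SHA256`.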
@@ -155,21 +169,14 @@ public function connect() if ($this->options['ssl'][$value] !== null) { $this->options['driverOptions'][constant('\PDO::MYSQL_ATTR_SSL_' . strtoupper($value))] = $this->options['ssl'][$value]; - $tlsContextIsNull = false; + $sslContextIsNull = false; } } // PDO, if no cipher, ca, capath, cert and key are set, can't start TLS one-way connection, set a common ciphers suit to force it. - if ($tlsContextIsNull === true) + if ($sslContextIsNull === true) { - $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = implode(':', [ - 'AES128-GCM-SHA256', - 'AES256-GCM-SHA384', - 'AES128-CBC-SHA256', - 'AES256-CBC-SHA384', - 'DES-CBC3-SHA', - ] - ); + $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = implode(':', $this->defaultCipherSuit); } // If costumized, for capable systems (PHP 7.0.14+ and 7.1.4+) verify certificate chain and Common Name to driver options. From 66c39cf5f0013fbdc8b5691a64ff7ee318f89e23 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 15 Jul 2019 19:21:32 +0100 Subject: [PATCH 13/26] static... --- src/Mysql/MysqlDriver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Mysql/MysqlDriver.php b/src/Mysql/MysqlDriver.php index d9f73d3f0..cc47a93d9 100644 --- a/src/Mysql/MysqlDriver.php +++ b/src/Mysql/MysqlDriver.php @@ -176,7 +176,7 @@ public function connect() // PDO, if no cipher, ca, capath, cert and key are set, can't start TLS one-way connection, set a common ciphers suit to force it. if ($sslContextIsNull === true) { - $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = implode(':', $this->defaultCipherSuit); + $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = implode(':', static::defaultCipherSuit); } // If costumized, for capable systems (PHP 7.0.14+ and 7.1.4+) verify certificate chain and Common Name to driver options. From 8de2ead968287c2a115c2164ca44a5b11a4dc861 Mon Sep 17 00:00:00 2001 
From: andrepereiradasilva Date: Mon, 15 Jul 2019 19:31:46 +0100 Subject: [PATCH 14/26] ups --- src/Mysql/MysqlDriver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Mysql/MysqlDriver.php b/src/Mysql/MysqlDriver.php index cc47a93d9..336f2c984 100644 --- a/src/Mysql/MysqlDriver.php +++ b/src/Mysql/MysqlDriver.php @@ -176,7 +176,7 @@ public function connect() // PDO, if no cipher, ca, capath, cert and key are set, can't start TLS one-way connection, set a common ciphers suit to force it. if ($sslContextIsNull === true) { - $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = implode(':', static::defaultCipherSuit); + $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = implode(':', static::$defaultCipherSuit); } // If costumized, for capable systems (PHP 7.0.14+ and 7.1.4+) verify certificate chain and Common Name to driver options. From cbba29aa1527c53c2894c88bb5d8e1eb5b68d2bc Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Tue, 16 Jul 2019 12:09:07 +0100 Subject: [PATCH 15/26] move tls options to main PDO driver so it's available fro all PDO drivers 1/2 --- src/Pdo/PdoDriver.php | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/Pdo/PdoDriver.php b/src/Pdo/PdoDriver.php index 1c5fe0959..4925a06e8 100644 --- a/src/Pdo/PdoDriver.php +++ b/src/Pdo/PdoDriver.php 
@@ -78,6 +78,18 @@ public function __construct(array $options) $options['port'] = isset($options['port']) ? (int) $options['port'] : null; $options['password'] = $options['password'] ?? ''; $options['driverOptions'] = $options['driverOptions'] ?? []; + $options['ssl'] = isset($options['ssl']) ? $options['ssl'] : []; + + if ($options['ssl'] !== []) + { + $options['ssl']['enable'] = isset($options['ssl']['enable']) ? $options['ssl']['enable'] : false; + $options['ssl']['cipher'] = isset($options['ssl']['cipher']) ? $options['ssl']['cipher'] : null; + $options['ssl']['ca'] = isset($options['ssl']['ca']) ? $options['ssl']['ca'] : null; + $options['ssl']['capath'] = isset($options['ssl']['capath']) ? $options['ssl']['capath'] : null; + $options['ssl']['key'] = isset($options['ssl']['key']) ? $options['ssl']['key'] : null; + $options['ssl']['cert'] = isset($options['ssl']['cert']) ? $options['ssl']['cert'] : null; + $options['ssl']['verify_server_cert'] = isset($options['ssl']['verify_server_cert']) ? $options['ssl']['verify_server_cert'] : null; + } // Finalize initialisation parent::__construct($options); From 42f7bd8fe4dfdd9b9473620ce0192360be9e769d Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Tue, 16 Jul 2019 12:09:24 +0100 Subject: [PATCH 16/26] move tls options to main PDO driver so it's available fro all PDO drivers 2/2 --- src/Mysql/MysqlDriver.php | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/src/Mysql/MysqlDriver.php b/src/Mysql/MysqlDriver.php index 336f2c984..b9e9f9acd 100644 --- a/src/Mysql/MysqlDriver.php +++ b/src/Mysql/MysqlDriver.php 
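Review bot: Moving the normalisation into PdoDriver means every PDO driver now accepts `ssl` options, but `enable` is still stored uncast, so `'enable' => '1'` fails the `=== true` check in connect() and TLS stays off without any error. I'd cast it, `isset($options['ssl']['enable']) ? (bool) $options['ssl']['enable'] : false`, and for drivers whose DSN branch cannot honour the option either throw or log when `enable` is true, so the operator learns the connection is plaintext rather than assuming otherwise. The constructor continues outside the hunk.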
@@ -117,18 +117,6 @@ public function __construct(array $options) $options['driver'] = 'mysql'; $options['charset'] = $options['charset'] ?? 'utf8'; $options['sqlModes'] = isset($options['sqlModes']) ? (array) $options['sqlModes'] : $sqlModes; - $options['ssl'] = isset($options['ssl']) ? $options['ssl'] : []; - - if ($options['ssl'] !== []) - { - $options['ssl']['enable'] = isset($options['ssl']['enable']) ? $options['ssl']['enable'] : false; - $options['ssl']['cipher'] = isset($options['ssl']['cipher']) ? $options['ssl']['cipher'] : null; - $options['ssl']['ca'] = isset($options['ssl']['ca']) ? $options['ssl']['ca'] : null; - $options['ssl']['capath'] = isset($options['ssl']['capath']) ? $options['ssl']['capath'] : null; - $options['ssl']['key'] = isset($options['ssl']['key']) ? $options['ssl']['key'] : null; - $options['ssl']['cert'] = isset($options['ssl']['cert']) ? $options['ssl']['cert'] : null; - $options['ssl']['verify_server_cert'] = isset($options['ssl']['verify_server_cert']) ? $options['ssl']['verify_server_cert'] : null; - } $this->charset = $options['charset']; From 1b6143117a3f9ffb2985e598b6918287f5ebf373 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Tue, 16 Jul 2019 13:14:46 +0100 Subject: [PATCH 17/26] Add TLS encryption to postgresql PDO driver (by docs - not tested) --- src/Pdo/PdoDriver.php | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/src/Pdo/PdoDriver.php b/src/Pdo/PdoDriver.php index 4925a06e8..8e1f238e5 100644 --- a/src/Pdo/PdoDriver.php +++ b/src/Pdo/PdoDriver.php 
@@ -265,6 +265,29 @@ public function connect() $replace = ['#HOST#', '#PORT#', '#DBNAME#']; $with = [$this->options['host'], $this->options['port'], $this->options['database']]; + // For data in transit TLS encryption. + if ($this->options['ssl'] !== [] && $this->options['ssl']['enable'] === true) + { + $format .= ';sslmode=' . (isset($this->options['ssl']['verify_server_cert']) && $this->options['ssl']['verify_server_cert'] === true ? 'verify-full' : 'required'); + + $sslKeysMapping = [ + 'cipher' => null, + 'ca' => 'sslrootcert', + 'capath' => null, + 'key' => 'sslkey', + 'cert' => 'sslcert', + ]; + + // If costumized, add ciphersuit, ca file path, ca path, private key file path and certificate file path to PDO driver options. + foreach (['cipher', 'ca', 'capath', 'key', 'cert'] as $key => $value) + { + if ($sslKeysMapping[$key] !== null && $this->options['ssl'][$value] !== null) + { + $format .= ';' . $sslKeysMapping[$key] . '=' . $this->options['ssl'][$value]; + } + } + } + break; case 'sqlite': From 1a7de1ca7e0a5a521e9416e80b14fe1a254a9029 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Tue, 16 Jul 2019 13:50:32 +0100 Subject: [PATCH 18/26] cs --- src/Pdo/PdoDriver.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/Pdo/PdoDriver.php b/src/Pdo/PdoDriver.php index 8e1f238e5..8a288363d 100644 --- a/src/Pdo/PdoDriver.php +++ b/src/Pdo/PdoDriver.php @@ -268,7 +268,14 @@ public function connect() // For data in transit TLS encryption. if ($this->options['ssl'] !== [] && $this->options['ssl']['enable'] === true) { - $format .= ';sslmode=' . (isset($this->options['ssl']['verify_server_cert']) && $this->options['ssl']['verify_server_cert'] === true ? 'verify-full' : 'required'); + if (isset($this->options['ssl']['verify_server_cert']) && $this->options['ssl']['verify_server_cert'] === true) + { + $format .= ';sslmode=verify-full'; + } + else + { + $format .= ';sslmode=required'; + } $sslKeysMapping = [ 'cipher' => null, 
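Review bot: Unless `verify_server_cert` is exactly `true` the DSN falls to the non-verifying sslmode, so a configured `ca` encrypts the link without guaranteeing the server is authenticated against it; libpq also offers `verify-ca`, and I'd select it when `ca` is set and `verify_server_cert` is null, keeping the weaker mode only for an explicit `false`. `cipher` and `capath` are mapped to null and silently ignored for PostgreSQL, which deserves a comment next to `$sslKeysMapping` (`// libpq has no cipher/capath DSN parameters; these options are ignored for pgsql`). As written, the loop also indexes `$sslKeysMapping` with the integer `$key` of a list, which a later commit in this series corrects. connect() continues outside the hunk.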
From 9b5820ce08e0f4497790569d0f7f13d67baab383 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Tue, 16 Jul 2019 14:00:59 +0100 Subject: [PATCH 19/26] getConnectionEncryption for postgresql (form docs - not tested) --- src/Pgsql/PgsqlDriver.php | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/Pgsql/PgsqlDriver.php b/src/Pgsql/PgsqlDriver.php index 4208b65c5..72f5ce34e 100644 --- a/src/Pgsql/PgsqlDriver.php +++ b/src/Pgsql/PgsqlDriver.php @@ -143,7 +143,18 @@ public function getConnectionCollation() */ public function getConnectionEncryption(): string { - // TODO: Not fake this + $query = $this->getQuery(true) + ->select($this->quoteName(['version', 'cipher'])) + ->from($this->quoteName('pg_stat_ssl')) + ->where($this->quoteName('pid') . ' = pg_backend_pid()'); + + $variables = $this->setQuery($query)->loadAssoc(); + + if (!empty($variables['cipher'])) + { + return $variables['version'] . ' (' . $variables['cipher'] . ')'; + } + return ''; } From c4ee862dc26b9347c6008b0b8067ed88750cac3b Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 22 Jul 2019 21:04:05 +0100 Subject: [PATCH 20/26] Update src/Mysql/MysqlDriver.php Co-Authored-By: Brian Teeman --- src/Mysql/MysqlDriver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Mysql/MysqlDriver.php b/src/Mysql/MysqlDriver.php index b9e9f9acd..a7b13b5f7 100644 --- a/src/Mysql/MysqlDriver.php +++ b/src/Mysql/MysqlDriver.php @@ -151,7 +151,7 @@ public function connect() { $sslContextIsNull = true; - // If costumized, add ciphersuit, ca file path, ca path, private key file path and certificate file path to PDO driver options. + // If customised, add cipher suite, ca file path, ca path, private key file path and certificate file path to PDO driver options. foreach (['cipher', 'ca', 'capath', 'key', 'cert'] as $key => $value) { if ($this->options['ssl'][$value] !== null) From 84f5578b8595550c7600b7fc8a4c1f5210f360de Mon Sep 17 00:00:00 2001 
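Review bot: Unlike the two MySQL implementations, the PostgreSQL `getConnectionEncryption()` does not call `$this->connect()` before building the query, so it relies on `setQuery()`/`loadAssoc()` connecting implicitly; I'd add the call for consistency, or document the difference. `pg_stat_ssl` only exists on PostgreSQL 9.5 and later, so if the driver's supported minimum is older the query errors rather than returning `''`; a comment and, if needed, a version guard would make that explicit. The `@return` should state that `''` means the backend reports no cipher for this session.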
From: andrepereiradasilva Date: Mon, 22 Jul 2019 21:04:24 +0100 Subject: [PATCH 21/26] Update src/Mysql/MysqlDriver.php Co-Authored-By: Brian Teeman --- src/Mysql/MysqlDriver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Mysql/MysqlDriver.php b/src/Mysql/MysqlDriver.php index a7b13b5f7..0581bc299 100644 --- a/src/Mysql/MysqlDriver.php +++ b/src/Mysql/MysqlDriver.php @@ -167,7 +167,7 @@ public function connect() $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = implode(':', static::$defaultCipherSuit); } - // If costumized, for capable systems (PHP 7.0.14+ and 7.1.4+) verify certificate chain and Common Name to driver options. + // If customised, for capable systems (PHP 7.0.14+ and 7.1.4+) verify certificate chain and Common Name to driver options. if ($this->options['ssl']['verify_server_cert'] !== null && defined('\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT')) { $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = $this->options['ssl']['verify_server_cert']; From 3da0568d2bcd21b3b0f1cbc5d70c73d304d02190 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 22 Jul 2019 21:04:40 +0100 Subject: [PATCH 22/26] Update src/Mysql/MysqlDriver.php Co-Authored-By: Brian Teeman --- src/Mysql/MysqlDriver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Mysql/MysqlDriver.php b/src/Mysql/MysqlDriver.php index 0581bc299..0e178747f 100644 --- a/src/Mysql/MysqlDriver.php +++ b/src/Mysql/MysqlDriver.php @@ -80,7 +80,7 @@ class MysqlDriver extends PdoDriver implements UTF8MB4SupportInterface protected static $dbMinMariadb = '10.0'; /** - * The default cipher suit for TLS connections. + * The default cipher suite for TLS connections. * * @var array * @since __DEPLOY_VERSION__ From 19c156490dc2879746b21e2023a9d41d3f152256 Mon Sep 17 00:00:00 2001 
From: andrepereiradasilva Date: Mon, 22 Jul 2019 21:04:56 +0100 Subject: [PATCH 23/26] Update src/Mysql/MysqlDriver.php Co-Authored-By: Brian Teeman --- src/Mysql/MysqlDriver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Mysql/MysqlDriver.php b/src/Mysql/MysqlDriver.php index 0e178747f..a45533a25 100644 --- a/src/Mysql/MysqlDriver.php +++ b/src/Mysql/MysqlDriver.php @@ -161,7 +161,7 @@ public function connect() } } - // PDO, if no cipher, ca, capath, cert and key are set, can't start TLS one-way connection, set a common ciphers suit to force it. + // PDO, if no cipher, ca, capath, cert and key are set, can't start TLS one-way connection, set a common ciphers suite to force it. if ($sslContextIsNull === true) { $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = implode(':', static::$defaultCipherSuit); From 6c263225dd4e2e205c2a877cbfb48dc1f8926278 Mon Sep 17 00:00:00 2001 From: andrepereiradasilva Date: Mon, 22 Jul 2019 21:05:24 +0100 Subject: [PATCH 24/26] Update src/Pdo/PdoDriver.php Co-Authored-By: Brian Teeman --- src/Pdo/PdoDriver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Pdo/PdoDriver.php b/src/Pdo/PdoDriver.php index 8a288363d..c698de07e 100644 --- a/src/Pdo/PdoDriver.php +++ b/src/Pdo/PdoDriver.php @@ -285,7 +285,7 @@ public function connect() 'cert' => 'sslcert', ]; - // If costumized, add ciphersuit, ca file path, ca path, private key file path and certificate file path to PDO driver options. + // If customised, add cipher suite, ca file path, ca path, private key file path and certificate file path to PDO driver options. foreach (['cipher', 'ca', 'capath', 'key', 'cert'] as $key => $value) { if ($sslKeysMapping[$key] !== null && $this->options['ssl'][$value] !== null) From 326ac82c43c723bd0ab4fef474606fe693bf6f4f Mon Sep 17 00:00:00 2001 
From: andrepereiradasilva Date: Mon, 22 Jul 2019 21:09:31 +0100 Subject: [PATCH 25/26] Update MysqlDriver.php --- src/Mysql/MysqlDriver.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Mysql/MysqlDriver.php b/src/Mysql/MysqlDriver.php index a45533a25..b8223f72a 100644 --- a/src/Mysql/MysqlDriver.php +++ b/src/Mysql/MysqlDriver.php @@ -85,7 +85,7 @@ class MysqlDriver extends PdoDriver implements UTF8MB4SupportInterface * @var array * @since __DEPLOY_VERSION__ */ - protected static $defaultCipherSuit = [ + protected static $defaultCipherSuite = [ 'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'AES128-CBC-SHA256', @@ -164,7 +164,7 @@ public function connect() // PDO, if no cipher, ca, capath, cert and key are set, can't start TLS one-way connection, set a common ciphers suite to force it. if ($sslContextIsNull === true) { - $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = implode(':', static::$defaultCipherSuit); + $this->options['driverOptions'][\PDO::MYSQL_ATTR_SSL_CIPHER] = implode(':', static::$defaultCipherSuite); } // If customised, for capable systems (PHP 7.0.14+ and 7.1.4+) verify certificate chain and Common Name to driver options. From 23922061b5b83f741ce9c8af886e4baeb2c63da6 Mon Sep 17 00:00:00 2001 From: Richard Fath Date: Tue, 6 Aug 2019 22:26:49 +0200 Subject: [PATCH 26/26] Update PdoDriver.php --- src/Pdo/PdoDriver.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Pdo/PdoDriver.php b/src/Pdo/PdoDriver.php index c698de07e..d24e664ee 100644 --- a/src/Pdo/PdoDriver.php +++ b/src/Pdo/PdoDriver.php @@ -274,7 +274,7 @@ public function connect() } else { - $format .= ';sslmode=required'; + $format .= ';sslmode=require'; } $sslKeysMapping = [ 
@@ -286,11 +286,11 @@ public function connect()
 ];
 
 // If customised, add cipher suite, ca file path, ca path, private key file path and certificate file path to PDO driver options.
-foreach (['cipher', 'ca', 'capath', 'key', 'cert'] as $key => $value)
+foreach ($sslKeysMapping as $key => $value)
 {
-if ($sslKeysMapping[$key] !== null && $this->options['ssl'][$value] !== null)
+if ($value !== null && $this->options['ssl'][$key] !== null)
 {
-$format .= ';' . $sslKeysMapping[$key] . '=' . $this->options['ssl'][$value];
+$format .= ';' . $value . '=' . $this->options['ssl'][$key];
 }
 }
 }
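Review bot: The option values are concatenated into the DSN unescaped on the `$format .= ';' . $value . '=' . ...` line, so a certificate or key path containing a space, `;` or `'` either breaks the DSN or is parsed as a different parameter; these are operator-supplied paths rather than user input, but the failure is silent. libpq accepts single-quoted values with `\` and `'` escaped, so I'd wrap each one: `$format .= ';' . $value . "='" . str_replace(['\\', "'"], ['\\\\', "\\'"], $this->options['ssl'][$key]) . "'";` (confirm PDO's pgsql DSN parser passes quoted values through unchanged). connect() continues outside the hunk.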