[4.0] TLS encryption for database connections: Correct language texts and showon for fields #27320
richard67 wants to merge 6 commits into joomla:4.0-dev from
…ypt-db-connections-mod-1
| COM_CONFIG_FIELD_DATABASE_ENCRYPTION_ENABLE_VALUE_NONE="Default (server controlled)" | ||
| COM_CONFIG_FIELD_DATABASE_ENCRYPTION_ENABLE_VALUE_ONE_WAY="One-way encryption" | ||
| COM_CONFIG_FIELD_DATABASE_ENCRYPTION_ENABLE_VALUE_TWO_WAY="Two-way encryption" | ||
| COM_CONFIG_FIELD_DATABASE_ENCRYPTION_ENABLE_VALUE_ONE_WAY="One-way authentication" |
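Review bot: On the changed ONE_WAY line, the new text "One-way authentication" tells the administrator that the server is authenticated, but the PR description has the CA fields depend on "Verify Server Certificate" being "Yes", so with that field set to "No" this option gives an encrypted connection whose server certificate is not checked. Consider stating that in the field's description string, or wording the option so that it does not imply verification on its own.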
As this is a new string and you are changing the value to authentication, it would be good to update the constant as well.
How do you mean to change it? COM_CONFIG_FIELD_DATABASE_AUTHENTICATION_ENABLE_VALUE_ONE_WAY would be wrong, because all the fields with names starting with COM_CONFIG_FIELD_DATABASE_ENCRYPTION belong to the same feature, which is well described with that name prefix.
Or how else do you mean it should be changed? I don't understand yet.
Yes, that was what I was suggesting.
Well, COM_CONFIG_FIELD_DATABASE_AUTHENTICATION_ENABLE_VALUE_ONE_WAY would be wrong, because it reads as if it would be related to authentication to the database in general, but it is only relevant for connection encryption.
What could make sense would be to change the texts COM_CONFIG_FIELD_DATABASE_ENCRYPTION_ENABLE... to COM_CONFIG_FIELD_DATABASE_ENCRYPTION_MODE..., or something like that, that would fit more to the values ("Default (server controlled)", "One-way authentication" and "Two-way authentication"). The "ENABLE" is a bit misleading and has historically grown when that feature was developed by @andrepereiradasilva.
Should I change them to COM_CONFIG_FIELD_DATABASE_ENCRYPTION_MODE...?
@brianteeman Please check my comment above. To make it perfect I could change COM_CONFIG_FIELD_DATABASE_ENCRYPTION_ENABLE_LABEL to COM_CONFIG_FIELD_DATABASE_ENCRYPTION_MODE_LABEL, COM_CONFIG_FIELD_DATABASE_ENCRYPTION_ENABLE_VALUE_NONE to COM_CONFIG_FIELD_DATABASE_ENCRYPTION_MODE_VALUE_DEFAULT, COM_CONFIG_FIELD_DATABASE_ENCRYPTION_ENABLE_VALUE_ONE_WAY to COM_CONFIG_FIELD_DATABASE_ENCRYPTION_MODE_VALUE_ONE_WAY and COM_CONFIG_FIELD_DATABASE_ENCRYPTION_ENABLE_VALUE_TWO_WAY to COM_CONFIG_FIELD_DATABASE_ENCRYPTION_MODE_VALUE_TWO_WAY.
Let me know your opinion and what you suggest, but your original suggestion was not good in my opinion.
Or we leave text names like they are.
Please wait with testing. I will make some changes in the next day or make a new PR. I'll report back here when all is ready.
Closing in favour of PR #27351.
Pull Request for #26888 (comment).
Summary of Changes
This PR fixes 2 issues mentioned in comment #26888 (comment) in Global Configuration, section Database Configuration:
See e.g. here for an explanation: https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/.
1-way means that only the database server is authenticated with a certificate, and 2-way means database server and client are authenticated.
Right now the fields are only shown if authentication is 2-way, regardless of the server certificate verification. This is wrong because the CA certificate is only used by the client to verify the server certificate.
What is not changed by this PR is that field "Path to CA folder" is not shown if database type is PostgreSQL.
Testing Instructions
Please wait with testing. I will make some changes in the next day or make a new PR.
Code review, or:
Result: No additional fields are displayed after the value of field "Verify Server Certificate" has been changed.
Result: Additional fields are displayed after the value of field "Connection Encryption" has been changed to "Two-way encryption".
Result: When the value of field "Connection Encryption" is "Two-way encryption", fields "Path to Private Key File", "Path to Certificate File" and "Path to CA File" are shown in any case, and 2 more fields "Path to CA Folder" and "Supported Cipher Suite" are only shown for the MySQL types but not for PostgreSQL (PDO), all this regardless of the value of field "Verify Server Certificate".
Result: When field "Verify Server Certificate" has value "Yes", field "Path to CA File" is shown, and if a MySQL database type is used, also field "Path to CA Folder". When field "Verify Server Certificate" has value "No", these fields are not shown.
Result: Additional fields "Path to Private Key File", "Path to Certificate File" and in case of a MySQL database type also field "Supported Cipher Suite" are shown. For fields "Path to CA File" and "Path to CA Folder" behavior is still the same as in step 10.
Expected result
Fields "Path to CA File" and "Path to CA Folder" are only shown if "Yes" is chosen for field "Verify Server Certificate" and field "Connection Encryption" has values "One-way authentication" or "Two-way authentication".
The misleading texts "One-way encryption" and "Two-way encryption" have been changed to "One-way authentication" or "Two-way authentication".
Actual result
Fields "Path to CA File" and "Path to CA Folder" are only shown if "Two-way encryption" is chosen for field "Connection Encryption", regardless of the value of field "Verify Server Certificate".
The texts "One-way encryption" and "Two-way encryption" are misleading because the connection will be encrypted with both of these values, it is authentication which is done either one or two way.
Documentation Changes Required
None as far as I know, because as far as I know there is no documentation yet for the database connection encryption option in Global Configuration.
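How the three settings discussed in this PR would translate into pdo_mysql connection options, as an added example that is not code from the PR or from Joomla. The function name, the mode strings and the `$paths` keys are hypothetical, and only the MySQL (PDO) driver is covered:

```php
<?php
// Added example, not Joomla code. Mode strings and $paths keys are hypothetical;
// the PDO::MYSQL_ATTR_SSL_* constants come from pdo_mysql (mysqlnd build assumed).

function mysqlTlsOptions(string $mode, bool $verifyServer, array $paths): array
{
    if ($mode === 'default') {
        return []; // client requests nothing; the server decides
    }
    if ($mode !== 'one-way' && $mode !== 'two-way') {
        throw new InvalidArgumentException("Unknown mode: $mode");
    }
    // pdo_mysql asks for TLS only when a key, cert, CA, CA path or cipher
    // option is set, so this example requires a cipher list in both modes.
    if (empty($paths['cipher'])) {
        throw new InvalidArgumentException('A cipher list is required');
    }
    $opts = [
        PDO::MYSQL_ATTR_SSL_CIPHER             => $paths['cipher'],
        // false: traffic is encrypted, but the server's identity is unchecked
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => $verifyServer,
    ];
    // The CA file/folder is what the client checks the server certificate
    // against: it follows "verify", not two-way mode.
    if ($verifyServer) {
        $caAttrs = ['ca' => PDO::MYSQL_ATTR_SSL_CA, 'capath' => PDO::MYSQL_ATTR_SSL_CAPATH];
        foreach ($caAttrs as $key => $attr) {
            if (!empty($paths[$key])) {
                $opts[$attr] = $paths[$key];
            }
        }
    }
    // Client key and certificate are how the server authenticates the client.
    if ($mode === 'two-way') {
        if (empty($paths['key']) || empty($paths['cert'])) {
            throw new InvalidArgumentException('Two-way mode needs a client key and certificate');
        }
        $opts[PDO::MYSQL_ATTR_SSL_KEY]  = $paths['key'];
        $opts[PDO::MYSQL_ATTR_SSL_CERT] = $paths['cert'];
    }
    return $opts;
}

// Constructed sample: one-way mode with verification still carries the CA file.
$opts = mysqlTlsOptions('one-way', true, [
    'cipher' => 'ECDHE-RSA-AES256-GCM-SHA384',
    'ca'     => '/path/to/ca.pem', // placeholder path
]);
var_dump(isset($opts[PDO::MYSQL_ATTR_SSL_CA]), isset($opts[PDO::MYSQL_ATTR_SSL_KEY]));
```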