[4.0] Add TLS transfer encryption for database connections at installation - 2nd version

installation/forms/setup.xml

@@ -122,5 +122,65 @@
 			id="db_old"
 			default="backup"
 		/>
+
+		<field
+			name="db_encryption"
+			type="list"
+			label="INSTL_DATABASE_ENCRYPTION_MODE_LABEL"
+			class="custom-select"
+			required="true"
+			default="0"
+			filter="integer"
+			>
+			<option value="0">INSTL_DATABASE_ENCRYPTION_MODE_VALUE_NONE</option>
+			<option value="1">INSTL_DATABASE_ENCRYPTION_MODE_VALUE_ONE_WAY</option>
+			<option value="2">INSTL_DATABASE_ENCRYPTION_MODE_VALUE_TWO_WAY</option>
+		</field>
+
+		<field
+			name="db_sslkey"
+			type="text"
+			label="INSTL_DATABASE_ENCRYPTION_KEY_LABEL"
+			filter="path"
+			showon="db_encryption:2"
+		/>
+
+		<field
+			name="db_sslcert"
+			type="text"
+			label="INSTL_DATABASE_ENCRYPTION_CERT_LABEL"
+			filter="path"
+			showon="db_encryption:2"
+		/>
+
+		<field
+			name="db_sslverifyservercert"
+			type="radio"
+			label="INSTL_DATABASE_ENCRYPTION_VERIFY_SERVER_CERT_LABEL"
+			class="switcher"
+			default="0"
+			filter="boolean"
+			showon="db_encryption:1,2"
+			>
+			<option value="0">JNO</option>
+			<option value="1">JYES</option>
+		</field>
+
+		<field
+			name="db_sslca"
+			type="text"
+			label="INSTL_DATABASE_ENCRYPTION_CA_LABEL"
+			filter="path"
+			showon="db_encryption:1,2[AND]db_sslverifyservercert:1"
+		/>
+
+		<field
+			name="db_sslcipher"
+			type="text"
+			label="INSTL_DATABASE_ENCRYPTION_CIPHER_LABEL"
+			filter="string"
+			showon="db_type:mysql,mysqli[AND]db_encryption:2"
+		/>
+
 	</fieldset>
 </form>

installation/language/en-GB/joomla.ini

@@ -51,6 +51,20 @@ INSTL_ZLIB_COMPRESSION_SUPPORT="Zlib Compression Support"
 
 ; Database view
 INSTL_DATABASE="Database Configuration"
+INSTL_DATABASE_ENCRYPTION_CA_LABEL="Path to CA File"
+INSTL_DATABASE_ENCRYPTION_CERT_LABEL="Path to Certificate File"
+INSTL_DATABASE_ENCRYPTION_CIPHER_LABEL="Supported Cipher Suite (optional)"
+INSTL_DATABASE_ENCRYPTION_KEY_LABEL="Path to Private Key File"
+INSTL_DATABASE_ENCRYPTION_MODE_LABEL="Connection Encryption"
+INSTL_DATABASE_ENCRYPTION_MODE_VALUE_NONE="Default (server controlled)"
+INSTL_DATABASE_ENCRYPTION_MODE_VALUE_ONE_WAY="One-way authentication"
+INSTL_DATABASE_ENCRYPTION_MODE_VALUE_TWO_WAY="Two-way authentication"
+INSTL_DATABASE_ENCRYPTION_MSG_CONN_NOT_ENCRYPT="You have selected database connection enryption to be used, and a connection could be established, but it was not encrypted. The reason might be that the database server is configured to fall back to an unencrypted connection in case of bad encryption parameters. Either check and correct the database encryption parameters, or change field \"Connection Encryption\" back to \"Default (server controlled)\"."
+INSTL_DATABASE_ENCRYPTION_MSG_FILE_FIELD_BAD="The file entered in field \"%s\" does not exist or is not accessible."
+INSTL_DATABASE_ENCRYPTION_MSG_FILE_FIELD_EMPTY="Field \"%s\" is empty or doesn't contain a valid path."
+INSTL_DATABASE_ENCRYPTION_MSG_LOCALHOST="You have entered \"localhost\" as host name. Connecting to the database with connection encryption might fail with this. Either change \"localhost\" to \"127.0.0.1\" or \"::1\" or a different host name, or change field \"Connection Encryption\" back to \"Default (server controlled)\"."
+INSTL_DATABASE_ENCRYPTION_MSG_SRV_NOT_SUPPORTS="The database server doesn't support connection encryption. Either enable TLS (often called SSL in docs) support on your database server, or change field \"Connection Encryption\" back to \"Default (server controlled)\"."
+INSTL_DATABASE_ENCRYPTION_VERIFY_SERVER_CERT_LABEL="Verify Server Certificate"
 INSTL_DATABASE_ERROR_POSTGRESQL_QUERY="PostgreSQL database query failed."
 INSTL_DATABASE_HOST_DESC="Enter the host name, usually \"localhost\" or a name provided by your host."
 INSTL_DATABASE_HOST_LABEL="Host Name"

installation/language/en-US/joomla.ini

@@ -51,6 +51,20 @@ INSTL_ZLIB_COMPRESSION_SUPPORT="Zlib Compression Support"
 
 ; Database view
 INSTL_DATABASE="Database Configuration"
+INSTL_DATABASE_ENCRYPTION_CA_LABEL="Path to CA File"
+INSTL_DATABASE_ENCRYPTION_CERT_LABEL="Path to Certificate File"
+INSTL_DATABASE_ENCRYPTION_CIPHER_LABEL="Supported Cipher Suite (optional)"
+INSTL_DATABASE_ENCRYPTION_KEY_LABEL="Path to Private Key File"
+INSTL_DATABASE_ENCRYPTION_MODE_LABEL="Connection Encryption"
+INSTL_DATABASE_ENCRYPTION_MODE_VALUE_NONE="Default (server controlled)"
+INSTL_DATABASE_ENCRYPTION_MODE_VALUE_ONE_WAY="One-way authentication"
+INSTL_DATABASE_ENCRYPTION_MODE_VALUE_TWO_WAY="Two-way authentication"
+INSTL_DATABASE_ENCRYPTION_MSG_CONN_NOT_ENCRYPT="You have selected database connection enryption to be used, and a connection could be established, but it was not encrypted. The reason might be that the database server is configured to fall back to an unencrypted connection in case of bad encryption parameters. Either check and correct the database encryption parameters, or change field \"Connection Encryption\" back to \"Default (server controlled)\"."
+INSTL_DATABASE_ENCRYPTION_MSG_FILE_FIELD_BAD="The file entered in field \"%s\" does not exist or is not accessible."
+INSTL_DATABASE_ENCRYPTION_MSG_FILE_FIELD_EMPTY="Field \"%s\" is empty or doesn't contain a valid path."
+INSTL_DATABASE_ENCRYPTION_MSG_LOCALHOST="You have entered \"localhost\" as host name. Connecting to the database with connection encryption might fail with this. Either change \"localhost\" to \"127.0.0.1\" or \"::1\" or a different host name, or change field \"Connection Encryption\" back to \"Default (server controlled)\"."
+INSTL_DATABASE_ENCRYPTION_MSG_SRV_NOT_SUPPORTS="The database server doesn't support connection encryption. Either enable TLS (often called SSL in docs) support on your database server, or change field \"Connection Encryption\" back to \"Default (server controlled)\"."
+INSTL_DATABASE_ENCRYPTION_VERIFY_SERVER_CERT_LABEL="Verify Server Certificate"
 INSTL_DATABASE_ERROR_POSTGRESQL_QUERY="PostgreSQL database query failed."
 INSTL_DATABASE_HOST_DESC="Enter the host name, usually \"localhost\" or a name provided by your host."
 INSTL_DATABASE_HOST_LABEL="Host Name"

installation/src/Helper/DatabaseHelper.php

@@ -30,12 +30,13 @@ abstract class DatabaseHelper
 	 * @param   string   $database  The database to use.
 	 * @param   string   $prefix    The table prefix to use.
 	 * @param   boolean  $select    True if the database should be selected.
+	 * @param   array    $ssl       Database TLS connection options.
 	 *
 	 * @return  DatabaseInterface
 	 *
 	 * @since   1.6
 	 */
-	public static function getDbo($driver, $host, $user, $password, $database, $prefix, $select = true)
+	public static function getDbo($driver, $host, $user, $password, $database, $prefix, $select = true, array $ssl = [])
 	{
 		static $db;
 
@@ -52,6 +53,24 @@ public static function getDbo($driver, $host, $user, $password, $database, $pref
 				'select'   => $select,
 			];
 
+			if (!empty($ssl['dbencryption']))
+			{
+				$options['ssl'] = [
+					'enable'             => true,
+					'verify_server_cert' => (bool) $ssl['dbsslverifyservercert'],
+				];
+
+				foreach (['cipher', 'ca', 'key', 'cert'] as $value)
+				{
+					$confVal = trim($ssl['dbssl' . $value]);
+
+					if ($confVal !== '')
+					{
+						$options['ssl'][$value] = $confVal;
+					}
+				}
+			}
+
 			// Enable utf8mb4 connections for mysql adapters
 			if (strtolower($driver) === 'mysqli')
 			{
@@ -69,4 +88,25 @@ public static function getDbo($driver, $host, $user, $password, $database, $pref
 
 		return $db;
 	}
+
+	/**
+	 * Convert encryption options to array.
+	 *
+	 * @param   \stdClass  $options  The session options
+	 *
+	 * @return  array  The encryption settings
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public static function getEncryptionSettings($options)
+	{
+		return [
+			'dbencryption'          => $options->db_encryption,
+			'dbsslverifyservercert' => $options->db_sslverifyservercert,
+			'dbsslkey'              => $options->db_sslkey,
+			'dbsslcert'             => $options->db_sslcert,
+			'dbsslca'               => $options->db_sslca,
+			'dbsslcipher'           => $options->db_sslcipher,
+		];
+	}
 }

installation/src/Model/ConfigurationModel.php

@@ -133,12 +133,12 @@ public function createConfiguration($options)
 		$registry->set('password', $options->db_pass_plain);
 		$registry->set('db', $options->db_name);
 		$registry->set('dbprefix', $options->db_prefix);
-		$registry->set('dbencryption', 0);
-		$registry->set('dbsslverifyservercert', false);
-		$registry->set('dbsslkey', '');
-		$registry->set('dbsslcert', '');
-		$registry->set('dbsslca', '');
-		$registry->set('dbsslcipher', '');
+		$registry->set('dbencryption', $options->db_encryption);
+		$registry->set('dbsslverifyservercert', $options->db_sslverifyservercert);
+		$registry->set('dbsslkey', $options->db_sslkey);
+		$registry->set('dbsslcert', $options->db_sslcert);
+		$registry->set('dbsslca', $options->db_sslca);
+		$registry->set('dbsslcipher', $options->db_sslcipher);
 
 		// Server settings.
 		$registry->set('live_site', '');
@@ -274,7 +274,9 @@ private function createRootUser($options)
 				$options->db_user,
 				$options->db_pass_plain,
 				$options->db_name,
-				$options->db_prefix
+				$options->db_prefix,
+				true,
+				DatabaseHelper::getEncryptionSettings($options)
 			);
 		}
 		catch (\RuntimeException $e)

installation/src/Model/DatabaseModel.php

@@ -328,7 +328,8 @@ public function initialise()
 				$options->db_pass_plain,
 				$options->db_name,
 				$options->db_prefix,
-				isset($options->db_select) ? $options->db_select : false
+				isset($options->db_select) ? $options->db_select : false,
+				DatabaseHelper::getEncryptionSettings($options)
 			);
 		}
 		catch (\RuntimeException $e)
@@ -401,6 +402,7 @@ public function createDatabase($options)
 					'password' => $options->db_pass_plain,
 					'prefix'   => $options->db_prefix,
 					'select'   => $options->db_select,
+					DatabaseHelper::getEncryptionSettings($options),
 				);
 
 				$altDB = DatabaseDriver::getInstance($altDBoptions);