Allow to encrypt database connection in installation [rebased] #12
We need to render the field in one go because showon conditions only work this way (the showon data attribute is on the parent label - see the Form renderField method for more info).
… to take in consideration the radio input types
|
Thanks, I will keep your comments in mind for the stuff already merged into the CMS. |
|
Regarding |
|
127.0.0.1 and ::1 are TCP connections so they can be encrypted with TLS (as you can test). If it makes sense or not is another matter, but as far as I read about it, it could make sense if an attacker got low-privilege access to the operating system and then they could "peek" into the connections being made on the loopback TCP address (127.0.0.1/::1), so in high-security contexts it could make sense to encrypt 127.0.0.1/::1 connections - but I'm not an expert in that matter. |
|
Will |
|
At least in Linux normally MySQL/MariaDB and PostgreSQL bind localhost to a Unix socket. Why? Because Unix sockets are faster since they don't have TCP protocol overhead. |
|
I see, thanks for the info. Not sure yet if I will use that change for what is already in staging. On the weekend I will work on it and on this here, testing and if ok making a PR for the CMS. Again many thanks for advice and help and code. |
|
I'll leave this open for a while in case if you wanna make modifications. Later I'll merge it to my branch when I've made a PR for the CMS. |
|
I don't see anything more to do here. |
|
You know problem is this showon thing: It is not clever enough to clear fields before hiding them, so when someone enters a hostname, enters some bad stuff for encryption and then changes back to localhost and encryption options disappear ... that could be at least annoying. Connection test and better error handling which you've added at the end should keep one from saving such bad stuff ... but I am not really comfortable with that showon. Another thing what I was thinking about was if we could add a field to the system config (maybe as an info text or hidden, if it does not fit to other enterable fields regarding consistent UX) for the info if the server supports it, same info as we show in system info, and make showon also dependent on this. Not sure if a good idea or not. Maybe we should check this parameter in code too and reset any encryption settings if server does not support it? |
You can do that in XML "onchange=". I can check it later.
I thought about it, but you have to do it with Ajax JS since you need to check it every time the user changes it without submitting the form. I particularly don't like sending sensitive data with Ajax, unless they are POST methods with HTTPS and the receiving Ajax method is very security hardened. Also, GET HTTP requests stay in the log files, which would put logins and passwords there.
|
showon stuff improved. |
|
@andrepereiradasilva Yeah, just saw. Looks great. Will see what has also to go into the stuff which has already been merged into the CMS and make a PR for that. And this PR here will be a separate one, also created soon. I have time this weekend. |
I can make a new PR here for that. Already working on that.
|
Great. |
|
@andrepereiradasilva I still get: at the start of installation. |
|
Do you have that error without this Patch? |
|
Update 2019-10-29: Sorry, have misread. I have this error ONLY with this patch, NOT without it. Do you use Windows or Linux as Joomla Host for testing? I use Linux. If it works on Windows but does not work on Linux, it could be some problem with file names having to fit to class or namespace names? |
|
@andrepereiradasilva Now I've replaced file by file and tested if index.php of admin works. With file |
|
@andrepereiradasilva Got it, see review. |
Silly mistake ... Sorry richard Co-Authored-By: Richard Fath <richard67@users.noreply.github.com>
|
Solved, sorry richard, my mistake |
|
I will test again before merging. Stay tuned. |
b3ec36f
into
richard67:4.0-dev-tls-encrypt-db-connections-at-install
|
Thanks @andrepereiradasilva . I've decided to merge first, then make a draft PR to the CMS so I can test, and when test is ok I'll "undraft" it. I'll let you know if all ok or some issues. |
|
@andrepereiradasilva Do you think you can provide the javascript part for PR joomla#26889? |
|
@andrepereiradasilva I've just tested my PR joomla#26888 and found that when using the real host name and not localhost, and I adjust one-way encryption without certificate verification, like it works out of the box for me, then the installation finishes with success, but then in backend encryption is set to default again. Can it be that there is missing something for saving the changed configuration during the installation? |
|
@andrepereiradasilva P.S. to previous comment: Or can it be that the javascript clears the field somehow when continuing the installation after having selected the tls options and so on? I'll make a break and then test again without the JS. |
|
@andrepereiradasilva I think I know what is missing: It needs to change this here https://github.com/joomla/joomla-cms/pull/26375/files#diff-fc1c1d768205c2f1f52b6f5f5a97c196. |
|
Yeah, that's it. Have to take the options values instead of the defaults for off. |
|
:) Yeah, that was needed also, but since it was already in the Joomla main branch I didn't do it here. |
|
@andrepereiradasilva No, thank you for your work. I only wish that sometimes you would trust my testing results a bit more ;-) Do you think you can do the JS part of joomla#26889. If you don't have time I can try it myself. |
|
Out from home this weekend, only have time next weekend. If you have some time until then, please go ahead. |
|
Ok, will let you know if done or when problems. |
|
@andrepereiradasilva Regarding the JS part of joomla#26889, i.e. using onchange event in Global Config for the hostname field to reset stuff in case of localhost: Could you give me a hint to which js the new function should be added? For the installations it was easy to understand for me, but in backend I haven't found a suitable place. It seems the onchange stuff isn't used in Global Config yet. I'll see if I can find it out today or tomorrow, but if you can give me a quick hint it would be very helpful. |
|
@andrepereiradasilva I've found it out myself. Could you have a look on joomla#26889 if it is ok? |
Replace alert to j message, remove duplication
…ration Refactored Registration

same as #8 with one addon;
now the fields only show if the database server field is different from "localhost"
showon="db_host!:localhost"
Probably this could also be used in global config and privacy dashboard.
There is no encrypting in socket connections
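
The reset discussed in this thread (showon hides the encryption fields when the host is "localhost" but keeps whatever was typed into them), as an added example that is not code from this PR or from Joomla. Every field name except `db_host`, and the `'0'` = off encoding, are assumptions; the form values are constructed.

```javascript
// Assumed "off" values for the hidden encryption fields (hypothetical names).
const ENCRYPTION_DEFAULTS = Object.freeze({
  db_encryption: '0',
  db_sslverifyservercert: '0',
  db_sslkey: '',
  db_sslcert: '',
  db_sslca: '',
  db_sslcipher: '',
});

// Mirrors showon="db_host!:localhost": only the literal name "localhost"
// hides the fields. 127.0.0.1 and ::1 are TCP loopback, so TLS settings
// for them are kept.
function usesLocalSocket(host) {
  return host === 'localhost';
}

// Returns a copy of the submitted values with the encryption settings reset
// when they would be hidden, plus the names of the fields that held stale
// values. The same check can run in an onchange handler and again on save.
function resetHiddenEncryption(form) {
  if (!usesLocalSocket(form.db_host)) {
    return { form: { ...form }, cleared: [] };
  }
  const cleared = Object.keys(ENCRYPTION_DEFAULTS).filter(
    (name) => name in form && form[name] !== ENCRYPTION_DEFAULTS[name]
  );
  return { form: { ...form, ...ENCRYPTION_DEFAULTS }, cleared };
}

// Constructed input: the user configured TLS for a remote host, then
// switched the host back to "localhost" so the fields disappeared.
const staleSubmission = {
  db_host: 'localhost',
  db_user: 'joomla',
  db_encryption: '2',
  db_sslverifyservercert: '1',
  db_sslkey: '/etc/ssl/client-key.pem',
  db_sslcert: '',
  db_sslca: '/etc/ssl/ca.pem',
  db_sslcipher: '',
};

const result = resetHiddenEncryption(staleSubmission);
console.log(result.cleared.join(', '));
```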