https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36026
--- Comment #14 from Lukas Koszyk <[email protected]> ---
(In reply to Marcel de Rooy from comment #13)
> (In reply to Lukas Koszyk from comment #10)
> > > f) Set "<tls>yes</tls>" in the <config> section in koha-conf.xml.
> >
> > g) In Koha/Database.pm:
> > replace ";mysql_ssl=1" by ";mysql_ssl=1;mysql_ssl_optional=1"
> >
> > 4) Run restart_all.
> >
> > 5) Check that Koha's staff interface works.
> >
> > 6) Sign off.
>
> Could you please clarify this part of the test plan?
>
> We only set tls to yes, but do not fill the other stuff in koha-conf. We
> switch to ssl optional by changing the code we should be testing.. So we are
> actually testing something else? And signing off the original?
>
> And note: Setting mysql_ssl_optional to true disables strict SSL enforcement
> and makes SSL connection optional. This option opens security hole for
> man-in-the-middle attacks.
> => Not a good idea?

Yes, the mysql_ssl_optional parameter is not part of the patch to sign off.

The additional parameter "mysql_ssl_optional=1" is added only to test in Koha-testing-docker. Without it we couldn't test in Docker; probably there is a difference in the packages installed in Docker. On our test system with MariaDB 10.6 on Ubuntu 22.04, the TLS connection works without this parameter.

Also, I think mysql_ssl_optional should not be used on a production system. But even if this option is enabled for the client and if require_secure_transport is enabled on the MariaDB server, then all connections attempted using insecure transport will be rejected.

This test only checks if the TLS connection works. Additional parameters like a CA certificate can be used (you need to copy the certificate first), but we didn't want to create too complicated a configuration.
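An added example, not part of the original comment or of Koha's code: a small Python check that flags the DSN settings discussed above (mysql_ssl_optional switched on, or no CA certificate configured). The sample DSN strings, the function names and the finding codes are constructed for illustration.

```python
# Added example: lint a DBD::mysql DSN for the TLS options discussed above.
# The sample DSNs below are constructed; they are not taken from Koha.

def parse_dsn(dsn):
    """Split 'dbi:<driver>:k=v;k=v' into (driver, {k: v})."""
    scheme, driver, rest = dsn.split(":", 2)
    if scheme.lower() != "dbi":
        raise ValueError("not a DBI DSN: %r" % dsn)
    attrs = {}
    for part in rest.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            attrs[key.strip()] = value.strip()
    return driver, attrs

def _on(attrs, key):
    # Assumption: any value other than empty or "0" switches the option on.
    return attrs.get(key, "") not in ("", "0")

def audit_tls(dsn):
    """Return a list of (code, message) findings; an empty list means none."""
    _, attrs = parse_dsn(dsn)
    if not _on(attrs, "mysql_ssl"):
        return [("no-tls", "mysql_ssl is not set: TLS is never requested")]
    findings = []
    if _on(attrs, "mysql_ssl_optional"):
        findings.append(("tls-optional",
                         "mysql_ssl_optional is on: strict TLS enforcement is "
                         "disabled unless the server sets require_secure_transport"))
    if not (attrs.get("mysql_ssl_ca_file") or attrs.get("mysql_ssl_ca_path")):
        findings.append(("no-ca",
                         "no mysql_ssl_ca_file or mysql_ssl_ca_path: "
                         "no CA certificate is configured"))
    return findings

if __name__ == "__main__":
    samples = [  # constructed DSNs
        "dbi:mysql:database=koha;host=db;port=3306",
        "dbi:mysql:database=koha;host=db;port=3306;mysql_ssl=1;mysql_ssl_optional=1",
        "dbi:mysql:database=koha;host=db;port=3306;mysql_ssl=1;mysql_ssl_ca_file=/etc/ssl/ca.pem",
    ]
    for dsn in samples:
        codes = [code for code, _ in audit_tls(dsn)]
        print(dsn, "->", codes or "ok")
```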
