[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-03-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Marcel de Rooy  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18215

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/


[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-03-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Marcel de Rooy  changed:

   What|Removed |Added

 CC||m.de.r...@rijksmuseum.nl

--- Comment #17 from Marcel de Rooy  ---
Note: tls is not found in debian/templates/koha-conf-site.xml.in



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-03-06 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Tomás Cohen Arazi  changed:

   What|Removed |Added

 Blocks||18215


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18215
[Bug 18215] Resolve warning on $tls in Database.pm

[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-03-03 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Kyle M Hall  changed:

   What|Removed |Added

 Status|Passed QA   |Pushed to Master
 CC||k...@bywatersolutions.com

--- Comment #16 from Kyle M Hall  ---
Pushed to master for 17.05, thanks Dimitris!



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-02-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

--- Comment #15 from Jonathan Druart ---
(In reply to Mirko Tietgen from comment #13)
> In the non-TLS file I see a lot of MySQL commands. Like SELECTs. In the TLS
> file I don't (actually I see one, not sure why), but mostly "garbage".

Yes indeed, it works as intended!



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-02-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #59383 is obsolete|0   |1

--- Comment #14 from Jonathan Druart ---
Created attachment 60467
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=60467=edit
Bug 15427 : Enable TLS support for MySQL

In summary, changes are:
1) If you have chosen MySQL, Makefile.PL will ask you if you want TLS (default:
"no"), and then the locations for CA cert, client cert and client key
(reasonable defaults are provided). Settings , ,  and  are
added in koha-conf.xml
2) If yes in koha-conf.xml, the installer and database connection
scripts add the TLS options in both DBI connection strings and mysql command
line

To test
1/ Apply patch
2/ Check everything still works and db connections are the same as before
3/ Either run Makefile.PL and step through the options or edit your
koha-conf.xml to enable TLS
4/ Check db connections are still working

Patch provided to me by Dimitris Kamenopoulos and I reformatted it into a git
patch, any errors are probably mine

Signed-off-by: Mirko Tietgen 

Signed-off-by: Jonathan Druart 



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-02-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Jonathan Druart  changed:

   What|Removed |Added

 Status|Signed Off  |Passed QA



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-02-16 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

--- Comment #13 from Mirko Tietgen  ---
In the non-TLS file I see a lot of MySQL commands. Like SELECTs. In the TLS
file I don't (actually I see one, not sure why), but mostly "garbage".



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-02-16 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Jonathan Druart  changed:

   What|Removed |Added

 CC||jonathan.dru...@bugs.koha-community.org

--- Comment #12 from Jonathan Druart ---
(In reply to Mirko Tietgen from comment #11)
> and then compared the output files, which were obviously different.

Yes they are different, but I do not find anything obvious that is telling me
the connection is encrypted.
What should I search for?



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-02-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

--- Comment #11 from Mirko Tietgen  ---
FYI what I remember from testing, I did the following:

- created certificates. This might be helpful
https://dev.mysql.com/doc/refman/5.5/en/creating-ssl-files-using-openssl.html#creating-ssl-files-using-openssl-unix-command-line
- edited koha-conf.xml like this (add , , , )

> 
>  mysql
>  koha_koha
>  127.0.0.1
>  3306
>  yes
>  /home/mirko/newcerts/ca.pem
>  /home/mirko/newcerts/client-cert.pem
>  /home/mirko/newcerts/client-key.pem
>  koha_koha
> …

- logged out of the staff client
- ran the following command to output to a text file
> sudo tcpdump -i lo port 3306 -s 65535 -n -q -A > login.yestls3.txt
- logged into the staff client
- stopped tcpdump after a bit
- logged out

- changed config to no
- started tcpdump again, output to another file
> sudo tcpdump -i lo port 3306 -s 65535 -n -q -A > login.notls3.txt
- logged into the staff client
- stopped tcpdump after a bit

and then compared the output files, which were obviously different.

I hope I did not forget anything in between, was a while ago.

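Added example, not part of the original thread and not Koha code: one way to decide from captured bytes whether a MySQL session switched to TLS, rather than comparing two tcpdump text dumps by eye. It assumes the client-to-server payload of one connection has already been extracted as raw bytes; the function names and the sample streams are constructed for illustration.

```python
CLIENT_PROTOCOL_41 = 0x0200  # 4.1+ handshake layout (4-byte capability field)
CLIENT_SSL = 0x0800          # client asks to switch to TLS after the greeting
COM_QUERY = 0x03             # command byte that precedes a text SQL statement


def packets(stream: bytes):
    """Yield (sequence_id, payload) for each complete MySQL packet in stream."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        if pos + 4 + length > len(stream):
            break  # truncated capture: stop rather than guess
        yield stream[pos + 3], stream[pos + 4:pos + 4 + length]
        pos += 4 + length


def classify(stream: bytes) -> str:
    """Return 'tls', 'plaintext' or 'unknown' for a client-to-server stream."""
    if len(stream) < 8:
        return "unknown"
    length = int.from_bytes(stream[:3], "little")
    caps = int.from_bytes(stream[4:8], "little")
    if stream[3] != 1 or length < 32 or not caps & CLIENT_PROTOCOL_41:
        return "unknown"  # not a 4.1 login reply to the server greeting
    after = stream[4 + length:]
    if caps & CLIENT_SSL and length == 32:
        # 32-byte SSLRequest: the next bytes must be a TLS handshake record.
        return "tls" if after[:2] == b"\x16\x03" else "unknown"
    return "plaintext"  # login and queries follow in the clear


def visible_queries(stream: bytes) -> list:
    """SQL text readable on the wire; empty unless the session is plaintext."""
    if classify(stream) != "plaintext":
        return []
    return [p[1:].decode("utf-8", "replace") for seq, p in packets(stream)
            if seq == 0 and p[:1] == bytes([COM_QUERY])]


# --- constructed sample streams (not taken from the thread's captures) ---
def _pkt(seq: int, payload: bytes) -> bytes:
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# max packet size (4 bytes), charset (1 byte), reserved filler (23 bytes)
_HEAD = (16 << 20).to_bytes(4, "little") + b"\x21" + bytes(23)
PLAIN = (_pkt(1, (CLIENT_PROTOCOL_41 | 0x8000).to_bytes(4, "little") + _HEAD
              + b"koha_koha\x00\x00")
         + _pkt(0, bytes([COM_QUERY]) + b"SELECT 1"))
TLS = (_pkt(1, (CLIENT_PROTOCOL_41 | CLIENT_SSL).to_bytes(4, "little") + _HEAD)
       + b"\x16\x03\x01\x00\x05hello")
```

A "plaintext" result on a connection that was configured for TLS means the client logged in without encryption, which a visual diff of two dumps can miss.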

[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-01-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Mirko Tietgen  changed:

   What|Removed |Added

 Status|Patch doesn't apply |Signed Off

--- Comment #10 from Mirko Tietgen  ---
I rebased it and tested using tcpdump.



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-01-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Mirko Tietgen  changed:

   What|Removed |Added

  Attachment #45992 is obsolete|0   |1

--- Comment #9 from Mirko Tietgen  ---
Created attachment 59383
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=59383=edit
Bug 15427 : Enable TLS support for MySQL

In summary, changes are:
1) If you have chosen MySQL, Makefile.PL will ask you if you want TLS (default:
"no"), and then the locations for CA cert, client cert and client key
(reasonable defaults are provided). Settings , ,  and  are
added in koha-conf.xml
2) If yes in koha-conf.xml, the installer and database connection
scripts add the TLS options in both DBI connection strings and mysql command
line

To test
1/ Apply patch
2/ Check everything still works and db connections are the same as before
3/ Either run Makefile.PL and step through the options or edit your
koha-conf.xml to enable TLS
4/ Check db connections are still working

Patch provided to me by Dimitris Kamenopoulos and I reformatted it into a git
patch, any errors are probably mine

Signed-off-by: Mirko Tietgen 



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-01-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

--- Comment #8 from Mirko Tietgen  ---
Caused by changes in bug 13669.



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-01-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Mirko Tietgen  changed:

   What|Removed |Added

 Status|Needs Signoff   |Patch doesn't apply

--- Comment #7 from Mirko Tietgen  ---
This needs a rebase.



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2017-01-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

M. Tompsett  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16690
 CC||mtomp...@hotmail.com

--- Comment #6 from M. Tompsett  ---
Bug 16690 would make testing this easier, I think.



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2016-06-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Owen Leonard  changed:

   What|Removed |Added

   Assignee|gmcha...@gmail.com  |ch...@bigballofwax.co.nz



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2016-03-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Srdjan Jankovic  changed:

   What|Removed |Added

 CC||srd...@catalyst.net.nz

--- Comment #5 from Srdjan Jankovic  ---
You can
a) install mysql 5.7, that one fails to connect if you ask for ssl and cannot
do it, or
b) use tcpdump, it will be fairly obvious whether the connection is encrypted



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2016-01-28 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

--- Comment #3 from Chris Cormack  ---
(In reply to Mirko Tietgen from comment #2)
> Can this be tested locally or do I need to set up an external MySQL DB?

You should be able to test it locally, just make sure MySQL is running on a
port not a socket.



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2016-01-28 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

--- Comment #4 from Mirko Tietgen  ---
When I set  to yes and add nothing in the cert fields, it seems to work as
before. I don't think it should? I also wonder how to verify that it actually
uses TLS.



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2016-01-28 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

--- Comment #2 from Mirko Tietgen  ---
Can this be tested locally or do I need to set up an external MySQL DB?



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2016-01-26 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Mirko Tietgen  changed:

   What|Removed |Added

 CC||mi...@abunchofthings.net



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2015-12-26 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

--- Comment #1 from Chris Cormack  ---
Created attachment 45992
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=45992=edit
Bug 15427 : Enable TLS support for MySQL

In summary, changes are:
1) If you have chosen MySQL, Makefile.PL will ask you if you want TLS (default:
"no"), and then the locations for CA cert, client cert and client key
(reasonable defaults are provided). Settings , ,  and  are
added in koha-conf.xml
2) If yes in koha-conf.xml, the installer and database connection
scripts add the TLS options in both DBI connection strings and mysql command
line

To test
1/ Apply patch
2/ Check everything still works and db connections are the same as before
3/ Either run Makefile.PL and step through the options or edit your
koha-conf.xml to enable TLS
4/ Check db connections are still working

Patch provided to me by Dimitris Kamenopoulos and I reformatted it into a git
patch, any errors are probably mine



[Koha-bugs] [Bug 15427] Allow db connections using TLS

2015-12-26 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15427

Chris Cormack  changed:

   What|Removed |Added

 Status|NEW |Needs Signoff
