Hi Quentin,

I've looked for this function in the source code of SOGo, but couldn't find it yet.

Most of the time, people mix up a lot about TLS:

I have a mariadb server which is configured to only accept connections via TLS on port 3306.

So a client has to do a STARTTLS before logging in. Then the server provides its server certificate, which the client should verify against all known and trusted CA certificates.

If the server should then also verify the identity of the client, the client can provide its client certificate,
which the server can then verify against all the CA certificates it knows.

In our case we don't use client certificates (so no certificate for the sogo mysql client).

I expected the options

  MySQL4SSLEnabled = YES;
  MySQL4SSLCaPath = "/etc/certs/ca_chain.crt";

would be enough to enable TLS and verification of the server certificate.

But if I do a tcpdump between the sogo machine and the mariadb server I can't see any switch to TLS.

Therefore the DB server rejects the plain login attempt.

The question now is whether SOGo can do what I expect?

Or am I missing something?

Kind regards,

Thomas

On 2/7/25 16:04, qhivert (qhiv...@alinto.eu) wrote:
If this is any help, SOGo uses the MySQL library and this method to set the SSL:
https://dev.mysql.com/doc/c-api/5.7/en/mysql-ssl-set.html

mysql_ssl_set(MYSQL *mysql,
              const char *key,     -> MySQL4SSLKeyPath
              const char *cert,    -> MySQL4SSLCertPath
              const char *ca,      -> MySQL4SSLCaPath
              const char *capath,  -> NULL
              const char *cipher)  -> NULL

Quentin

-----Original Message-----
From: users-requ...@sogo.nu <users-requ...@sogo.nu> On Behalf Of Thomas Gebert
Sent: vendredi 7 février 2025 15:58
To: users@sogo.nu
Subject: Re: [SOGo] SOGo doesn't use TLS with mariadb

Hello,

thanks for the fast reply.

These two files would be the certificate of the sogo machine.
But I haven't configured client certificates for mariadb.

But I will try it ...

Greetings

Thomas

On 2/7/25 15:53, qhivert (qhiv...@alinto.eu) wrote:
Hello,
Have you tried by adding those too?

MySQL4SSLKeyPath = "/etc/certs/default_key.key";
MySQL4SSLCertPath = "/etc/certs/default_cert.crt";

Quentin

-----Original Message-----
From: users-requ...@sogo.nu <users-requ...@sogo.nu> On Behalf Of
Thomas Gebert
Sent: vendredi 7 février 2025 15:43
To: users@sogo.nu
Subject: [SOGo] SOGo doesn't use TLS with mariadb

Hello,

I have set up a MariaDB server tgt-db01.cluster.lxc (10.0.3.45) with

=========================================
[mariadb]
bind-address=*
port = 3306

max_allowed_packet = 32M
max_connections = 800

log-bin                         # enable binary logging

## SSL settings
ssl_cert = /etc/certs/default_cert.crt
ssl_key = /etc/certs/default_key.key
ssl_ca = /etc/certs/ca_chain.crt
require_secure_transport=ON

[client-mariadb]
ssl_ca = /etc/certs/ca_chain.crt
ssl-verify-server-cert = TRUE
=========================================

SOGo is configured:

     /* Database */
     SOGoProfileURL = "mysql://sogo:c179eF5r43Bl=F84h1sie_F1i0tra1@10.0.3.45:3306/sogo/sogo_user_profile";
     OCSFolderInfoURL = "mysql://sogo:c179eF5r43Bl=F84h1sie_F1i0tra1@10.0.3.45:3306/sogo/sogo_folder_info";
     OCSSessionsFolderURL = "mysql://sogo:c179eF5r43Bl=F84h1sie_F1i0tra1@10.0.3.45:3306/sogo/sogo_sessions_folder";
     OCSEMailAlarmsFolderURL = "mysql://sogo:c179eF5r43Bl=F84h1sie_F1i0tra1@10.0.3.45:3306/sogo/sogo_alarms_folder";

     MySQL4SSLEnabled = YES;
     MySQL4SSLCaPath = "/etc/certs/ca_chain.crt";

But when I test the connection with tcpdump I can only see a plain login connection.

Can anybody see what is wrong?

I double-checked the (self-signed) certificates ...

When I change the setting require_secure_transport for mariadb to OFF and restart the instance, sogo can connect.

To make it clear, I want to set up TLS for the server side but until now I don't want a client certificate.

I don't understand why it doesn't work.

Greetings

Thomas

--
Heinlein Consulting GmbH
Schwedter Str. 8/9b, 10119 Berlin
https://www.heinlein-support.de Tel: 030 / 40 50 51 - 0
Fax: 030 / 40 50 51 - 19
Amtsgericht Berlin-Charlottenburg - HRB 220009 B
Geschäftsführer: Peer Heinlein - Sitz: Berlin

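The thread turns on one observable fact: whether the client ever asks the server to switch to TLS. In the MySQL client/server protocol that request is visible in the clear, because a client that wants TLS answers the server greeting with a 32-byte SSLRequest packet (capability flags with CLIENT_SSL set, nothing else) and only then starts the TLS handshake; a client that does not want TLS answers with a full HandshakeResponse41, which carries the user name in plain text. The decoder below is an added example written for this thread; it is not SOGo, MariaDB or libmysqlclient code. It assumes the capture has already been split into its two directions (as a follow-stream tool does), it only handles the protocol-4.1 handshake, and the byte strings at the bottom are constructed by hand to mirror the two cases described above, not taken from a real capture.

```python
"""Decode the start of a MySQL/MariaDB session and report whether the
client asked for TLS.  Added example; not SOGo, MariaDB or libmysqlclient
code.  Sample traffic below is constructed, not captured."""
import struct

# Capability flag bits from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def read_packet(stream: bytes, off: int = 0):
    """Return (sequence_id, payload, next_offset) for the MySQL packet at off.
    A packet is a 3-byte little-endian payload length, a 1-byte sequence id
    and the payload."""
    if off + 4 > len(stream):
        raise ValueError("truncated packet header")
    length = int.from_bytes(stream[off:off + 3], "little")
    payload = stream[off + 4:off + 4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet payload")
    return stream[off + 3], payload, off + 4 + length


def parse_server_greeting(payload: bytes) -> dict:
    """Parse a HandshakeV10 greeting (server -> client, sequence id 0):
    protocol version (1), server version (NUL-terminated), connection id (4),
    auth-plugin-data-part-1 (8), filler (1), capability flags low (2),
    charset (1), status flags (2), capability flags high (2), ..."""
    if payload[0] != 10:
        raise ValueError("not a HandshakeV10 greeting")
    end = payload.index(b"\x00", 1)
    pos = end + 1
    conn_id, = struct.unpack_from("<I", payload, pos)
    pos += 4 + 8 + 1
    cap_low, = struct.unpack_from("<H", payload, pos)
    pos += 2 + 1 + 2
    cap_high, = struct.unpack_from("<H", payload, pos)
    caps = cap_low | (cap_high << 16)
    return {"server_version": payload[1:end].decode(), "connection_id": conn_id,
            "capabilities": caps, "tls_offered": bool(caps & CLIENT_SSL)}


def parse_client_packet(payload: bytes) -> dict:
    """Parse the first client packet after the greeting (sequence id 1).
    SSLRequest and HandshakeResponse41 share a 32-byte head: capability
    flags (4), max packet size (4), charset (1), reserved (23).  An SSLRequest
    ends there and the TLS handshake follows on the wire; a HandshakeResponse41
    continues with the NUL-terminated user name, i.e. the login went out plain."""
    if len(payload) < 32:
        raise ValueError("client packet too short")
    caps, _max_packet, _charset = struct.unpack_from("<IIB", payload, 0)
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("pre-4.1 handshake not handled here")
    wants_tls = bool(caps & CLIENT_SSL)
    if len(payload) == 32 and wants_tls:
        return {"kind": "SSLRequest", "tls_requested": True, "user": None}
    end = payload.index(b"\x00", 32)
    return {"kind": "HandshakeResponse41", "tls_requested": wants_tls,
            "user": payload[32:end].decode()}


def classify_session(server_to_client: bytes, client_to_server: bytes) -> dict:
    """Given the two directions of one TCP stream (assumed already split per
    direction), say whether the client switched to TLS."""
    _, greeting, _ = read_packet(server_to_client)
    server = parse_server_greeting(greeting)
    _, first, end = read_packet(client_to_server)
    client = parse_client_packet(first)
    # After an SSLRequest the next bytes are a TLS record (content type 0x16,
    # a handshake record carrying the ClientHello), not another MySQL packet.
    tls_record = (client["kind"] == "SSLRequest"
                  and client_to_server[end:end + 1] == b"\x16")
    return {"server_offers_tls": server["tls_offered"],
            "client_requested_tls": client["tls_requested"],
            "client_packet": client["kind"], "user_in_clear": client["user"],
            "tls_record_follows": tls_record}


# ---- constructed sample traffic (not a real capture) ----
def mysql_packet(seq: int, payload: bytes) -> bytes:
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


SERVER_GREETING = (
    b"\x0a" + b"10.6.0-MariaDB-log\x00" + struct.pack("<I", 42)
    + b"abcdefgh" + b"\x00"
    + struct.pack("<H", 0x8a0f)   # low caps incl. PROTOCOL_41, SSL, SECURE_CONNECTION
    + b"\x21" + struct.pack("<H", 0x0002)
    + struct.pack("<H", 0x0008)   # high caps: PLUGIN_AUTH
    + b"\x15" + b"\x00" * 10 + b"ijklmnopqrst\x00" + b"mysql_native_password\x00"
)
CLIENT_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH


def client_head(caps: int) -> bytes:
    return struct.pack("<IIB", caps, 1 << 24, 0x21) + b"\x00" * 23


SERVER_STREAM = mysql_packet(0, SERVER_GREETING)
# Client that switches to TLS: 32-byte SSLRequest, then a TLS ClientHello record.
TLS_CLIENT_STREAM = (mysql_packet(1, client_head(CLIENT_CAPS | CLIENT_SSL))
                     + b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03")
# Client that never asks for TLS: user name and auth response in the clear.
PLAIN_CLIENT_STREAM = mysql_packet(1, client_head(CLIENT_CAPS) + b"sogo\x00"
                                   + b"\x14" + b"\x00" * 20 + b"mysql_native_password\x00")

if __name__ == "__main__":
    for name, stream in (("tls", TLS_CLIENT_STREAM), ("plain", PLAIN_CLIENT_STREAM)):
        print(name, classify_session(SERVER_STREAM, stream))
```

Run against the SOGo-to-MariaDB stream from the tcpdump in the thread, a result with `client_packet == "HandshakeResponse41"` and the user name in the clear means the client library never requested TLS, regardless of what the server offers; `server_offers_tls` tells you whether the CLIENT_SSL bit was in the greeting at all. Two quick complementary checks on the server side: `openssl s_client -connect 10.0.3.45:3306 -starttls mysql -CAfile /etc/certs/ca_chain.crt` (OpenSSL 1.1.0 or newer) confirms the server side negotiates TLS with that CA chain, and `SHOW STATUS LIKE 'Ssl_cipher'` inside a session shows whether that session is actually encrypted.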