Hi Quentin,
I've looked for this function in the source code of SOGo, but couldn't
find it yet.
Most of the time people mix up a lot about TLS:
I have a mariadb server which is configured to only accept connections
via TLS on port 3306.
So a client has to do a STARTTLS before logging in. Then the server
provides its server certificate,
which the client should verify against all known and trusted CA
certificates.
If the server should then also verify the identity of the client, the
client can provide its client certificate,
which the server can then verify against all CA certificates it knows.
In our case we don't use client certificates (so no certificate for the
sogo mysql client).
I expected the options
MySQL4SSLEnabled = YES;
MySQL4SSLCaPath = "/etc/certs/ca_chain.crt";
would be enough to enable TLS and the verification of the server certificate.
But if I do a tcpdump between the sogo machine and the mariadb server I
can't see any switch to TLS.
Therefore the DB server rejects the plain login attempt.
The question now is whether SOGo can do what I expect?
Or am I missing something?
Kind regards,
Thomas
On 2/7/25 16:04, qhivert (qhiv...@alinto.eu) wrote:
If this is any help, SOGo uses the MySQL library and this method to set the SSL:
https://dev.mysql.com/doc/c-api/5.7/en/mysql-ssl-set.html
mysql_ssl_set(MYSQL *mysql,
const char *key, -> MySQL4SSLKeyPath
const char *cert, -> MySQL4SSLCertPath
const char *ca, -> MySQL4SSLCaPath
const char *capath, -> Null
const char *cipher) -> Null
Quentin
-----Original Message-----
From: users-requ...@sogo.nu <users-requ...@sogo.nu> On Behalf Of Thomas Gebert
Sent: Friday, 7 February 2025 15:58
To: users@sogo.nu
Subject: Re: [SOGo] SOGo doesn't use TLS with mariadb
Hello,
thanks for the fast reply.
These two files would be the certificate of the sogo machine.
But I haven't configured client certificates for mariadb.
But I will try it ...
Greetings
Thomas
On 2/7/25 15:53, qhivert (qhiv...@alinto.eu) wrote:
Hello,
Have you tried by adding those too?
MySQL4SSLKeyPath = "/etc/certs/default_key.key";
MySQL4SSLCertPath = "/etc/certs/default_cert.crt";
Quentin
-----Original Message-----
From: users-requ...@sogo.nu <users-requ...@sogo.nu> On Behalf Of
Thomas Gebert
Sent: Friday, 7 February 2025 15:43
To: users@sogo.nu
Subject: [SOGo] SOGo doesn't use TLS with mariadb
Hello,
I have set up a mariadb server tgt-db01.cluster.lxc (10.0.3.45) with
=========================================
[mariadb]
bind-address=*
port = 3306
max_allowed_packet = 32M
max_connections = 800
log-bin # enable binary logging
## SSL settings
ssl_cert = /etc/certs/default_cert.crt
ssl_key = /etc/certs/default_key.key
ssl_ca = /etc/certs/ca_chain.crt
require_secure_transport=ON
[client-mariadb]
ssl_ca = /etc/certs/ca_chain.crt
ssl-verify-server-cert = TRUE
=========================================
SOGo is configured:
/* Database */
SOGoProfileURL =
"mysql://sogo:c179eF5r43Bl=F84h1sie_F1i0tra1@10.0.3.45:3306/sogo/sogo_user_profile";
OCSFolderInfoURL =
"mysql://sogo:c179eF5r43Bl=F84h1sie_F1i0tra1@10.0.3.45:3306/sogo/sogo_folder_info";
OCSSessionsFolderURL =
"mysql://sogo:c179eF5r43Bl=F84h1sie_F1i0tra1@10.0.3.45:3306/sogo/sogo_sessions_folder";
OCSEMailAlarmsFolderURL =
"mysql://sogo:c179eF5r43Bl=F84h1sie_F1i0tra1@10.0.3.45:3306/sogo/sogo_alarms_folder";
MySQL4SSLEnabled = YES;
MySQL4SSLCaPath = "/etc/certs/ca_chain.crt";
But when I test the connection with tcpdump I can only see a plain login
connection.
Can anybody see what is wrong?
I double checked the (selfsigned) certificates ...
When I change the setting require_secure_transport for mariadb to OFF and
restart the instance sogo can connect.
To make it clear, I want to set up TLS for the serverside but until now I don't
want a client certificate.
I don't understand why it doesn't work.
Greetings
Thomas
--
Heinlein Consulting GmbH
Schwedter Str. 8/9b, 10119 Berlin
https://www.heinlein-support.de
Tel: 030 / 40 50 51 - 0
Fax: 030 / 40 50 51 - 19
Amtsgericht Berlin-Charlottenburg - HRB 220009 B
Geschäftsführer: Peer Heinlein - Sitz: Berlin
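The thread's tcpdump observation ("a plain login, no switch to TLS") can be checked mechanically on the client's first handshake packet: a client that wants TLS sends a 32-byte SSLRequest with the CLIENT_SSL capability bit set and then starts the TLS handshake, while a plaintext login sends a HandshakeResponse41 that carries the username in the clear. The following parser is an added example, not code from SOGo or from anyone in this thread; the packets it inspects are constructed inline (the username "sogo" and the plugin name are sample values), and a real capture would come from the bytes tcpdump shows right after the server greeting.

```python
import struct

# MySQL/MariaDB client capability flags (protocol 4.1)
CLIENT_CONNECT_WITH_DB = 0x00000008
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000


def build_client_packet(caps, username=None, auth=b"", db=None, plugin=None, seq=1):
    """Build a sample client packet: an SSLRequest when username is None,
    otherwise a HandshakeResponse41. Only used to construct test input here."""
    body = struct.pack("<IIB", caps, 16 * 1024 * 1024, 45) + b"\x00" * 23  # 45 = utf8mb4
    if username is not None:
        body += username.encode() + b"\x00"
        if caps & (CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA | CLIENT_SECURE_CONNECTION):
            body += bytes([len(auth)]) + auth  # 1-byte length, valid for replies < 251 bytes
        else:
            body += auth + b"\x00"
        if caps & CLIENT_CONNECT_WITH_DB:
            body += db.encode() + b"\x00"
        if caps & CLIENT_PLUGIN_AUTH:
            body += plugin.encode() + b"\x00"
    return struct.pack("<I", len(body))[:3] + bytes([seq]) + body


def classify_client_handshake(pkt):
    """Decode the first client packet sent after the server greeting.
    Returns whether TLS was requested and, for a plaintext login, what it leaks."""
    if len(pkt) < 4 + 32:
        raise ValueError("too short for a protocol-4.1 client handshake")
    body = pkt[4:4 + int.from_bytes(pkt[0:3], "little")]  # 3-byte LE length, 1-byte seq
    caps, _max_pkt, _charset = struct.unpack_from("<IIB", body, 0)
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("pre-4.1 handshake not supported")
    res = {"tls_requested": bool(caps & CLIENT_SSL), "username": None,
           "database": None, "auth_plugin": None}
    if len(body) == 32:  # SSLRequest: fixed header only, TLS ClientHello follows
        return res
    pos = 32
    end = body.index(b"\x00", pos)
    res["username"] = body[pos:end].decode(errors="replace")  # sent in the clear
    pos = end + 1
    if caps & (CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA | CLIENT_SECURE_CONNECTION):
        pos += 1 + body[pos]  # skip the auth response (assumes < 251 bytes)
    else:
        pos = body.index(b"\x00", pos) + 1
    if caps & CLIENT_CONNECT_WITH_DB:
        end = body.index(b"\x00", pos)
        res["database"] = body[pos:end].decode()
        pos = end + 1
    if caps & CLIENT_PLUGIN_AUTH:
        res["auth_plugin"] = body[pos:body.index(b"\x00", pos)].decode()
    return res


# Constructed samples: the plaintext login the thread saw, and what a TLS client sends instead.
PLAIN_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH | CLIENT_CONNECT_WITH_DB
SAMPLE_PLAIN = build_client_packet(PLAIN_CAPS, "sogo", b"\x11" * 20, "sogo", "mysql_native_password")
SAMPLE_TLS = build_client_packet(PLAIN_CAPS | CLIENT_SSL)
```

With require_secure_transport=ON the server answers the first sample with an error before any password exchange, which matches the rejected login seen in the thread.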