[ZBXNEXT-3313] Implement support for TLS on MySQL connections Created: 2016 Jun 18  Updated: 2017 Jun 27  Resolved: 2017 Jun 27

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Proxy (P), Server (S)
Affects Version/s: 2.2.13, 2.4.8, 3.0.3
Fix Version/s: None

Type: New Feature Request Priority: Minor
Reporter: Scott Buettner Assignee: Unassigned
Resolution: Duplicate Votes: 3
Labels: database, encryption, mysql, patch
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: MySQL

Attachments: Text File tls_2.2.13.patch
Issue Links:
Duplicate
duplicates ZBXNEXT-2753 Add support for using SSL when connec... Closed

Description

Zabbix does not currently have support for TLS on MySQL connections between the Server/Proxy and the database. This would be desirable for increased security in cloud environments, such as Amazon Web Services (Amazon RDS offers TLS but Zabbix does not have a way to take advantage of it).

MySQL TLS docs:

http://dev.mysql.com/doc/refman/5.5/en/secure-connections.html
http://dev.mysql.com/doc/refman/5.5/en/mysql-ssl-set.html

I have attached a patch for 2.2.13 that adds this support. I am happy to patch 2.4.8 and 3.0.3 once I get some feedback on code style/acceptance.

Patch Testing:

I have successfully compiled this patch against MySQL client library version 5.5, and verified that with the new configuration parameters in place the connection uses TLS (using MySQL's ability to 'REQUIRE SSL' on user accounts). Testing was done with self-signed certificates. Using the same self-signed certificate for both sides (certificate and CA) connects, using a different certificate for each side does not connect (valid behavior). Proxy and Server both behave as desired. I also tested that --with-sqlite3 vs --with-mysql still functions as expected with this patch in place.



Comments
Comment by Marc [ 2016 Jun 20 ]

dasterin,

in regard to "[...] code style/acceptance [...]" you can take a look at:
http://zabbix.org/wiki/Docs/specs/coding_style

Comment by Glebs Ivanovskis (Inactive) [ 2017 Jan 26 ]

I can't comment on "acceptance", but the coding style is pretty decent and Zabbix-like. Speaking of the version to patch: always go for trunk. New features (which this request is) can only be implemented in trunk and made available in a new major release.

What I am reading from MySQL documentation is:

mysql_ssl_set() provides information for establishing a secure connection, but does not require that the connection established actually be encrypted. To require a secure connection prior to calling mysql_real_connect(), call mysql_options(), passing the MYSQL_OPT_SSL_MODE option with a value of SSL_MODE_REQUIRED.

We would need to spend a lot of time investigating this sensitive subject and covering all aspects that might go wrong (e.g. parameter validation for the TLS support added in 3.0 takes ~2k lines of code).
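
The reporter's test method ("REQUIRE SSL on user accounts") and the MySQL documentation quoted above point at the same defensive check: enforce encryption on the server side per account, so that a client which only called mysql_ssl_set() and silently fell back to plaintext is rejected rather than accepted, and verify the negotiated cipher of an established session. The following is an added example, not part of the attached patch or of Zabbix; the account name 'zabbix'@'%', the database name zabbix and the password are constructed placeholders. The GRANT form matches the MySQL 5.5 documentation linked in the description; the CREATE USER form is for 5.7.6 and later.

```sql
-- Constructed example: enforce and verify TLS for the Zabbix database account.
-- Assumed names (not from the page): user 'zabbix'@'%', database 'zabbix'.

-- 1. Account-level enforcement. REQUIRE SSL rejects any plaintext login for this
--    account, regardless of what the client library decided to negotiate.
--    MySQL 5.5 syntax (as in the docs linked above):
GRANT ALL PRIVILEGES ON zabbix.* TO 'zabbix'@'%'
    IDENTIFIED BY 'CHANGE-ME-placeholder' REQUIRE SSL;
FLUSH PRIVILEGES;

--    MySQL 5.7.6+ / 8.0 equivalent:
-- CREATE USER 'zabbix'@'%' IDENTIFIED BY 'CHANGE-ME-placeholder' REQUIRE SSL;
-- GRANT ALL PRIVILEGES ON zabbix.* TO 'zabbix'@'%';

--    To reproduce the two-sided setup tested in the description (server also
--    demands a client certificate signed by a CA it trusts), use REQUIRE X509
--    instead of REQUIRE SSL.

-- 2. Confirm the requirement is actually stored on the account.
--    ssl_type is 'ANY' for REQUIRE SSL and 'X509' for REQUIRE X509; '' means
--    the account still accepts plaintext.
SELECT user, host, ssl_type FROM mysql.user WHERE user = 'zabbix';
SHOW GRANTS FOR 'zabbix'@'%';

-- 3. From the session the Zabbix server/proxy actually opened, check what was
--    negotiated. An empty Ssl_cipher means the connection is NOT encrypted,
--    which is exactly the silent fallback the quoted documentation warns about.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';
```

With step 1 in place, a patched server that presents certificates but has not required encryption fails its login instead of quietly running in plaintext, so the misconfiguration surfaces in the Zabbix log at startup; step 3 is the positive confirmation to run once the connection succeeds.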

Comment by Glebs Ivanovskis (Inactive) [ 2017 Jun 27 ]

Closing as Duplicate of ZBXNEXT-2753.
