Add documentation to sites/default/default.settings.php describing how to use the $databases[default][default][pdo] array to make a secure connection to a MySQL DB.
Comment | File | Size | Author |
---|---|---|---|
#44 | 1926284-44.patch | 1.39 KB | ravi.shankar |
#29 | drupal-n1926284-29.patch | 1.38 KB | gaurav.kapoor |
#26 | interdiff-21-26.txt | 563 bytes | gaurav.kapoor |
#26 | drupal-n1926284-26.patch | 1.4 KB | gaurav.kapoor |
#21 | interdiff-18-21.txt | 950 bytes | gaurav.kapoor |
Comments
Comment #1
JWSmith CreditAttribution: JWSmith commented
Proposed additions supplied in attached patch file.
Comment #2
shrop CreditAttribution: shrop commented
Changing status to needs review
Comment #3
shrop CreditAttribution: shrop commented
I manually applied the patch in #1 and it worked/looked fine except for one small misspelling. I corrected that and attached an updated patch to this comment.
I also use @JohnWSmith's method for setting up MySQL communications over SSL in the settings.php file. It works nicely. I think this documentation addition will raise awareness of this security-related configuration. I would also like to see this in core so it is available without patching in the Guardr Drupal security distribution (at this time, inclusion in Guardr will require a 7.x backport).
Comment #4
danblack CreditAttribution: danblack commented
Looks good here. Good work.
Comment #5
McGo CreditAttribution: McGo at undpaul commented
Patch from #3 applied successfully and looks good.
Comment #7
tomthorp CreditAttribution: tomthorp commented
I'm currently running Drupal 8.1.8 on a Fedora 24 server with the following configuration:
PHP 7.0.9
MariaDB 10.0.16
PHP-FPM
Apache 2.4.23
I have been able to create the SSL certificates for the CA, server and client, and have successfully tested connectivity via the MySQL client. However, I have not been able to connect Drupal 8 to the MariaDB database via SSL. I have seen two different versions of the database configuration in settings.php on drupal.org, but both versions have been unsuccessful.
Scenario 1
=========
```php
$databases['default']['default'] = array (
  'database' => 'drupal8',
  'username' => 'dbuserssh',
  'password' => '****',
  'prefix' => '',
  'host' => '127.0.0.1',
  'port' => '3306',
  'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
  'driver' => 'mysql',
  'pdo' => array(
    MYSQL_ATTR_SSL_KEY => '/sites/tomthorp_intnet/client-key.pem',
    MYSQL_ATTR_SSL_CERT => '/sites/tomthorp_intnet/client-cert.pem',
    MYSQL_ATTR_SSL_CA => '/sites/tomthorp_intnet/ca.pem',
  ),
);
```
yields ....
[13-Aug-2016 03:43:03 UTC] PDOException: SQLSTATE[HY000] [1045] Access denied for user 'dbuserssh'@'localhost' (using password: YES) in /usr/share/website/drupal/core/lib/Drupal/Component/DependencyInjection/PhpArrayContainer.php on line 79
Scenario 2
=========
```php
$databases['default']['default'] = array (
  'database' => 'drupal8',
  'username' => 'dbuserssh',
  'password' => '******',
  'prefix' => '',
  'host' => '127.0.0.1',
  'port' => '3306',
  'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
  'driver' => 'mysql',
  'pdo' => array(
    PDO::MYSQL_ATTR_SSL_KEY => '/sites/tomthorp_intnet/client-key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/sites/tomthorp_intnet/client-cert.pem',
    PDO::MYSQL_ATTR_SSL_CA => '/sites/tomthorp_intnet/ca.pem',
  ),
);
```
yields ....
[13-Aug-2016 03:36:27 UTC] PDOException: SQLSTATE[HY000] [2002] in /usr/share/website/drupal/core/lib/Drupal/Component/DependencyInjection/PhpArrayContainer.php on line 79
Has anyone been able to get SSL database connectivity to work in Drupal 8? There appear to be plenty of examples of SSL working in Drupal 7. Any input would be much appreciated.
Comment #10
cferthorney
This works on my Drupal 8 setup. Should we consider a "Backport to D7" tag?
Comment #11
shrop CreditAttribution: shrop at Mediacurrent commented
Comment #12
DamienMcKenna
Rerolled, moved the word "the" to a previous line and changed the array to short syntax.
Comment #13
daffie CreditAttribution: daffie commented
The patch looks good, but I have some remarks:
Comment #14
gaurav.kapoor CreditAttribution: gaurav.kapoor at OpenSense Labs commented
Comment #15
gaurav.kapoor CreditAttribution: gaurav.kapoor at OpenSense Labs commented
Comment #16
gaurav.kapoor CreditAttribution: gaurav.kapoor at OpenSense Labs commented
Please ignore that one. I will upload another patch.
Comment #17
gaurav.kapoor CreditAttribution: gaurav.kapoor at OpenSense Labs commented
Comment #18
Pavan B S CreditAttribution: Pavan B S at Valuebound commented
Line exceeding 80 characters
Applying the patch, please review.
Comment #19
daffie CreditAttribution: daffie commented
Looks better. Some remarks:
Can we change this to: "For requiring a SSL connection to a PostgreSQL database add:"
There are no such PDO attributes for PostgreSQL
Comment #20
gaurav.kapoor CreditAttribution: gaurav.kapoor at OpenSense Labs commented
Thanks for the review @daffie. Regarding 19.2, I also wasn't sure about them; I saw that in some solutions on StackExchange. Is the MySQL way sufficient for PostgreSQL as well?
Comment #21
gaurav.kapoor CreditAttribution: gaurav.kapoor at OpenSense Labs commented
Comment #22
daffie CreditAttribution: daffie commented
Looks good to me. Just one remark:
Can we change the text to: "SQLite databases do not support a SSL connection, because they only live on the localhost."
Comment #23
shrop CreditAttribution: shrop at Mediacurrent commented
Adding Guardr tag back in. We use this for tracking issues related to the Guardr distro. Thanks!
Comment #24
daffie CreditAttribution: daffie commented
@shrop: Sorry about removing the tag.
Comment #25
shrop CreditAttribution: shrop at Mediacurrent commented
@daffie: No worries! Thanks for the help on this issue!
Comment #26
gaurav.kapoor CreditAttribution: gaurav.kapoor at OpenSense Labs commented
Comment #27
daffie CreditAttribution: daffie commented
Looks good to me.
@gaurav.kapoor: Thanks for working on this.
Comment #28
cilefen CreditAttribution: cilefen commented
Thank you all for picking this one up. It is needed.
"the'pdo'"
I am not sure what "database layer" means in this context. It just seems confusing. Are we not talking about "network connection security"?
a/an
a/an, some text wrapping issues. I would suggest "...do not support SSL connections."
"of the database" is not needed.
All in all, this patch needs work. It starts off by explaining that advanced users can do something with PDO for MySQL, then moves on to (seemingly) non-PDO instructions for Postgre, then discusses SQLite, then back to a general statement about PDO. So, the organization could be much improved.
Comment #29
gaurav.kapoor CreditAttribution: gaurav.kapoor at OpenSense Labs commented
Fixed some of the points suggested in 28 and rearranged documentation contents.
Comment #31
damontgomery CreditAttribution: damontgomery commented
I'm seeing the same issues as #7. Because of this, I'm marking this as `needs work`. As far as I can tell, the constants are written incorrectly and with the right ones, there are issues.
I'm using Drupal 8.3.7 core by itself with MySQL 5.7.19 on RHEL.
Namely, the patches point to constants
MYSQL_ATTR_SSL_KEY
MYSQL_ATTR_SSL_CERT
MYSQL_ATTR_SSL_CA
These don't seem to exist. The following constants do exist and are mentioned in some of the comments. See http://php.net/manual/en/ref.pdo-mysql.php for these constants as well.
PDO::MYSQL_ATTR_SSL_KEY
PDO::MYSQL_ATTR_SSL_CERT
PDO::MYSQL_ATTR_SSL_CA
If the problematic constants are used, they seem to be ignored. See drush sql-connect and you get something like
mysql --user=myuser --password='mypassword' --database=mydatabase --host=localhost --port=3306
You'll see in the following that there should be several additional parameters that start with --ssl.
If you use the available ones (with PDO::), you get the variables reported, but Drupal cannot fully connect, sql-connect,
mysql --user=myuser --password='mypassword' --database=mydatabase --host=localhost --port=3306 --ssl-ca=/path/to/cert/ca-cert.pem --ssl-cert=/path/to/cert/client-cert.pem --ssl-key=/path/to/cert/client-key.pem
If I add the `PDO::` constants, drush sqlc as well as the string from drush sql-connect work, but drush status produces the error
PDOException: SQLSTATE[HY000] [2002] in /[path-to-docroot]/core/lib/Drupal/Component/DependencyInjection/PhpArrayContainer.php on line 79 #0 /[path-to-docroot]/core/lib/Drupal/Core/Database/Driver/mysql/Connection.php(149): PDO->__construct('mysql:host=loca...', 'myuser', 'mypassword...', Array)
Similarly, the site will not load.
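An added example, not code from this issue or from Drupal core: the settings.php fragment with the PDO:: constants this comment names, plus a hypothetical CLI helper, mysql_tls_cipher(), that opens the connection with the same DSN shape and 'pdo' options Drupal's mysql driver uses and returns the negotiated cipher, so the session can be confirmed encrypted before the installer is run. The host, certificate paths and credentials are placeholders.

```php
<?php
// The bare MYSQL_ATTR_SSL_* names are undefined constants (a warning in PHP 7,
// an Error in PHP 8); the attributes must be the PDO:: class constants.
// Host, paths and credentials below are placeholders for this example.
$databases['default']['default'] = [
  'database' => 'drupal8',
  'username' => 'dbuserssl',
  'password' => 'REPLACE_ME',
  'prefix' => '',
  'host' => 'db.example.test',
  'port' => '3306',
  'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
  'driver' => 'mysql',
  'pdo' => [
    PDO::MYSQL_ATTR_SSL_CA   => '/etc/ssl/mysql/ca.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/etc/ssl/mysql/client-cert.pem',
    PDO::MYSQL_ATTR_SSL_KEY  => '/etc/ssl/mysql/client-key.pem',
    // Do not add PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false here: the
    // default (true) is what makes the CA check worth anything.
  ],
];

/**
 * Opens the DB the way Drupal's mysql driver does (same DSN shape and the
 * 'pdo' options) and returns the negotiated TLS cipher, or '' when the
 * session is plaintext. Hypothetical helper; run it from the CLI.
 */
function mysql_tls_cipher(array $info): string {
  $dsn = sprintf('mysql:host=%s;port=%s;dbname=%s',
    $info['host'], $info['port'], $info['database']);
  $pdo = new PDO($dsn, $info['username'], $info['password'], $info['pdo']);
  $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  // Ssl_cipher is empty on an unencrypted session in MySQL and MariaDB.
  $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")
             ->fetch(PDO::FETCH_ASSOC);
  return (string) ($row['Value'] ?? '');
}
try {
  $cipher = mysql_tls_cipher($databases['default']['default']);
} catch (PDOException $e) {
  // A bare "SQLSTATE[HY000] [2002]" here usually means the server certificate
  // failed verification against the CA (wrong CA file or hostname mismatch).
  fwrite(STDERR, 'Connection failed: ' . $e->getMessage() . "\n");
  exit(1);
}
if ($cipher === '') {
  fwrite(STDERR, "Connected, but the session is NOT encrypted.\n");
  exit(1);
}
echo "TLS session established with cipher $cipher\n";
```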
Comment #32
songbintaochina@gmail.com CreditAttribution: songbintaochina@gmail.com as a volunteer commented
Same issue as #7.
Environment:
OS: RHEL 6
MySQL: 5.7.20
Drupal: 8.4.2
Can anyone share how it works ?
Comment #35
mathiasgmeiner CreditAttribution: mathiasgmeiner commented
Here is the solution: https://www.kamenov.biz/php-application-cannot-connect-to-mysql-over-ssl/
Comment #36
rjbrown99 CreditAttribution: rjbrown99 commented
There is another use case that I can't seem to work around: the requirement to use SSL options during Drupal installation. Tested with 8.6.13.
Steps to reproduce:
1) Create mysql/mariadb instance with empty database table per INSTALL.mysql.txt, on a SQL instance that requires SSL connections.
2) Start the Drupal installation process via install.php.
3) Arrive at the database configuration screen, notice that there are no options to input PDO parameters.
OK, nothing in the UI. Let's edit the settings.php file directly and just insert the PDO statements.
1) cp default.settings.php settings.php
2) Edit settings.php, add the PDO parameters to the database array in the file per the instructions on this thread (and I know they are correct, tested with a D7 install using the same SQL instance)
3) Visit the install.php installer, and now notice that "Drupal already installed" - the installer won't proceed.
Unless I'm missing something, there is a check in the installer that would also need to be changed so it does not think Drupal is already installed when you add the PDO statements to an otherwise vanilla settings.php file.
Comment #37
JWSmith CreditAttribution: JWSmith as a volunteer commented
As long as no DB tables are present, I've never had an issue with configuring the DB settings prior to installing. Having said that, I haven't tried that method on D8 installs. We no longer use the PDO SSL method for making SSL DB connections, as making SSL-based connections to MySQL/MariaDB is very expensive in terms of time to connect. This has been well documented and is caused by the setup and tear-down of the SSL connection protocols.
We still use SSL connections, but we do so through SSL tunnels provided by STUNNEL. Basically Drupal connects to 127.0.0.1:3306, which is really a tunnel provided by STUNNEL to the backend MariaDB server listening on 127.0.0.1:3306. You would then set up users on MariaDB as 'localhost' users only, further securing the DBs.
Comment #38
cdeces CreditAttribution: cdeces as a volunteer commented
I have issues with the initial installation process when using a REQUIRED SSL connection.
I had the following database configuration on a fresh settings.php (copied from default.settings.php)
The installation process goes through the following steps:
1/ language selection (2 tables created in the database -> yippy connection is working)
2/ requirement checked (OPcache is not installed)
3/ database information form which displays the information present in settings.php, but without the pdo details ...
continue -> Drupal already installed (apache error logs shows SSL connection is required, even though few more tables have been created in the process)
I would suggest that only PDO::MYSQL_ATTR_SSL_CA be marked as required.
There is also something in the install process (maybe in SiteSettingsForm.php) that is not compatible with pdo details.
Thanks
Comment #41
RoSk0
I want to stress that various examples and suggestions that using
\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false
is a solution are actually wrong. This attribute turns off server host name verification against the CN from the certificate, which is a crucial part of establishing a secure connection. PHP has good defaults in this regard, e.g. it's enabled by default when the
PDO::MYSQL_ATTR_SSL_CA
attribute is supplied (and yes, PDO::MYSQL_ATTR_SSL_CA is the only required attribute to instruct PDO to establish a secure connection), but, in some cases, falls short when this verification fails, returning SQLSTATE[HY000] [2002] without any message. Check that your secure connection is actually secure with the MySQL client by adding the --ssl-ca parameter specifying the path to your CA certificate and --ssl-mode=VERIFY_IDENTITY, like
mysql --user=user --database=db_name --host=db-host --port=3306 --ssl-ca=/mnt/secrets/ca-cert -A --ssl-mode=VERIFY_IDENTITY
- it has more details in the output.
Comment #43
cafuego CreditAttribution: cafuego at United Nations commented
On a related note, I have opened an issue to make the site status report show MySQL TLS/SSL info: #3268481: Include database SSL/TLS info on status report.
Comment #44
ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commented
Added reroll of patch #29 on Drupal 9.4.x.
Comment #48
steinmb CreditAttribution: steinmb at University Of Bergen commented
I am a little confused here. In #850600: PostgreSQL driver doesn't support SSL option there is an indication that there is no SSL support, but in this issue we have