Merge pull request #3481 from marianrh/feature/optionally-disable-mysql-server-certificate-validation

Allow disabling MySQL server certificate validation by setting ssl_do_not_verify_server_cert

application/forms/Config/Resource/DbResourceForm.php

@@ -176,6 +176,18 @@ class DbResourceForm extends Form
                 )
             );
             if (isset($formData['use_ssl']) && $formData['use_ssl']) {
+                if (defined('\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT')) {
+                    $this->addElement(
+                        'checkbox',
+                        'ssl_do_not_verify_server_cert',
+                        array(
+                            'label'             => $this->translate('SSL Do Not Verify Server Certificate'),
+                            'description'       => $this->translate(
+                                'Whether to disable verification of the server certificate'
+                            )
+                        )
+                    );
+                }
                 $this->addElement(
                     'text',
                     'ssl_key',

application/locale/de_DE/LC_MESSAGES/icinga.po

@@ -3868,3 +3868,11 @@ msgstr "umschalten"
 
 #~ msgid "for"
 #~ msgstr "für"
+
+#: ../../../../application/forms/Config/Resource/DbResourceForm.php:176
+msgid "SSL Do Not Verify Server Certificate"
+msgstr "SSL-Serverzertifikat nicht verifizieren"
+
+#: ../../../../application/forms/Config/Resource/DbResourceForm.php:178
+msgid "Whether to disable verification of the server certificate"
+msgstr "Die Verifikation des Serverzertifikats deaktivieren"

doc/04-Resources.md

@@ -23,21 +23,22 @@ ssh                      | Manage [SSH](04-Resources.md#resources-configuration-
 A Database resource defines a connection to a SQL database which
 can contain users and groups to handle authentication and authorization, monitoring data or user preferences.
 
-Option                   | Description
--------------------------|-----------------------------------------------
-type                     | **Required.** Specifies the resource type. Must be set to `db`.
-db                       | **Required.** Database type. In most cases `mysql` or `pgsql`.
-host                     | **Required.** Connect to the database server on the given host. For using unix domain sockets, specify `localhost` for MySQL and the path to the unix domain socket directory for PostgreSQL.
-port                     | **Required.** Port number to use. MySQL defaults to `3306`, PostgreSQL defaults to `5432`. Mandatory for connections to a PostgreSQL database.
-username                 | **Required.** The database username.
-password                 | **Required.** The database password.
-dbname                   | **Required.** The database name.
-charset                  | **Optional.** The character set for the database connection.
-ssl\_cert                | **Optional.** The file path to the SSL certificate. Only available for the `mysql` database.
-ssl\_key                 | **Optional.** The file path to the SSL key. Only available for the `mysql` database.
-ssl\_ca                  | **Optional.** The file path to the SSL certificate authority. Only available for the `mysql` database.
-ssl\_capath              | **Optional.** The file path to the directory that contains the trusted SSL CA certificates, which are stored in PEM format.Only available for the `mysql` database.
-ssl\_cipher              | **Optional.** A list of one or more permissible ciphers to use for SSL encryption, in a format understood by OpenSSL. For example: `DHE-RSA-AES256-SHA:AES128-SHA`. Only available for the `mysql` database.
+Option                              | Description
+------------------------------------|------------
+type                                | **Required.** Specifies the resource type. Must be set to `db`.
+db                                  | **Required.** Database type. In most cases `mysql` or `pgsql`.
+host                                | **Required.** Connect to the database server on the given host. For using unix domain sockets, specify `localhost` for MySQL and the path to the unix domain socket directory for PostgreSQL.
+port                                | **Required.** Port number to use. MySQL defaults to `3306`, PostgreSQL defaults to `5432`. Mandatory for connections to a PostgreSQL database.
+username                            | **Required.** The database username.
+password                            | **Required.** The database password.
+dbname                              | **Required.** The database name.
+charset                             | **Optional.** The character set for the database connection.
+ssl\_do\_not\_verify\_server\_cert  | **Optional.** Disable validation of the server certificate. Only available for the `mysql` database and on PHP versions > 5.6.
+ssl\_cert                           | **Optional.** The file path to the SSL certificate. Only available for the `mysql` database.
+ssl\_key                            | **Optional.** The file path to the SSL key. Only available for the `mysql` database.
+ssl\_ca                             | **Optional.** The file path to the SSL certificate authority. Only available for the `mysql` database.
+ssl\_capath                         | **Optional.** The file path to the directory that contains the trusted SSL CA certificates, which are stored in PEM format.Only available for the `mysql` database.
+ssl\_cipher                         | **Optional.** A list of one or more permissible ciphers to use for SSL encryption, in a format understood by OpenSSL. For example: `DHE-RSA-AES256-SHA:AES128-SHA`. Only available for the `mysql` database.
 
 
 #### Example <a id="resources-configuration-database-example"></a>

library/Icinga/Data/Db/DbConnection.php

@@ -185,6 +185,11 @@ class DbConnection implements Selectable, Extensible, Updatable, Reducible, Insp
                     if ($this->config->ssl_cipher) {
                         $adapterParamaters['driver_options'][PDO::MYSQL_ATTR_SSL_CIPHER] = $this->config->ssl_cipher;
                     }
+                    if (defined('PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT')
+                        && $this->config->ssl_do_not_verify_server_cert
+                    ) {
+                        $adapterParamaters['driver_options'][PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = false;
+                    }
                 }
                 /*
                  * Set MySQL server SQL modes to behave as closely as possible to Oracle and PostgreSQL. Note that the

modules/monitoring/library/Monitoring/BackendStep.php

@@ -114,6 +114,16 @@ class BackendStep extends Step
                 . '<td>' . str_repeat('*', strlen($this->data['resourceConfig']['password'])) . '</td>'
                 . '</tr>';
 
+            if (defined('\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT')
+                && isset($this->data['resourceConfig']['ssl_do_not_verify_server_cert'])
+                && $this->data['resourceConfig']['ssl_do_not_verify_server_cert']
+            ) {
+                $resourceHtml .= ''
+                    . '<tr>'
+                    . '<td><strong>' . t('SSL Do Not Verify Server Certificate') . '</strong></td>'
+                    . '<td>' . $this->data['resourceConfig']['ssl_do_not_verify_server_cert'] . '</td>'
+                    . '</tr>';
+            }
             if (isset($this->data['resourceConfig']['ssl_key']) && $this->data['resourceConfig']['ssl_key']) {
                 $resourceHtml .= ''
                     .'<tr>'

modules/setup/library/Setup/Steps/ResourceStep.php

@@ -91,6 +91,16 @@ class ResourceStep extends Step
                 . '<td>' . str_repeat('*', strlen($this->data['dbResourceConfig']['password'])) . '</td>'
                 . '</tr>';
 
+            if (defined('\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT')
+                && isset($this->data['resourceConfig']['ssl_do_not_verify_server_cert'])
+                && $this->data['resourceConfig']['ssl_do_not_verify_server_cert']
+            ) {
+                $dbHtml .= ''
+                    . '<tr>'
+                    . '<td><strong>' . t('SSL Do Not Verify Server Certificate') . '</strong></td>'
+                    . '<td>' . $this->data['resourceConfig']['ssl_do_not_verify_server_cert'] . '</td>'
+                    . '</tr>';
+            }
             if (isset($this->data['dbResourceConfig']['ssl_key']) && $this->data['dbResourceConfig']['ssl_key']) {
                 $dbHtml .= ''
                     .'<tr>'

modules/setup/library/Setup/Utils/DbTool.php

@@ -280,6 +280,11 @@ class DbTool
                 if ($this->config['ssl_cipher']) {
                     $config['driver_options'][PDO::MYSQL_ATTR_SSL_CIPHER] = $this->config['ssl_cipher'];
                 }
+                if (defined('PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT')
+                    && $this->config['ssl_do_not_verify_server_cert']
+                ) {
+                    $config['driver_options'][PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = false;
+                }
             }
             $this->zendConn = new Zend_Db_Adapter_Pdo_Mysql($config);
         } elseif ($this->config['db'] === 'pgsql') {
@@ -330,6 +335,11 @@ class DbTool
             if ($this->config['ssl_cipher']) {
                 $driverOptions[PDO::MYSQL_ATTR_SSL_CIPHER] = $this->config['ssl_cipher'];
             }
+            if (defined('PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT')
+                && $this->config['ssl_do_not_verify_server_cert']
+            ) {
+                $driverOptions[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = false;
+            }
         }
 
         $this->pdoConn = new PDO(