Restores support for SSL MySQL connections in Silverstripe 4
Silverstripe 4 does not allow MySQL connections over SSL. The feature was removed during the early betas for unknown reasons and has not yet been restored. An issue has been raised but remains unfixed. This module adds that support back in.
composer require elliotsawyer/silverstripe-mysql-ssl
Set the following variables in your .env
SS_DATABASE_CLASS="ElliotSawyer\SSLMySQLDatabase\SSLMySQLDatabase" #this must be an IP address, localhost will not work SS_DATABASE_SERVER="127.0.0.1" SS_DATABASE_USERNAME="..." SS_DATABASE_PASSWORD="..." SS_DATABASE_SSL_KEY="/path/to/client-key.pem" SS_DATABASE_SSL_CERT="/path/to/client-cert.pem" SS_DATABASE_SSL_CA="/path/to/ca-cert.pem"
If the certificates and key are not defined, the database will connect without the SSL connection.
PDO will not work (see below) - you must use MySQLi. By default MySQLi will attempt verify your SSL certificate before connecting. You will need to disable this if you are using self-signed certificates.
ElliotSawyer\SSLMySQLDatabase\SSL_MySQLiConnector: verify_ssl_certificate: false
When your webserver and MySQL are on the same server, communication is done through socket connections and SSL is mostly irrelevant. MySQLi expects an IP address when using SSL, so use 127.0.0.1 in this case.
For connections over a network, you must use an IP address or database host as the hostname.
If you see an error
this stream does not support SSL/crypto, this is the most likely cause.
When using PDO with SSL, PHP aborts with a "Trap 6" error. This is usually due to use of unverified certs, and may be related to non-existed hostnames in the CN attributes of the cert. A flag exists to override this behaviour but does not seem to work in some recent versions of PHP.
MySQLi has a similar issue, but its flag does work. As such, this module requires you to use MySQLiConnector instead of PDOConnector. In practice, this should not be an issue because Silverstripe's ORM will handle database abstraction.
You can verify that the secure connection is working by running the following SQL command:
DB::query("SHOW STATUS LIKE '%ssl_cipher'");. If you are connected via SSL, you will get an array with one result:
[ Variable_name => Ssl_cipher, Value => DHE-RSA-AES256-SHA ]
If you have the environmentcheck module installed, this is checked automatically and fails if an unsecured connection is used.
Contributions are more than welcome! Please raise some issues or create pull requests on the Github repo.
Need some extra help or just love my work? Consider shouting me a coffee or a small donation if this module helped you solve a problem. I accept cryptocurrency at the following addresses:
Module rating system helping users find modules that are well supported. For more on how the rating system works visit Module standards
Score not correct? Let us know there is a problem