Allow MySQL to use SSL connections

diff --git a/src/collectd.conf.in b/src/collectd.conf.in
index e3f2aa33505432fe405e996a17a75b6aa4c15fa2..8eb08a6f700cd0d897fc904ed08f640a90addd7c 100644 (file)
--- a/src/collectd.conf.in
+++ b/src/collectd.conf.in
@@ -738,6 +738,11 @@
 #              User "db_user"
 #              Password "secret"
 #              Database "db_name"
+#              SSLKey "/path/to/key.pem"
+#              SSLCert "/path/to/cert.pem"
+#              SSLCA "/path/to/ca.pem"
+#              SSLCAPath "/path/to/cas/"
+#              SSLCipher "DHE-RSA-AES256-SHA"
 #              MasterStats true
 #              ConnectTimeout 10
 #              InnodbStats true

diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod
index 6ada5f16981629f0c34e416421c2f63d5539758c..f3ff4bb9f3fc757d3887e83f200a23729dbf417c 100644 (file)
--- a/src/collectd.conf.pod
+++ b/src/collectd.conf.pod
@@ -3734,6 +3734,11 @@ Synopsis:
       Port "3306"
       MasterStats true
       ConnectTimeout 10
+      SSLKey "/path/to/key.pem"
+      SSLCert "/path/to/cert.pem"
+      SSLCA "/path/to/ca.pem"
+      SSLCAPath "/path/to/cas/"
+      SSLCipher "DHE-RSA-AES256-SHA"
     </Database>
 
     <Database bar>
@@ -3755,7 +3760,8 @@ Synopsis:
 A B<Database> block defines one connection to a MySQL database. It accepts a
 single argument which specifies the name of the database. None of the other
 options are required. MySQL will use default values as documented in the
-section "mysql_real_connect()" in the B<MySQL reference manual>.
+"mysql_real_connect()" and "mysql_ssl_set()" sections in the
+B<MySQL reference manual>.
 
 =over 4
 
@@ -3830,6 +3836,26 @@ or SQL threads are not running. Defaults to B<false>.
 
 Sets the connect timeout for the MySQL client.
 
+=item B<SSLKey> I<Path>
+
+If provided, the X509 key in PEM format.
+
+=item B<SSLCert> I<Path>
+
+If provided, the X509 cert in PEM format.
+
+=item B<SSLCA> I<Path>
+
+If provided, the CA file in PEM format (check OpenSSL docs).
+
+=item B<SSLCAPath> I<Path>
+
+If provided, the CA directory (check OpenSSL docs).
+
+=item B<SSLCipher> I<String>
+
+If provided, the SSL cipher to use.
+
 =back
 
 =head2 Plugin C<netapp>

diff --git a/src/mysql.c b/src/mysql.c
index 6ba30057d7f343c8b55c9859fcadd81a5f074949..2ad91ca3f0c90c9e67e882cf8f30b4877de65abc 100644 (file)
--- a/src/mysql.c
+++ b/src/mysql.c
@@ -47,6 +47,14 @@ struct mysql_database_s /* {{{ */
        char *user;
        char *pass;
        char *database;
+       
+       // mysql_ssl_set params
+       char *key;
+       char *cert;
+       char *ca;
+       char *capath;
+       char *cipher;
+
        char *socket;
        int   port;
        int   timeout;
@@ -88,6 +96,11 @@ static void mysql_database_free (void *arg) /* {{{ */
        sfree (db->socket);
        sfree (db->instance);
        sfree (db->database);
+       sfree (db->key);
+       sfree (db->cert);
+       sfree (db->ca);
+       sfree (db->capath);
+       sfree (db->cipher);
        sfree (db);
 } /* }}} void mysql_database_free */
 
@@ -127,6 +140,12 @@ static int mysql_config_database (oconfig_item_t *ci) /* {{{ */
        db->user     = NULL;
        db->pass     = NULL;
        db->database = NULL;
+       db->key      = NULL;
+       db->cert     = NULL;
+       db->ca       = NULL;
+       db->capath   = NULL;
+       db->cipher   = NULL;
+
        db->socket   = NULL;
        db->con      = NULL;
        db->timeout  = 0;
@@ -169,6 +188,16 @@ static int mysql_config_database (oconfig_item_t *ci) /* {{{ */
                        status = cf_util_get_string (child, &db->socket);
                else if (strcasecmp ("Database", child->key) == 0)
                        status = cf_util_get_string (child, &db->database);
+               else if (strcasecmp ("SSLKey", child->key) == 0)
+                       status = cf_util_get_string (child, &db->key);
+               else if (strcasecmp ("SSLCert", child->key) == 0)
+                       status = cf_util_get_string (child, &db->cert);
+               else if (strcasecmp ("SSLCA", child->key) == 0)
+                       status = cf_util_get_string (child, &db->ca);
+               else if (strcasecmp ("SSLCAPath", child->key) == 0)
+                       status = cf_util_get_string (child, &db->capath);
+               else if (strcasecmp ("SSLCipher", child->key) == 0)
+                       status = cf_util_get_string (child, &db->cipher);
                else if (strcasecmp ("ConnectTimeout", child->key) == 0)
                        status = cf_util_get_int (child, &db->timeout);
                else if (strcasecmp ("MasterStats", child->key) == 0)
@@ -246,6 +275,8 @@ static int mysql_config (oconfig_item_t *ci) /* {{{ */
 
 static MYSQL *getconnection (mysql_database_t *db)
 {
+       const char *cipher;
+       
        if (db->is_connected)
        {
                int status;
@@ -273,6 +304,8 @@ static MYSQL *getconnection (mysql_database_t *db)
        /* Configure TCP connect timeout (default: 0) */
        db->con->options.connect_timeout = db->timeout;
 
+       mysql_ssl_set (db->con, db->key, db->cert, db->ca, db->capath, db->cipher);
+
        if (mysql_real_connect (db->con, db->host, db->user, db->pass,
                                db->database, db->port, db->socket, 0) == NULL)
        {
@@ -284,10 +317,14 @@ static MYSQL *getconnection (mysql_database_t *db)
                return (NULL);
        }
 
+       cipher = mysql_get_ssl_cipher (db->con);
+       
        INFO ("mysql plugin: Successfully connected to database %s "
-                       "at server %s (server version: %s, protocol version: %d)",
+                       "at server %s with cipher %s "
+                       "(server version: %s, protocol version: %d) ",
                        (db->database != NULL) ? db->database : "<none>",
                        mysql_get_host_info (db->con),
+                       (cipher != NULL) ?  cipher : "<none>",
                        mysql_get_server_info (db->con),
                        mysql_get_proto_info (db->con));