From 680c818999f50daa1ad3b80317b101bf0205c441 Mon Sep 17 00:00:00 2001
From: Brian Lalor
Date: Thu, 3 Sep 2015 18:41:21 -0400
Subject: [PATCH] Allow MySQL to use SSL connections
---
src/collectd.conf.in | 5 +++++
src/collectd.conf.pod | 28 +++++++++++++++++++++++++++-
src/mysql.c | 39 ++++++++++++++++++++++++++++++++++++++-
3 files changed, 70 insertions(+), 2 deletions(-)
diff --git a/src/collectd.conf.in b/src/collectd.conf.in
index e3f2aa33..8eb08a6f 100644
--- a/src/collectd.conf.in
+++ b/src/collectd.conf.in
@@ -738,6 +738,11 @@
 # User "db_user"
 # Password "secret"
 # Database "db_name"
+# SSLKey "/path/to/key.pem"
+# SSLCert "/path/to/cert.pem"
+# SSLCA "/path/to/ca.pem"
+# SSLCAPath "/path/to/cas/"
+# SSLCipher "DHE-RSA-AES256-SHA"
 # MasterStats true
 # ConnectTimeout 10
 # InnodbStats true
diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod
index 6ada5f16..f3ff4bb9 100644
--- a/src/collectd.conf.pod
+++ b/src/collectd.conf.pod
@@ -3734,6 +3734,11 @@ Synopsis:
 Port "3306"
 MasterStats true
 ConnectTimeout 10
+ SSLKey "/path/to/key.pem"
+ SSLCert "/path/to/cert.pem"
+ SSLCA "/path/to/ca.pem"
+ SSLCAPath "/path/to/cas/"
+ SSLCipher "DHE-RSA-AES256-SHA"
@@ -3755,7 +3760,8 @@ Synopsis:
 A B block defines one connection to a MySQL database. It accepts a
 single argument which specifies the name of the database. None of the other
 options are required. MySQL will use default values as documented in the
-section "mysql_real_connect()" in the B.
+"mysql_real_connect()" and "mysql_ssl_set()" sections in the
+B.
 =over 4
@@ -3830,6 +3836,26 @@ or SQL threads are not running. Defaults to B.
 Sets the connect timeout for the MySQL client.
+=item B I + If provided, the X509 key in PEM format. + =item B I + If provided, the X509 cert in PEM format. + =item B I + If provided, the CA file in PEM format (check OpenSSL docs). + =item B I + If provided, the CA directory (check OpenSSL docs). + =item B I + If provided, the SSL cipher to use. + =back =head2 Plugin C
diff --git a/src/mysql.c b/src/mysql.c
index 6ba30057..2ad91ca3 100644
--- a/src/mysql.c
+++ b/src/mysql.c
@@ -47,6 +47,14 @@ struct mysql_database_s /* {{{ */
 char *user;
 char *pass;
 char *database;
+
+ // mysql_ssl_set params
+ char *key;
+ char *cert;
+ char *ca;
+ char *capath;
+ char *cipher;
+
 char *socket;
 int port;
 int timeout;
@@ -88,6 +96,11 @@ static void mysql_database_free (void *arg) /* {{{ */
 sfree (db->socket);
 sfree (db->instance);
 sfree (db->database);
+ sfree (db->key);
+ sfree (db->cert);
+ sfree (db->ca);
+ sfree (db->capath);
+ sfree (db->cipher);
 sfree (db);
 } /* }}} void mysql_database_free */
@@ -127,6 +140,12 @@ static int mysql_config_database (oconfig_item_t *ci) /* {{{ */
 db->user = NULL;
 db->pass = NULL;
 db->database = NULL;
+ db->key = NULL;
+ db->cert = NULL;
+ db->ca = NULL;
+ db->capath = NULL;
+ db->cipher = NULL;
+
 db->socket = NULL;
 db->con = NULL;
 db->timeout = 0;
@@ -169,6 +188,16 @@ static int mysql_config_database (oconfig_item_t *ci) /* {{{ */
 status = cf_util_get_string (child, &db->socket);
 else if (strcasecmp ("Database", child->key) == 0)
 status = cf_util_get_string (child, &db->database);
+ else if (strcasecmp ("SSLKey", child->key) == 0)
+ status = cf_util_get_string (child, &db->key);
+ else if (strcasecmp ("SSLCert", child->key) == 0)
+ status = cf_util_get_string (child, &db->cert);
+ else if (strcasecmp ("SSLCA", child->key) == 0)
+ status = cf_util_get_string (child, &db->ca);
+ else if (strcasecmp ("SSLCAPath", child->key) == 0)
+ status = cf_util_get_string (child, &db->capath);
+ else if (strcasecmp ("SSLCipher", child->key) == 0)
+ status = cf_util_get_string (child, &db->cipher);
 else if (strcasecmp ("ConnectTimeout", child->key) == 0)
 status = cf_util_get_int (child, &db->timeout);
 else if (strcasecmp ("MasterStats", child->key) == 0)
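Review bot: The new field comment `// mysql_ssl_set params` is the only C++-style comment in a struct that otherwise uses `/* ... */` (see `/* {{{ */` on the struct line), and it does not say who owns the five strings. Suggest `/* mysql_ssl_set() arguments; heap strings owned by this struct and released in mysql_database_free() */`, which matches the sfree() calls added in the second hunk of this file and the cf_util_get_string() assignments in the fourth. struct mysql_database_s continues outside this hunk.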
@@ -246,6 +275,8 @@ static int mysql_config (oconfig_item_t *ci) /* {{{ */
 static MYSQL *getconnection (mysql_database_t *db)
 {
+ const char *cipher;
+
 if (db->is_connected)
 {
 int status;
@@ -273,6 +304,8 @@ static MYSQL *getconnection (mysql_database_t *db)
 /* Configure TCP connect timeout (default: 0) */
 db->con->options.connect_timeout = db->timeout;
+ mysql_ssl_set (db->con, db->key, db->cert, db->ca, db->capath, db->cipher);
+
 if (mysql_real_connect (db->con, db->host, db->user, db->pass, db->database,
 db->port, db->socket, 0) == NULL)
 {
@@ -284,10 +317,14 @@ static MYSQL *getconnection (mysql_database_t *db)
 return (NULL);
 }
+ cipher = mysql_get_ssl_cipher (db->con);
+
 INFO ("mysql plugin: Successfully connected to database %s "
- "at server %s (server version: %s, protocol version: %d)",
+ "at server %s with cipher %s "
+ "(server version: %s, protocol version: %d) ",
 (db->database != NULL) ? db->database : "",
 mysql_get_host_info (db->con),
+ (cipher != NULL) ? cipher : "",
 mysql_get_server_info (db->con),
 mysql_get_proto_info (db->con));
-- 
2.30.2
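Review bot: The `mysql_ssl_set ()` call only requests TLS; `mysql_real_connect ()` still passes `0` as client flags and no `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` option is set, so a server that does not offer SSL, or a session negotiated without it, is accepted with the authentication exchange and every later query travelling unencrypted, and the last hunk of this file then only logs an empty cipher name. When any of `db->key`, `db->cert`, `db->ca`, `db->capath` or `db->cipher` is configured, a NULL result from `mysql_get_ssl_cipher ()` should be treated as a connection failure, as sketched below against the last hunk. Whether a CA file also gets the server certificate checked depends on the linked client library; where `mysql_options ()` accepts `MYSQL_OPT_SSL_VERIFY_SERVER_CERT`, enabling it whenever `db->ca` or `db->capath` is set is the usual way to bind the session to the configured server. Calling `mysql_ssl_set ()` unconditionally may also switch instances with no SSL option at all into SSL mode, depending on the client library, so guarding the call with the same any-option check keeps the previous behaviour for them. getconnection begins before this hunk and continues after it.
```c
	cipher = mysql_get_ssl_cipher (db->con);
	/* SSL options were configured but the client library negotiated a
	 * plaintext session: drop it so the misconfiguration is visible instead
	 * of silently running queries unencrypted. */
	if ((cipher == NULL)
			&& ((db->key != NULL) || (db->cert != NULL) || (db->ca != NULL)
				|| (db->capath != NULL) || (db->cipher != NULL)))
	{
		ERROR ("mysql plugin: SSL was configured for database %s "
				"but the connection to server %s is not encrypted.",
				(db->database != NULL) ? db->database : "",
				mysql_get_host_info (db->con));
		mysql_close (db->con);
		db->con = NULL;
		return (NULL);
	}
	/* … unchanged: INFO log line … */
```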
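Review bot: The second new format-string fragment, `"(server version: %s, protocol version: %d) "`, ends with a space that the replaced line did not have, so every successful-connection log line now carries a trailing blank. Also, substituting `""` when `mysql_get_ssl_cipher ()` returns NULL leaves `with cipher ` followed by nothing, which is easy to miss when scanning logs for unencrypted connections; `(cipher != NULL) ? cipher : "none"` makes the plaintext case explicit. getconnection continues beyond this hunk.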