Currently it's not possible to use SSL for Bugzilla MySQL connections, even though MySQL supports that (and I guess MySQL is what the vast majority of Bugzilla installations uses). This feature helps to provide defense in depth and make Bugzilla data more secure even in case of network perimeter breach.

The proposed patch adds this capability and I'm interested in getting your feedback as to the correctness of the approach I took and potential inclusion into mainline.

The patch adds 4 parameters into localconfig, which correspond to DBD::mysql SSL-related parameters + logic into Mysql.pm to apply those parameters to connection. As long as localconfig typically includes more generic settings, I was hesitant to use it (after all MySQL is just one of the supported DBs) and was initially thinking about creating an extension instead, which would provide the GUI config page under Administration/Parameters instead of localconfig + introduce the same change into Mysql.pm (or redefine the Mysql.pm::new() within the extension), however that looked even less elegant, so I went the way you see in the patch.

This is tested to apply cleanly & work fine on 4.2.6 and trunk.
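The mapping described above, from localconfig settings to DBD::mysql SSL options on the connection string, can be sketched as follows. This is an added example, not the code from the attached patch: the `db_mysql_ssl_*` key names are assumed for illustration, and the readability and key-permission checks are additions that the description does not mention.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Assumed localconfig key names (not taken from the patch) mapped to the
# DBD::mysql DSN options they would feed.
my %SSL_OPTION_FOR = (
    db_mysql_ssl_ca_file     => 'mysql_ssl_ca_file',
    db_mysql_ssl_ca_path     => 'mysql_ssl_ca_path',
    db_mysql_ssl_client_cert => 'mysql_ssl_client_cert',
    db_mysql_ssl_client_key  => 'mysql_ssl_client_key',
);

# Build a DBD::mysql DSN, enabling SSL only when at least one SSL setting
# is present, and rejecting paths that cannot be used safely.
sub build_mysql_dsn {
    my ($lc) = @_;
    my $dsn = "dbi:mysql:host=$lc->{db_host};database=$lc->{db_name}";
    $dsn .= ";port=$lc->{db_port}" if $lc->{db_port};

    my @ssl;
    for my $key (sort keys %SSL_OPTION_FOR) {
        my $path = $lc->{$key};
        next unless defined $path && length $path;
        die "$key: '$path' contains ';', which would split the DSN\n"
            if $path =~ /;/;
        die "$key: '$path' does not exist or is not readable\n" unless -r $path;
        if ($key eq 'db_mysql_ssl_client_key') {
            my $mode = (stat $path)[2] & 07777;
            die sprintf("%s: mode %04o lets group/other use the private key\n", $key, $mode)
                if $mode & 0077;
        }
        push @ssl, "$SSL_OPTION_FOR{$key}=$path";
    }
    $dsn .= join ';', '', 'mysql_ssl=1', @ssl if @ssl;
    return $dsn;
}

# Constructed sample configuration; a temporary file stands in for the CA bundle.
my (undef, $ca_file) = tempfile(UNLINK => 1);
my %localconfig = (
    db_host              => 'db.example.internal',
    db_name              => 'bugs',
    db_mysql_ssl_ca_file => $ca_file,
);
print build_mysql_dsn(\%localconfig), "\n";
```

The returned string is what would be handed to `DBI->connect` together with the database user and password.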
Created attachment 791475
Proposed solution v1

Setting Dave as reviewer as he's the first one in the reviewers list, apologize if the choice is incorrect and please reassign or let me know who to ask for a review in this case.
Attachment #791475 - Flags: review?(dkl)
Assignee: database → aleksandr.v.tereschenko
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Target Milestone: --- → Bugzilla 4.4
Thank you for the patch.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/DB/Mysql.pm
modified Bugzilla/Install/Localconfig.pm
modified template/en/default/setup/strings.txt.pl
Committed revision 8803.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Great, thank you Simon and Byron for the review.
Added to relnotes for 5.0rc1.