MySQL SSL connection

I have a site that uses MySQL, and the MySQL server has changed to only allow SSL connections. There doesn’t seem to be an option for supplying SSL certificates in the Kirby database class. Am I correct in thinking that I’ll have to patch the database class in order to get SSL support?

Welcome back to the forum. :wave:

To answer your question, we need to know which Kirby version (2 or 3) you are using.

Also: Does the MySQL setup really require SSL client certificates (REQUIRE X509, REQUIRE ISSUER or REQUIRE SUBJECT) or just an SSL connection (REQUIRE SSL)? The latter will support password authentication, so the Kirby Database class should still work.

Hi, thanks for your reply.

I am using:

| Component | Version |
|---|---|
| Kirby Toolkit | v2.5.12 |
| Kirby CMS | v2.5.12 |

I think MySQL does require SSL client certificates.
I can connect through the mysql client using the certificates but not with Kirby.

mysql-cli connects normally but Kirby gets:

SQLSTATE[HY000] [1045] Access denied for user

I guess we need a new db.options parameter, to be used like this:

```php
// config.php
c::set('db.options', array(
    PDO::MYSQL_ATTR_SSL_KEY  => '/etc/mysql/ssl/client-key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/etc/mysql/ssl/client-cert.pem',
    PDO::MYSQL_ATTR_SSL_CA   => '/etc/mysql/ssl/ca-cert.pem'
));

// toolkit/blob/master/lib/database.php
$this->connection = new PDO($this->dsn, $options['user'], $options['password'], $options['options']);
```

I did almost the same but I also changed db.php to get options from config.

```php
// db.php
public static function connect($params = null) {
  if(is_null($params) && !is_null(static::$connection)) return static::$connection;
  if(is_null($params)) {

    // try to connect with the default connection settings
    $params = array(
      'type'     => c::get('db.type', 'mysql'),
      'host'     => c::get('db.host', 'localhost'),
      'user'     => c::get('db.user', 'root'),
      'password' => c::get('db.password', ''),
      'database' => c::get('db.name', ''),
      'prefix'   => c::get('db.prefix', ''),
      'PDO::MYSQL_ATTR_SSL_KEY'    => c::get('MYSQL_ATTR_SSL_KEY', ''),
      'PDO::MYSQL_ATTR_SSL_CERT'   => c::get('MYSQL_ATTR_SSL_CERT', ''),
      'PDO::MYSQL_ATTR_SSL_CA'     => c::get('MYSQL_ATTR_SSL_CA', ''),
      // the default of false means the server certificate is not verified
      'PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT'  => c::get('MYSQL_ATTR_SSL_VERIFY_SERVER_CERT', false),
    );

  }

  return static::$connection = new Database($params);

}
```

I also added MYSQL_ATTR_SSL_VERIFY_SERVER_CERT

```php
// database.php
$ssl_options = array(
  PDO::MYSQL_ATTR_SSL_KEY => $params['PDO::MYSQL_ATTR_SSL_KEY'],
  PDO::MYSQL_ATTR_SSL_CERT => $params['PDO::MYSQL_ATTR_SSL_CERT'],
  PDO::MYSQL_ATTR_SSL_CA => $params['PDO::MYSQL_ATTR_SSL_CA'],
  PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => $params['PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT']
);

$this->connection = new PDO($this->dsn, $options['user'], $options['password'], $ssl_options);
```

I didn’t test it. Does it work properly with that modification?

Yes it works now.

This setup with actual client certs being required is indeed not supported by Kirby at the moment.

We most likely won’t add this feature to Kirby 2, but I have created an idea issue for Kirby 3. As this is a rather edge-case setup that few people use (no one has suggested this feature so far), I’m not sure if we should add it to the core though as it increases complexity. Let’s see how many upvotes this gets.
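
A fail-closed way to build the PDO options discussed in this thread and to confirm that the session is actually encrypted, as an added example that is not part of the original posts or of Kirby; the function names and the `ssl_*` config keys are hypothetical.

```php
<?php
// Added example: the helper names and the ssl_* config keys are hypothetical, not Kirby's API.

// Build PDO MySQL TLS options from a config array; throw instead of falling back to defaults.
function mysql_tls_options(array $cfg): array {
    $map = [
        'ssl_key'  => PDO::MYSQL_ATTR_SSL_KEY,
        'ssl_cert' => PDO::MYSQL_ATTR_SSL_CERT,
        'ssl_ca'   => PDO::MYSQL_ATTR_SSL_CA,
    ];
    $opts = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION];
    foreach ($map as $name => $attr) {
        $path = $cfg[$name] ?? '';
        if ($path === '' || !is_readable($path)) {
            throw new InvalidArgumentException("$name missing or unreadable: '$path'");
        }
        $opts[$attr] = $path;
    }
    // The private key should not be accessible to other local users.
    if ((fileperms($cfg['ssl_key']) & 0007) !== 0) {
        throw new InvalidArgumentException('ssl_key is accessible to all users');
    }
    // Check the server certificate against the CA unless explicitly disabled.
    $opts[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = $cfg['ssl_verify'] ?? true;
    return $opts;
}

// Return the negotiated TLS cipher; throw if the session is not encrypted.
function assert_session_encrypted(PDO $pdo): string {
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_NUM);
    $cipher = $row[1] ?? '';
    if ($cipher === '') {
        throw new RuntimeException('connection is not encrypted');
    }
    return $cipher;
}

// Offline check with constructed temp files standing in for the PEM files.
if (PHP_SAPI === 'cli' && extension_loaded('pdo_mysql')) {
    $files = [];
    foreach (['ssl_key', 'ssl_cert', 'ssl_ca'] as $name) {
        $files[$name] = tempnam(sys_get_temp_dir(), 'tls');
    }
    $opts = mysql_tls_options($files);
    var_dump($opts[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT]);
    array_map('unlink', $files);
    // With a real server: new PDO($dsn, $user, $password, $opts), then assert_session_encrypted($pdo).
}
```

Unlike the patch above, this keeps server certificate verification on by default, so a connection to a server that cannot present a certificate signed by the configured CA fails instead of proceeding.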