🐛 N°8115 - Unattended Install: unable to connect to MySQL with TLS

[tomrss]

Base information

Question	Answer
Related to a SourceForge thead / Another PR / Combodo ticket?	No
Type of change?	Bug fix

Symptom (bug) / Objective (enhancement)

Unattended install process does not support TLS connections to MySQL.

Reproduction procedure (bug)

1. On iTop 3.2.0-2 (not related to version)
2. With PHP 8.3.12 (not related to version)
3. MySQL instance configured with require_secure_transport=ON
4. Setup MySQL connections with TLS (config db_tls.enabled and db_tls.ca)
5. Then launch the setup/unattended-install/unattended-install.php script
6. Finally, see that the TLS connection to MySQL cannot be established:

Fatal error: Uncaught mysqli_sql_exception: Connections using insecure transport are prohibited while --require_secure_transport=ON. in /var/www/html/setup/unattended-install/unattended-install.php:313

Cause (bug)

TLS connection not implemented in the unattended install script:

iTop/setup/unattended-install/unattended-install.php

Lines 220 to 221 in ea5473a

	$oMysqli = new mysqli($sDBServer, $sDBUser, $sDBPwd);
	if ($oMysqli->connect_errno)

and

iTop/setup/unattended-install/unattended-install.php

Lines 313 to 314 in ea5473a

	$oMysqli = new mysqli($sDBServer, $sDBUser, $sDBPwd);
	if (!$oMysqli->connect_errno)

Proposed solution (bug and enhancement)

Add support for TLS connection based on this code in the docs and existing MySQL connection code in the app:

iTop/core/cmdbsource.class.inc.php

Lines 174 to 186 in ea5473a

	$oMysqli = new mysqli();
	if ($bTlsEnabled)
	{
	$iFlags = (empty($sTlsCa))
	? MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
	: MYSQLI_CLIENT_SSL;
	$sTlsCert = null; // not implemented
	$sTlsCaPath = null; // not implemented
	$sTlsCipher = null; // not implemented
	$oMysqli->ssl_set($bTlsEnabled, $sTlsCert, $sTlsCa, $sTlsCaPath, $sTlsCipher);
	}
	$oMysqli->real_connect($sServer, $sUser, $sPwd, '', $iPort, ini_get("mysqli.default_socket"), $iFlags);

Disclaimer: PHP is not my language, sorry if something is broken or strange! Just let me know and I'll fix it.

Checklist before requesting a review

• I have performed a self-review of my code
• I have tested all changes I made on an iTop instance
• I have added a unit test, otherwise I have explained why I couldn't
• Is the PR clear and detailed enough so anyone can understand digging in the code?

[Hipska]

Looks good, may as well make use of the return value of the connect method..

[jf-cbd]

Accepted in functional review, it should be added in iTop 3.2.1.

[rquetiez]

Though the fix is relevant, it would be even more relevant to invoke CMDBSource::GetMysqliInstance to do the job:

1. This refactor is feasible because GetMysqliInstance is purely static. Note that it throws Exceptions in case of failure.
2. There is already another difference between the proposed implementation and the implementation of GetMysqliInstance that is relevant to all use cases. See the call to real_connect on line 186 that takes into account the PHP setting mysqli.default_socket
3. We will automatically benefit from future improvements of GetMysqliInstance

[tomrss]

Thanks for the feedback @rquetiez , i copied the snippet exactly from that class, but I didn't know if coupling with core part was desirable.

I'll implement the requested changes within a couple of days.

[jf-cbd]

Thank you for this contribution @tomrss 😊