MySQL SSL support added

2025-10-23 20:11:17 +02:00 · 2014-08-16 06:51:58 +00:00 · 2014-08-16 06:51:58 +00:00 · 00f2a84f56
commit 00f2a84f56
parent f904f07969
10 changed files with 67 additions and 8 deletions
--- a/1
+++ b/1
@ -2,6 +2,7 @@
 Version 4.1.2.1 'Vitari':
 	- The origin attribute is verified in the subsequent 
 	session messages.
+	- MySQL SSL connection support.
 	- Crash fixed when the DB connection string is incorrect.
 	- Minor docs fixes.
 	
--- a/5
+++ b/5
@ -897,6 +897,11 @@ Or in the turnserver.conf file:

 mysql-userdb="host=localhost dbname=turn user=turn password=turn connect_timeout=30"

+If you have to use a secure MySQL connection (SSL) then you have to use also
+the optional connection string parameters for the secure communications:
+ca, capath, cert, key, cipher (see 
+http://dev.mysql.com/doc/refman/5.0/en/mysql-ssl-set.html for the description).
+
 XVI. MongoDB setup

 The MongoDB setup is well documented on their site http://docs.mongodb.org/manual/. 
--- a/README.turnserver
+++ b/README.turnserver
@ -118,6 +118,10 @@ User database settings:
 		Also, see http://www.mysql.org or http://mariadb.org 
 		for full MySQL documentation.
 		
+		Optional connection string parameters for the secure communications (SSL): 
+		ca, capath, cert, key, cipher 
+		(see http://dev.mysql.com/doc/refman/5.0/en/mysql-ssl-set.html for the description).
+		
 -J, --mongo-userdb	User database connection string for MongoDB. 
 		This database can be used for long-term and short-term 
 		credentials mechanisms, and it can store the secret value 
--- a/2
+++ b/2
@ -102,6 +102,8 @@ compatibility.
 43) MongoDB support added.

 44) Double (dual) allocation added (SSODA draft).
+
+45) Secure MySQL connection implemented.
 
 Things to be implemented in future (the development roadmap) 
 are described in the TODO file.
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@ -263,7 +263,12 @@
 # MySQL database connection string in the case that we are using MySQL
 # as the user database.
 # This database can be used for long-term and short-term credential mechanisms
-# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
+# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+#
+# Optional connection string parameters for the secure communications (SSL): 
+# ca, capath, cert, key, cipher 
+# (see http://dev.mysql.com/doc/refman/5.0/en/mysql-ssl-set.html for the description).
+#
 # Use string format as below (space separated parameters, all optional):
 #
 #mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds>"
--- a/man/man1/turnadmin.1
+++ b/man/man1/turnadmin.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "11 August 2014" "" ""
+.TH TURN 1 "15 August 2014" "" ""
 .SH GENERAL INFORMATION

 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "11 August 2014" "" ""
+.TH TURN 1 "15 August 2014" "" ""
 .SH GENERAL INFORMATION

 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client 
@ -175,6 +175,10 @@ See the INSTALL file for more explanations and examples.
 .PP
 Also, see http://www.mysql.org or http://mariadb.org 
 for full MySQL documentation.
+.PP
+Optional connection string parameters for the secure communications (SSL): 
+ca, capath, cert, key, cipher 
+(see http://dev.mysql.com/doc/refman/5.0/en/mysql\-ssl\-set.html for the description).
 .RE
 .TP
 .B
--- a/man/man1/turnutils.1
+++ b/man/man1/turnutils.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "11 August 2014" "" ""
+.TH TURN 1 "15 August 2014" "" ""
 .SH GENERAL INFORMATION

 A set of turnutils_* programs provides some utility functionality to be used
--- a/src/apps/relay/dbdrivers/dbd_mysql.c
+++ b/src/apps/relay/dbdrivers/dbd_mysql.c
@ -46,6 +46,13 @@ struct _Myconninfo {
 	char *password;
 	unsigned int port;
 	unsigned int connect_timeout;
+	/* SSL ==>> */
+	char *key;
+	char *ca;
+	char *cert;
+	char *capath;
+	char *cipher;
+	/* <<== SSL : see http://dev.mysql.com/doc/refman/5.0/en/mysql-ssl-set.html */
 };

 typedef struct _Myconninfo Myconninfo;
@ -56,6 +63,11 @@ static void MyconninfoFree(Myconninfo *co) {
 		if(co->dbname) turn_free(co->dbname, strlen(co->dbname)+1);
 		if(co->user) turn_free(co->user, strlen(co->user)+1);
 		if(co->password) turn_free(co->password, strlen(co->password)+1);
+		if(co->key) turn_free(co->key, strlen(co->key)+1);
+		if(co->ca) turn_free(co->ca, strlen(co->ca)+1);
+		if(co->cert) turn_free(co->cert, strlen(co->cert)+1);
+		if(co->capath) turn_free(co->capath, strlen(co->capath)+1);
+		if(co->cipher) turn_free(co->cipher, strlen(co->cipher)+1);
 		ns_bzero(co,sizeof(Myconninfo));
 	}
 }
@ -127,6 +139,26 @@ static Myconninfo *MyconninfoParse(char *userdb, char **errmsg) {
 				co->connect_timeout = (unsigned int)atoi(seq+1);
 			else if(!strcmp(s,"timeout"))
 				co->connect_timeout = (unsigned int)atoi(seq+1);
+			else if(!strcmp(s,"key"))
+				co->key = strdup(seq+1);
+			else if(!strcmp(s,"ssl-key"))
+				co->key = strdup(seq+1);
+			else if(!strcmp(s,"ca"))
+				co->ca = strdup(seq+1);
+			else if(!strcmp(s,"ssl-ca"))
+				co->ca = strdup(seq+1);
+			else if(!strcmp(s,"capath"))
+				co->capath = strdup(seq+1);
+			else if(!strcmp(s,"ssl-capath"))
+				co->capath = strdup(seq+1);
+			else if(!strcmp(s,"cert"))
+				co->cert = strdup(seq+1);
+			else if(!strcmp(s,"ssl-cert"))
+				co->cert = strdup(seq+1);
+			else if(!strcmp(s,"cipher"))
+				co->cipher = strdup(seq+1);
+			else if(!strcmp(s,"ssl-cipher"))
+				co->cipher = strdup(seq+1);
 			else {
 				MyconninfoFree(co);
 				co = NULL;
@ -192,6 +224,9 @@ static MYSQL *get_mydb_connection(void) {
 			} else {
 				if(co->connect_timeout)
 					mysql_options(mydbconnection,MYSQL_OPT_CONNECT_TIMEOUT,&(co->connect_timeout));
+				if(co->ca || co->capath || co->cert || co->cipher || co->key) {
+					mysql_ssl_set(mydbconnection, co->key, co->cert, co->ca, co->capath, co->cipher);
+				}
 				MYSQL *conn = mysql_real_connect(mydbconnection, co->host, co->user, co->password, co->dbname, co->port, NULL, CLIENT_IGNORE_SIGPIPE);
 				if(!conn) {
 					TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot open MySQL DB connection: <%s>, runtime error\n",pud->userdb);
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@ -425,8 +425,11 @@ static char Usage[] = "Usage: turnserver [options]\n"
 "	                                	This database can be used for long-term and short-term credentials mechanisms,\n"
 "		                                and it can store the secret value(s) for secret-based timed authentication in TURN RESP API.\n"
 "						The connection string my be space-separated list of parameters:\n"
-"	        	          		\"host=<ip-addr> dbname=<database-name> user=<database-user> \\\n								password=<database-user-password> port=<db-port> connect_timeout=<seconds>\".\n"
-"	        	          		All parameters are optional.\n"
+"	        	          		\"host=<ip-addr> dbname=<database-name> user=<database-user> \\\n								password=<database-user-password> port=<db-port> connect_timeout=<seconds>\".\n\n"
+"						The connection string parameters for the secure communications (SSL):\n"
+"						ca, capath, cert, key, cipher\n"
+"						(see http://dev.mysql.com/doc/refman/5.0/en/mysql-ssl-set.html for the description).\n\n"
+"	        	          		All connection-string parameters are optional.\n\n"
 #endif
 #if !defined(TURN_NO_MONGO)
 " -J, --mongo-userdb	<connection-string>	MongoDB connection string, if used (default - empty, no MongoDB used).\n"
@ -438,8 +441,8 @@ static char Usage[] = "Usage: turnserver [options]\n"
 "	                                	This database can be used for long-term and short-term credentials mechanisms,\n"
 "		                                and it can store the secret value(s) for secret-based timed authentication in TURN RESP API.\n"
 "						The connection string my be space-separated list of parameters:\n"
-"	        	          		\"host=<ip-addr> dbname=<db-number> \\\n								password=<database-user-password> port=<db-port> connect_timeout=<seconds>\".\n"
-"	        	          		All parameters are optional.\n"
+"	        	          		\"host=<ip-addr> dbname=<db-number> \\\n								password=<database-user-password> port=<db-port> connect_timeout=<seconds>\".\n\n"
+"	        	          		All connection-string parameters are optional.\n\n"
 " -O, --redis-statsdb	<connection-string>	Redis status and statistics database connection string, if used \n"
 "						(default - empty, no Redis stats DB used).\n"
 "	                                	This database keeps allocations status information, and it can be also used for publishing\n"