Pull Request for #26888 (comment).
Summary of Changes
This PR fixes 2 issues mentioned in comment #26888 (comment) in Global Configuration, section Database Configuration:
- For field "Connection Encryption", change option texts for 1-way and 2-way from "... encryption" to "... authentication" so it is more clear that "1-way" and "2-way" refers to authentication.
See e.g. here for an explanation: https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/.
1-way means that only the database server is authenticated with a certificate, and 2-way means database server and client are authenticated.
- Change showon condition for the fields "Path to CA File" and "Path to CA folder" so the fields are shown in case if server certificate verification is switched on and authentication is 1-way or 2-way, and not to show them when server certificate verification is switched off.
Right now the fields are only shown if authentication is 2-way, regardless of the server certificate verification. This is wrong because the CA certificate is only used by the client to verify the server certificate.
What is not changed by this PR is that field "Path to CA folder" is not shown if database type is PostgreSQL.
Testing Instructions
Please wait with testing. I will make some changes in the next day or make a new PR.
Code review, or:
- On an installation of current 4.0-dev or last nightly build without this PR applied, go to Global Configuration, tab "Server", section "Database".
- If field "Host" has value "localhost", change it to something different, e.g. "127.0.0.1", so the fields for the database connection encryption options are shown. For the reasson of this see PR #26889 .
- Select value "One-way encryption" for field "Connection Encryption", toggle value of field "Verify Server Certificate" and watch if additional fields are displayed after changes.
Result: No additional fields are displayed after the value of field "Verify Server Certificate" has been changed.
- Select value "Two-way encryption" for field "Connection Encryption" and check which additional fields are displayed.
Result: Additional fields are displayed after the value of field "Connection Encryption" has been changed to "Two-way encryption".
- Change the database type several times so you have checked all 3 types "MySQLi", "MySQL (PDO)" and "PostgreSQL (PDO)", or at least all types which are available in your testing environment, and for each type toggle the value of field "Verify Server Certificate".
Result: When the value of field "Connection Encryption" is "Two-way encryption", fields "Path to Private Key File", "Path to Certificate File" and "Path to CA File" are shown in any case, and 2 more fields "Path to CA Folder" and "Supported Cipher Suite" are only shown for the MySQL types but not for PostreSQL (PDO), all this regardless of the value of field "Verify Server Certificate".
- Close Global Configuration without saving changes.
- Apply the patch for this PR.
- Go again to Global Configuration, tab "Server", section "Database", and change value of field "Host" to something else than "localhost", e.g. "127.0.0.1".
- Select value "One-way authentication" for field "Connection Encryption".
- Change the database type several times so you have checked all 3 types "MySQLi", "MySQL (PDO)" and "PostgreSQL (PDO)", or at least all types which are available in your testing environment, and for each type toggle the value of field "Verify Server Certificate".
Result: When field "Verify Server Certificate" has value "Yes", field "Path to CA File" is shown, and if a MySQL database type is used, also field "Path to CA Folder". When field "Verify Server Certificate" has value "No", these fields are not shown.
- Select value "Two-way authentication" for field "Connection Encryption", and repeat step 10.
Result: Additional fields "Path to Private Key File", "Path to Certificate File" and in case of a MySQL database type also field "Supported Cipher Suite" is shown. For fields "Path to CA File" and "Path to CA Folder" behavior is still the same as in step 10.
- Close Global Configuration without saving changes.
Expected result
Fields "Path to CA File" and "Path to CA Folder" are only shown if "Yes" is chosen for field "Verify Server Certificate" and field "Connection Encryption" has values "One-way authentication" or "Two-way authentication".
The texts misleading texts "One-way encryption" and "Two-way encryption" have been changed to "One-way authentication" or "Two-way authentication".
Actual result
Fields "Path to CA File" and "Path to CA Folder" are only shown if "Two-way encryption" is chosen for field "Connection Encryption", regardless of the value of field "Verify Server Certificate".
The texts "One-way encryption" and "Two-way encryption" are misleading because the connection will be encrypted with both of these values, it is authentication which is done either one or two way.
Documentation Changes Required
None as far as I know, because as far as I know there is no documentation yet for the database connection encryption option in Global Configuration.
Please wait with testing. I will make some changes in the next day or make a new PR. I'll report back here when all is ready.