node-mysql2
Allow SSL certificate file configuration options
Currently the ssl config option requires a string of the contents of the certificate files.
My goal is to use environment variables to establish my database connection (through TypeORM, see https://github.com/typeorm/typeorm/issues/6307).
Unfortunately having the entire contents of the certificates in an environment variable is not feasible because this is thousands of characters.
My feature request: The ability to give a path to the certificate instead of the certificate contents.
This can be either a new key like caFile, or a check on the key if the path resolves to a file or not. For ca, cert and key.
Can you explain why something like passing ssl: { ca: require('fs').readFileSync(process.env.MYSQL_CA_FILE) } won't work for you?
Because I am using pure environment variables for my database configuration. TypeORM reads this either from a .env file or from the environment directly and passes this to Mysql. I cannot add code to this.
It looks like this:
TYPEORM_CONNECTION=mysql
TYPEORM_HOST=db-host.example.com
TYPEORM_DRIVER_EXTRA='{"ssl":{"ca":"...","cert":"...","key":"...","rejectUnauthorized":true}}'
I see.
We could allow something like:
TYPEORM_DRIVER_EXTRA='{"sslConfigPath": "./myConfig.json"}'
What would that myConfig.json file contain?
The same object that is passed to ssl: { ca, cert, ciphers, key, passphrase, minVersion, rejectUnauthorized }
That would not be my preference because it requires me to do some kind of processing/script step to inject the certificate contents into myConfig.json.
The certificates are not part of the repository for obvious reasons and are copied into the Docker container during a build step. In my opinion, adding another step to write the contents to a JSON file is unnecessarily complex.
Since in your solution the myConfig.json needs to be read by the fs module, what is the objection to reading the certificates directly through additional configuration keys?
Something like this in the startTLS function (connection.js file):
const fs = require('fs');
// Resolve a caFile path into the ca contents before the TLS handshake starts
if (this.config.ssl.caFile) {
  this.config.ssl.ca = fs.readFileSync(this.config.ssl.caFile).toString();
}
Why not just fully abstract adding the CA into your Node.js process altogether? For example, during your Docker build, have it set the environment variable NODE_EXTRA_CA_CERTS to the path of the certificates that were copied in? https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file
That works for the CA file, but not for the client certificate file and client key file used by MySQL SSL connections.
Ah, you are using mutual SSL, apologies. Mutual SSL is certainly not required by MySQL and you can use SSL without it using the traditional authentication modules, so I didn't realize that is what you were trying to achieve.
Since in your solution the myConfig.json needs to be read by the fs module, what is the objection to reading the certificates directly through additional configuration keys?
No big objection, I'm just trying to minimise the API surface area; if there is a generic solution that would work for all cases, I'd prefer it over adding multiple ca / caFile config key alternatives.
Or use readFileSync to read the content by determining if the ca key is a file path?