
Enable mysql TLS cert verification

data-sync-user opened this issue 1 year ago • 2 comments

We can potentially add an extra layer of protection to the mysql TLS connection by enabling cert verification, via the ssl-mode of VERIFY_CA or VERIFY_IDENTITY. We may need to also point the client library to a ca/cert file bundle.

The new diesel supports configuration of ssl_mode ~~but not the ca/cert configuration options~~ (EDIT: it does support the ca option). It’s possible that all of this could be configured via a my.cnf read by libmysqlclient (the docs seem to claim this happens however I’ll note mariadb’s libmysqlclient did not do this, only its mysql cli command did).


data-sync-user, Nov 01 '22 18:11

➤ Philip Jenvey commented:

I don’t see mysql’s libmysqlclient reading any cnf files, similar to mariadb’s, despite mysql_options suggesting ( https://dev.mysql.com/doc/c-api/5.6/en/mysql-options.html ) it would “Read options from the named option file instead of from my.cnf.” when setting a MYSQL_READ_DEFAULT_FILE option.

Anyway, per AWS docs ( https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/mysql-ssl-connections.html#MySQL.Concepts.SSLSupport ), we will only need the ssl_mode and ssl_ca options to enable this. These are both available in diesel 2.0.

I was able to apply the ssl_mode patch ( https://github.com/diesel-rs/diesel/issues/786 ) on top of our currently used diesel 1.4.8 without too much trouble. Its ssl_ca patch ( https://github.com/diesel-rs/diesel/pull/3049 ) looks like it could also be applied similarly.

So to enable cert verification we either need to upgrade to diesel 2.0 or if needed more quickly than that, temporarily roll our own 1.4.8 fork.

data-sync-user, Nov 01 '22 23:11

➤ Philip Jenvey commented:

My fork: https://github.com/pjenvey/diesel/tree/v1.4.8-mysql-ssl-support

data-sync-user, Nov 01 '22 23:11
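As an added illustration, not code from syncstorage-rs or diesel, of the two options the thread settles on: a startup check that classifies a configured MySQL URL by whether it actually verifies the server certificate, plus a helper that appends `ssl_mode=VERIFY_IDENTITY` and `ssl_ca`. It assumes diesel 2.0 reads `ssl_mode` and `ssl_ca` from the URL query string as the comments above state, that the CA path needs no percent-encoding, and the host names and paths are constructed.

```rust
use std::collections::HashMap;

/// What a diesel-style MySQL URL implies about server-certificate checking.
#[derive(Debug, PartialEq)]
pub enum TlsPosture {
    /// No ssl_mode, or DISABLED/PREFERRED/REQUIRED: the server cert is never
    /// checked, so TLS alone does not stop an impersonating server.
    Unverified,
    /// VERIFY_CA + ssl_ca: chain checked against the bundle, hostname not.
    VerifyCa,
    /// VERIFY_IDENTITY + ssl_ca: chain checked and hostname matched.
    VerifyIdentity,
    /// VERIFY_* requested but no CA bundle to verify against.
    VerifyWithoutCa,
    /// A value libmysqlclient does not define.
    UnknownMode(String),
}

/// Parse `key=value` pairs after `?`, keys lower-cased.
/// Assumption: values carry no percent-encoding.
fn query_params(url: &str) -> HashMap<String, String> {
    url.split_once('?')
        .map_or("", |(_, q)| q)
        .split('&')
        .filter_map(|kv| kv.split_once('='))
        .map(|(k, v)| (k.to_ascii_lowercase(), v.to_string()))
        .collect()
}

pub fn tls_posture(url: &str) -> TlsPosture {
    let params = query_params(url);
    let mode = params.get("ssl_mode").map(|m| m.to_ascii_uppercase());
    let has_ca = params.get("ssl_ca").map_or(false, |p| !p.is_empty());
    match mode.as_deref() {
        Some("VERIFY_IDENTITY") if has_ca => TlsPosture::VerifyIdentity,
        Some("VERIFY_CA") if has_ca => TlsPosture::VerifyCa,
        Some("VERIFY_IDENTITY") | Some("VERIFY_CA") => TlsPosture::VerifyWithoutCa,
        None | Some("DISABLED") | Some("PREFERRED") | Some("REQUIRED") => TlsPosture::Unverified,
        Some(other) => TlsPosture::UnknownMode(other.to_string()),
    }
}

/// Append the two parameters the thread settles on, keeping any existing query.
pub fn with_verification(url: &str, ca_path: &str) -> String {
    let sep = if url.contains('?') { '&' } else { '?' };
    format!("{url}{sep}ssl_mode=VERIFY_IDENTITY&ssl_ca={ca_path}")
}
```

Running `tls_posture` on the deployed URL at startup and refusing anything but `VerifyCa`/`VerifyIdentity` turns a silent downgrade (a URL that quietly lost its `ssl_mode`) into a loud failure.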