grafana/pkg/services/sqlstore/tls_mysql.go

package sqlstore

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
)

func makeCert(tlsPoolName string, config MySQLConfig) (*tls.Config, error) {
	rootCertPool := x509.NewCertPool()
	pem, err := ioutil.ReadFile(config.CaCertPath)
	if err != nil {
		return nil, fmt.Errorf("Could not read DB CA Cert path: %v", config.CaCertPath)
	}
	if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
		return nil, err
	}
	clientCert := make([]tls.Certificate, 0, 1)
	if (config.ClientCertPath != "" && config.ClientKeyPath != "") {

		certs, err := tls.LoadX509KeyPair(config.ClientCertPath, config.ClientKeyPath)
		if err != nil {
			return nil, err
		}
		clientCert = append(clientCert, certs)
	}
	tlsConfig := &tls.Config{
		RootCAs:      rootCertPool,
		Certificates: clientCert,
	}
	tlsConfig.ServerName = config.ServerCertName
	if config.SslMode == "skip-verify" {
		tlsConfig.InsecureSkipVerify = true
	}
	// Return more meaningful error before it is too late
	if config.ServerCertName == "" && !tlsConfig.InsecureSkipVerify{
		return nil, fmt.Errorf("server_cert_name is missing. Consider using ssl_mode = skip-verify.")
	}
	return tlsConfig, nil
}
Add TLS for mysql Use ssl_mode for mysql and add docs add docs for the new parameters in config Tolerate ssl_mode without client authentication Client cert is not necessary for a SSL connection. So we tolerate failure if client cert is not provided. Improve error message if missing server_cert_name and mode is not skip-verify. 2015-11-25 00:17:21 +08:00			`package sqlstore`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"fmt"`
			`"io/ioutil"`
			`)`

			`func makeCert(tlsPoolName string, config MySQLConfig) (*tls.Config, error) {`
			`rootCertPool := x509.NewCertPool()`
			`pem, err := ioutil.ReadFile(config.CaCertPath)`
			`if err != nil {`
			`return nil, fmt.Errorf("Could not read DB CA Cert path: %v", config.CaCertPath)`
			`}`
			`if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {`
			`return nil, err`
			`}`
			`clientCert := make([]tls.Certificate, 0, 1)`
			`if (config.ClientCertPath != "" && config.ClientKeyPath != "") {`

			`certs, err := tls.LoadX509KeyPair(config.ClientCertPath, config.ClientKeyPath)`
			`if err != nil {`
			`return nil, err`
			`}`
			`clientCert = append(clientCert, certs)`
			`}`
			`tlsConfig := &tls.Config{`
			`RootCAs: rootCertPool,`
			`Certificates: clientCert,`
			`}`
			`tlsConfig.ServerName = config.ServerCertName`
			`if config.SslMode == "skip-verify" {`
			`tlsConfig.InsecureSkipVerify = true`
			`}`
			`// Return more meaningful error before it is too late`
			`if config.ServerCertName == "" && !tlsConfig.InsecureSkipVerify{`
			`return nil, fmt.Errorf("server_cert_name is missing. Consider using ssl_mode = skip-verify.")`
			`}`
			`return tlsConfig, nil`
			`}`