// Private key file name.
"key-file": "my-key",
- // SSL mode.
- "ssl-mode": "verify-ca",
-
// Cipher list (see the OpenSSL ciphers command manual).
"cipher-list": "AES",
"cert-file": "my-cert",
// Private key file name.
- "key-file": "my-key"
+ "key-file": "my-key",
+
+ // SSL mode.
+ "ssl-mode": "verify-ca"
}
],
// Private key file name.
"key-file": "my-key",
- // SSL mode.
- "ssl-mode": "verify-ca",
-
// Cipher list (see the OpenSSL ciphers command manual).
"cipher-list": "AES",
"cert-file": "my-cert",
// Private key file name.
- "key-file": "my-key"
+ "key-file": "my-key",
+
+ // SSL mode.
+ "ssl-mode": "verify-ca"
}
],
Currently the support for each database is:
-- MySQL supports the whole set, additional configuration must be done
- in the MySQL local setup, for instance certificate revocation list,
- choice of a specific TLS version, mutual authentication, etc.
+- MySQL supports the whole set, except ``ssl-mode``, additional configuration
+ must be done in the MySQL local setup, for instance certificate revocation
+ list, choice of a specific TLS version, mutual authentication, etc.
When a TLS connection was required but the actual connection is in
clear text an error log is emitted.
- The ``ssl-mode`` values correspond to the MySQL values ``DISABLED``,
- ``PREFERRED``, ``REQUIRED``, ``VERIFY_CA`` and ``VERIFY_IDENTITY``
- respectively.
-- PostgreSQL supports the whole set, additional configuration must be
- done in the client library (libpq). Anything else must be done in the
- PostgreSQL local configuration.
+- PostgreSQL supports the whole set, except ``cipher-list``, additional
+ configuration must be done in the client library (libpq). Anything else must
+ be done in the PostgreSQL local configuration.
/// - trust-anchor
/// - cert-file
/// - key-file
- /// - ssl-mode
/// - cipher-list (MySQL only)
/// - reconnect-wait-time
/// - max-reconnect-tries
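Review bot: This list drops `ssl-mode` entirely, while the three sibling lists touched by this commit keep it as `/// - ssl-mode (PostgreSQL only)`; the `(MySQL only)` tag on `cipher-list` on the line above suggests this list also documents the common parameter set, in which case the entry should be kept here in the same form. If this is instead a MySQL-specific list, the `(MySQL only)` tag on `cipher-list` is the part that now reads inconsistently. Either way the four lists should agree on how a backend-specific parameter is marked.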
/// - trust-anchor
/// - cert-file
/// - key-file
- /// - ssl-mode
+ /// - ssl-mode (PostgreSQL only)
/// - reconnect-wait-time
/// - max-reconnect-tries
/// - on-fail
/// - trust-anchor
/// - cert-file
/// - key-file
- /// - ssl-mode
+ /// - ssl-mode (PostgreSQL only)
/// - cipher-list (MySQL only)
/// - reconnect-wait-time
/// - max-reconnect-tries
/// - trust-anchor
/// - cert-file
/// - key-file
- /// - ssl-mode
+ /// - ssl-mode (PostgreSQL only)
/// - cipher-list (MySQL only)
/// - reconnect-wait-time
/// - max-reconnect-tries
isc_throw(DbInvalidTimeout, ex.what());
}
- int ssl_mode(SSL_MODE_PREFERRED);
- string ssslmode;
- try {
- ssslmode = getParameter("ssl-mode");
- tls_ = true;
- } catch (...) {
- // No strict ssl mode
- }
-
const char* ca_file(0);
const char* ca_dir(0);
string sca;
} else {
ca_file = sca.c_str();
}
- if (ssslmode.empty()) {
- ssslmode = "verify-ca";
- }
} catch (...) {
// No trust anchor
}
if (result != 0) {
isc_throw(DbOpenError, "unable to set cipher: " << mysql_error(mysql_));
}
-
- if (ssslmode.empty()) {
- ssslmode = "require";
- }
- }
-
- if (ssslmode == "disable") {
- ssl_mode = SSL_MODE_DISABLED;
- } else if (ssslmode == "prefer") {
- ssl_mode = SSL_MODE_PREFERRED;
- } else if (ssslmode == "require") {
- ssl_mode = SSL_MODE_REQUIRED;
- } else if (ssslmode == "verify-ca") {
- ssl_mode = SSL_MODE_VERIFY_CA;
- } else if (ssslmode == "verify-full") {
- ssl_mode = SSL_MODE_VERIFY_IDENTITY;
- }
-
- result = mysql_options(mysql_, MYSQL_OPT_SSL_MODE, &ssl_mode);
- if (result != 0) {
- isc_throw(DbOpenError, "unable to set SSL mode: " << mysql_error(mysql_));
}
// Open the database.
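Review bot: With the `mysql_options(mysql_, MYSQL_OPT_SSL_MODE, &ssl_mode)` call removed, the code no longer asks the client library for `VERIFY_CA` when a trust anchor is configured (old lines defaulting `ssslmode` to "verify-ca") or `REQUIRED` in the later branch (defaulting to "require"), so whether the server certificate is checked against `ca_file`/`ca_dir` and whether a cleartext fallback is refused now rests entirely on the client library's defaults. The removed block was also the only visible place that set `tls_ = true`; confirm that the trust-anchor and certificate paths still set it, otherwise the "TLS required but connection in clear text" error log described in the ARM can no longer fire for MySQL. A short comment at the top of the remaining TLS setup, such as `// SSL mode is left to the client library default; TLS is only enforced by the post-connect check on tls_`, would record that decision for the next reader. The enclosing function continues outside the hunk in both directions.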
vector<string> result{"mysql"};
for (auto const& p : params) {
string const& keyword(p.first);
- string value(p.second);
+ string const& value(p.second);
// These Kea parameters are the same as the kea-admin parameters.
if (keyword == "user" ||
continue;
}
- if (keyword == "ssl-mode") {
- if (value == "disable") {
- value = "DISABLED";
- } else if (value == "prefer") {
- value = "PREFERRED";
- } else if (value == "require") {
- value = "REQUIRED";
- } else if (value == "verify-ca") {
- value = "VERIFY_CA";
- } else if (value == "verify-full") {
- value = "VERIFY_IDENTITY";
- }
- }
-
// These Kea parameters do not have a direct kea-admin equivalent.
// But they do have a mariadb client flag equivalent.
// We pass them to kea-admin using the --extra flag.
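Review bot: With the `ssl-mode` to `DISABLED`/`PREFERRED`/`REQUIRED`/`VERIFY_CA`/`VERIFY_IDENTITY` translation removed, an `ssl-mode` entry that still reaches `params` for a MySQL backend would now pass through to kea-admin untranslated via `--extra`, because the skip list at the `if (keyword == "user" ||` guard above does not name it. If the configuration parser now rejects `ssl-mode` for MySQL this path is unreachable; if it does not, add `keyword == "ssl-mode" ||` to that skip list so a stale value cannot alter how kea-admin connects. The `string const& value(p.second);` change is correct now that `value` is no longer reassigned. The enclosing function continues outside the hunk.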