From c28ec9c260752d7b78f2e876b0ceabcf602c8266 Mon Sep 17 00:00:00 2001
From: Francis Dupont
Date: Thu, 10 Jul 2025 17:04:19 +0200
Subject: [PATCH] [#4005] Added doc and ChangeLog entry
---
 .../3927-add-tls-settings-to-pqconnectdb | 5 +++++
 doc/devel/unit-tests.dox | 12 ++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 changelog_unreleased/3927-add-tls-settings-to-pqconnectdb
diff --git a/changelog_unreleased/3927-add-tls-settings-to-pqconnectdb b/changelog_unreleased/3927-add-tls-settings-to-pqconnectdb
new file mode 100644
index 0000000000..badd5f0c14
--- /dev/null
+++ b/changelog_unreleased/3927-add-tls-settings-to-pqconnectdb
@@ -0,0 +1,5 @@
+[func] razvan
+ Added SSL/TLS support for PostgreSQL database connection in
+ the Kea configuration. Available parameters are:
+ "trust-anchor", "cert-file", "key-file" and "ssl-mode".
+ (Gitlab #3927)
diff --git a/doc/devel/unit-tests.dox b/doc/devel/unit-tests.dox
index ee86a28b72..c02a6c32d6 100644
--- a/doc/devel/unit-tests.dox
+++ b/doc/devel/unit-tests.dox
@@ -65,6 +65,11 @@ The following environment variable can affect the unit tests: the environment of the unit test process is updated so usually this variable is manually set only in order to enforce a particular status.
+- KEA_PGSQL_HAVE_SSL - Specifies the SSL/TLS support status of PostgreSQL.
+ When not set the corresponding PostgreSQL global variable is read and
+ the environment of the unit test process is updated so usually this
+ variable is manually set only in order to enforce a particular status.
+
 - KEA_PIDFILE_DIR - Specifies the directory which should be used for PID files as used by dhcp::Daemon or its derivatives. If not specified, the default is prefix/var/run/kea, where prefix defaults to
@@ -228,6 +233,13 @@ mysql> SHOW GLOBAL VARIABLES LIKE 'have_ssl'; The value of this MySQL global variable is reflected by the KEA_MYSQL_HAVE_SSL environment variable.
+Recent versions of Community MySQL does not support this global variable.
+SSL/TLS support detection was extended to use status using:
+
+@verbatim
+mysql> SHOW STATUS LIKE 'ssl_cipher';
+@endverbatim
+
 The keatest_secure user requires X509 so a client certificate. Of course in production a stricter requirement should be used, in particular when a client certificate should be bound to a particular user.
--
2.39.5