-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MySQL: Support SSL with system certificate store #8843
Comments
In which cases is this option useful / needed? I think adding this is only confusing and not needed in any case where it makes sense as an argument? The default setup if
I think only this and not doing the other option makes much more sense as the simplest solution here. Anyone who wants SSL with no validation can set For those that do want SSL validation, |
I think this is also actively harmful for security. If I see |
This part isn't needed, since the driver already uses system roots by default if nothing is specified. So no option is needed at all to use the system roots (and as mentioned above, I think it's harmful for security as it's confusing and doesn't do what the option would seem to imply). I have updated prisma/quaint#312 to include the simplest possible change, only adding the |
@pimeys Am I reading the milestones correctly that the first version to be released with this fix would be 2.31.0? |
The next one, which is either 2.31.0 or 3.x. Out hopefully on 7.9.2021. |
@pimeys Do you all do things like back porting for security fixes etc? I don't know how easy / often people usually upgrade their versions of Prisma and if a new major release would be harder to adopt? Mostly asking since I'm coming from the perspective of how to make it as easy as possible for everyone who uses PlanetScale to get the update and improvement into their deployment 😄. |
I'm probably not the best person answering to questions about back porting. We are going to follow semver much more carefully soon, and there will be some breaking changes on the next cycle that require us on going to 3.x. This is more of a product manager question, so I shared the link on Slack. |
I can speak to that: Until now we never had the need to backport anything. Now with us adopting real SemVer (we did breaking changes before, just did no follow the versioning scheme) that might become more relevant - but we do not think that is already the case with 3.x. Generally our userbase fortunately is upgrading and moving forward rather quickly and confidently (exceptions apply if we introduce new bugs or change behavior in ways that prevents special setups or configurations, but we are working hard to remove these as fast as possible - or help the users through the migration or adaptation hands-on) so these problems usually only apply to people that just forgot to upgrade or were not aware that there was a new version, and that upgrading to them is a good idea and what we always recommend to users. 3.x will be non breaking for 99% of our users, so a pretty painless upgrade. We expect the upgrade rate to not be much lower than before (besides automated tooling requiring an explicit merge from users). We will listen to our users of course, and see if our assumptions need to be updated. For now we think and hope that will not be the case and we can keep with our "always forward" strategy for some more. |
As described in #8697 there is currently no way to use a MySQL database via SSL with a certificate validation via system certificate store.
After a longer internal discussion, we concluded the following change to have the least existing user impact and still giving a great user experience for that use case:
sslcert=system
that only enables SSL, but does not set a certificate location internally. This will trigger cert validation from the system store as PlanetScale requires it. (If we ever clean up the API completely, we can easily keep this special string working.)sslaccept
to trigger SSL for MySQL as well, so just supplyingsslaccept=strict
would also work for a certificate that should be strictly enforced (vs. our default of accepting any)Both changes need to be implemented in Quaint.
This can partially build on top of https://github.com/prisma/quaint/pull/312/files (see comments).
The text was updated successfully, but these errors were encountered: