Dirkjan Bussink dbussink Amsterdam Used to work on this website

brianmario/mysql2 2102

A modern, simple and very fast Mysql library for Ruby - binding to libmysql

evanphx/Gauge 24

A live status viewer for Rubinius

dbussink/jsonrpc 19

Ruby JSON RPC implementation

foeken/webrat_story_steps 18

A set of commonly used story steps that allow anyone to write rspec stories!

dbussink/geoip2_compat 15

GeoIP2 library with compatibility interface for https://github.com/mtodd/geoip

dbussink/windmill 13

Ruby API for the Windmill project

dbussink/dm-audited 7

Auditing for DataMapper::Resource objects

micheljansen/locomotive 7

Open source server/service/application monitor and deployment panel. NOTE: the repository has moved to http://github.com/nedap/locomotive

dbussink/dm-searchable 6

Very simple searching in multiple columns within a Datamapper::Resource

dbussink/do-schema 6

DataObjects Schema Reflection

Pull request review comment vitessio/vitess

Add support for TLS certification revocation list (CRL) files

 var onceByKeys = sync.Map{}  // ClientConfig returns the TLS config to use for a client to // connect to a server with the provided parameters.-func ClientConfig(mode SslMode, cert, key, ca, name string, minTLSVersion uint16) (*tls.Config, error) {+func ClientConfig(mode SslMode, cert, key, ca, crl, name string, minTLSVersion uint16) (*tls.Config, error) {
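Review bot: the doc comment above ClientConfig still reads "with the provided parameters" and says nothing about the new `crl` argument; it should state what the file is expected to contain (one or more PEM-encoded CRLs) and what happens when `crl` is empty, so a caller can tell whether revocation checking is silently skipped in that case rather than discovering it after deployment.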

Currently, only the first PEM-encoded CRL is parsed from the file.

How hard would it be to read each PEM encoded CRL from the file so that it would provide a way to load multiple? This question is also specifically relevant combined with the other one around validating the signature of the CRL so it can be associated with the right CA then.

hkdsun

comment created time in a day

PullRequestReviewEvent

Pull request review comment vitessio/vitess

Add support for TLS certification revocation list (CRL) files

+/*+Copyright 2021 The Vitess Authors.++Licensed under the Apache License, Version 2.0 (the "License");+you may not use this file except in compliance with the License.+You may obtain a copy of the License at++    http://www.apache.org/licenses/LICENSE-2.0++Unless required by applicable law or agreed to in writing, software+distributed under the License is distributed on an "AS IS" BASIS,+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+See the License for the specific language governing permissions and+limitations under the License.+*/++package vttls++import (+	"crypto/x509"+	"crypto/x509/pkix"+	"fmt"+	"io/ioutil"+	"time"++	"vitess.io/vitess/go/vt/log"+)++type verifyPeerCertificateFunc func([][]byte, [][]*x509.Certificate) error++func certIsRevoked(cert *x509.Certificate, crl *pkix.CertificateList) bool {
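Review bot: certIsRevoked returning only a bool gives the caller no way to distinguish "checked and not revoked" from "could not be checked" (for example a CRL that does not belong to the issuer of cert, or a CRL whose validity window has passed, which the `time` import suggests is being looked at); consider returning (bool, error) so the verifyPeerCertificateFunc can fail closed on an unusable CRL instead of silently treating the certificate as valid.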

Should this also validate that whoever signed cert here also has signed the CRL? See also https://pkg.go.dev/crypto/x509#Certificate.CheckCRLSignature.

hkdsun

comment created time in a day

Pull request review comment vitessio/vitess

Add support for TLS certification revocation list (CRL) files

 var onceByKeys = sync.Map{}  // ClientConfig returns the TLS config to use for a client to // connect to a server with the provided parameters.-func ClientConfig(mode SslMode, cert, key, ca, name string, minTLSVersion uint16) (*tls.Config, error) {+func ClientConfig(mode SslMode, cert, key, ca, crl, name string, minTLSVersion uint16) (*tls.Config, error) {
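Review bot: inserting `crl` between `ca` and `name` in a run of positional string parameters means a caller that passes the CA bundle and CRL paths in the wrong order still compiles and only fails at runtime, if at all; since `ca` already accepts a multi-certificate PEM bundle, grouping these in a small options struct (or at least naming the parameters so the CA/CRL pairing is explicit) would make the call sites easier to review.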

It's not really clear here from the signature, but the ca field here supports a list of PEM encoded CA certificates as a root store with multiple certificates.

That might be confusing for the crl argument here if that only supports one CRL? What if ca contains 2 roots for validation (for example when changing the root CA, or with a larger system list), then it would not be possible to add multiple crls for each CA?

Or does this already work when multiple CRLs are PEM encoded in the given file?

hkdsun

comment created time in a day

PullRequestReviewEvent
PullRequestReviewEvent

push event brianmario/mysql2

Dirkjan Bussink

commit sha 1f83445c40e1159005a5d8aa03605e74deafb828

Fix rubocop offense

view details

push time in a day

pull request comment brianmario/mysql2

Allow setting VERIFY_IDENTITY for MariaDB

@sodabrew Alright, updated things here. I was on vacation for a bit so only came back to it now :smile:.

dbussink

comment created time in a day

PullRequestReviewEvent

Pull request review comment brianmario/mysql2

Allow setting VERIFY_IDENTITY for MariaDB

 static VALUE rb_set_ssl_mode_option(VALUE self, VALUE setting) {     rb_warn( "Your mysql client library does not support setting ssl_mode; full support comes with 5.7.11." );     return Qnil;   }-#ifdef HAVE_CONST_MYSQL_OPT_SSL_ENFORCE+#if defined(HAVE_CONST_MYSQL_OPT_SSL_VERIFY_SERVER_CERT) || defined(HAVE_CONST_MYSQL_OPT_SSL_ENFORCE)   GET_CLIENT(self);   int val = NUM2INT( setting );-  // Either MySQL 5.7.3 - 5.7.10, or Connector/C 6.1.3 - 6.1.x, or MariaDB 10.x-  if ((version >= 50703 && version < 50711) || (version >= 60103 && version < 60200) || (version >= 100000 && version < 110000)) {
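Review bot: the widened `#if` now admits builds where only HAVE_CONST_MYSQL_OPT_SSL_VERIFY_SERVER_CERT is defined, while the version-range branch that used `val` is removed in this hunk without its replacement being visible; please confirm that on such a build a VERIFY_IDENTITY setting really reaches MYSQL_OPT_SSL_VERIFY_SERVER_CERT and that unsupported ssl_mode values still produce a warning rather than a silent no-op, since a silent no-op would leave the connection unverified while the caller believes identity verification is on.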

I have updated the comments and also dropped the < 110000 here since there's no indication that MariaDB will change here for any future version (there's no 11.0 yet though, but I think it would likely break if they'd release such a version).

dbussink

comment created time in a day

push event brianmario/mysql2

Dirkjan Bussink

commit sha d136164687740f9e08fcb2b3ae8c98b7275de36d

Setup default CA path if not provided

This adds setup of a default CA path if there's no path provided by the user. This enables easier configuration of system level CA validation if the MySQL server has a certificate signed by a system root.

On more and more cloud based MySQL platforms system signed CA certificates are used and this hides the issue of selecting the appropriate path from the user.

The real longer term answer here is that this is a default that changes in libmysqlclient itself. The current situation here is mixed. When using MariaDB (including the changes in #1205), the default system roots are already loaded and used if no CA is provided.

On MySQL itself on the other hand, a CA path is required today. I have also opened a PR to improve that, see https://github.com/mysql/mysql-server/pull/358 & https://bugs.mysql.com/bug.php?id=104649.

view details

Dirkjan Bussink

commit sha 6ae1d9a6aa1fa9b2d5e1ae9e3e1ef96c672c11e5

Update Rubocop todo items

view details

Gaurish Sharma

commit sha ef28e60be54d9e59d5736d873aea44562eceba09

Fix broken URL [ci skip] (#1207)

view details

Olivier Lacan

commit sha 673d5a774151721f914dfee91e0090ea0280e2b2

Dynamically set Homebrew-installed OpenSSL flag (#1204)

This is a follow-up to #1135 which added the OpenSSL flag assuming that if the `RUBY_PLATFORM` is `darwin` (macOS):

- Homebrew is installed
- OpenSSL is installed via Homebrew

This PR:

- no longer assumes Homebrew is installed if we're on macOS
- no longer assumes OpenSSL is installed via Homebrew
- asks Homebrew for the openssl location (which will also work with the newer openssl@1.1 recipe)

Should prevent issues like these when running bundle install on the rails codebase: Bundle Install error due to: ld: warning: directory not found for option '-L/usr/local/opt/openssl/lib'

view details

Aaron Stone

commit sha 9307dd9869b64b8e4e19f1a3d1286756fc14355f

Merge pull request #1206 from brianmario/dbussink/handle-default-ca-paths

Setup default CA path if not provided

view details

Dirkjan Bussink

commit sha 04015bae513ce83489882cf4648e3ee58749dac3

Allow setting VERIFY_IDENTITY for MariaDB

This adds support for setting the VERIFY_IDENTITY mode with MariaDB. On MariaDB, the `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` option is available which is equivalent to `VERIFY_IDENTITY`.

Many containers with Ruby apps are based on Debian where MariaDB is the standard provided, so this improves support there significantly.

view details

Dirkjan Bussink

commit sha bcad0e045e2e4b642befd59b2255ce98a89efb8d

Update comments around MariaDB versions

Also removed the check for a potential MariaDB 11.x since there's no indication that this behavior will change in MariaDB.

view details

push time in a day

pull request comment brianmario/mysql2

Allow setting VERIFY_IDENTITY for MariaDB

I think long-term that supporting the brief set of versions MySQL 5.7.3 - 5.7.10 should just be dropped. Unless that same pattern is actually what MariaDB needs long-term, in which case I'd like to get the comments right to guide future-us correctly when it's deprecation time!

It is what MariaDB needs long-term, they are still using those options for the latest versions so I don't think they can be removed / deprecated unless MariaDB compatibility is explicitly dropped. I'll update the comments accordingly as well.

dbussink

comment created time in a day

PullRequestReviewEvent

issue comment prisma/prisma

MySQL: Support SSL with system certificate store

The next one, which is either 2.31.0 or 3.x. Out hopefully on 7.9.2021.

@pimeys Do you all do things like back porting for security fixes etc? I don't know how easy / often people usually upgrade their versions of Prisma and if a new major release would be harder to adopt?

Mostly asking since I'm coming from the perspective of how to make it as easy as possible for everyone who uses PlanetScale to get the update and improvement into their deployment :smile:.

janpio

comment created time in 25 days

issue comment prisma/prisma

Error: P1001: Can't reach database server (PlanetScale)

@abriginets The fix for https://github.com/prisma/prisma/issues/8843 has landed so on a future upcoming release, you don't need any option for sslcert anymore and it will correctly handle the system roots for your system :smile:.

abriginets

comment created time in 25 days

issue comment prisma/prisma

MySQL: Support SSL with system certificate store

@pimeys Am I reading the milestones correctly that the first version to be released with this fix would be 2.31.0?

janpio

comment created time in 25 days

pull request comment prisma/quaint

sslaccept option implies that SSL needs to be enabled

@pimeys Thanks for getting this merged! :bow:

dbussink

comment created time in 25 days

delete branch dbussink/quaint

delete branch : sslaccept-implies-using-ssl

delete time in 25 days

push event brianmario/mysql2

Dirkjan Bussink

commit sha d136164687740f9e08fcb2b3ae8c98b7275de36d

Setup default CA path if not provided

This adds setup of a default CA path if there's no path provided by the user. This enables easier configuration of system level CA validation if the MySQL server has a certificate signed by a system root.

On more and more cloud based MySQL platforms system signed CA certificates are used and this hides the issue of selecting the appropriate path from the user.

The real longer term answer here is that this is a default that changes in libmysqlclient itself. The current situation here is mixed. When using MariaDB (including the changes in #1205), the default system roots are already loaded and used if no CA is provided.

On MySQL itself on the other hand, a CA path is required today. I have also opened a PR to improve that, see https://github.com/mysql/mysql-server/pull/358 & https://bugs.mysql.com/bug.php?id=104649.

view details

Dirkjan Bussink

commit sha 6ae1d9a6aa1fa9b2d5e1ae9e3e1ef96c672c11e5

Update Rubocop todo items

view details

push time in 25 days

push event brianmario/mysql2

Dirkjan Bussink

commit sha 9a286143c1ee1a48ae1c199b259cc9cb273ece12

Update Rubocop todo items

view details

push time in 25 days

push event brianmario/mysql2

Dirkjan Bussink

commit sha 78a44daee26b30288790fb1266720191c4d58b6a

Setup default CA path if not provided

This adds setup of a default CA path if there's no path provided by the user. This enables easier configuration of system level CA validation if the MySQL server has a certificate signed by a system root.

On more and more cloud based MySQL platforms system signed CA certificates are used and this hides the issue of selecting the appropriate path from the user.

The real longer term answer here is that this is a default that changes in libmysqlclient itself. The current situation here is mixed. When using MariaDB (including the changes in #1205), the default system roots are already loaded and used if no CA is provided.

On MySQL itself on the other hand, a CA path is required today. I have also opened a PR to improve that, see https://github.com/mysql/mysql-server/pull/358 & https://bugs.mysql.com/bug.php?id=104649.

view details

push time in 25 days

Pull request review comment brianmario/mysql2

Setup default CA path if not provided

 def parse_flags_array(flags, initial = 0)       end     end +    # Find any default system CA paths to handle system roots+    # by default if stricter validation is requested and no+    # path is provide.+    def find_default_ca_path+      [+        "/etc/ssl/certs/ca-certificates.crt",+        "/etc/pki/tls/certs/ca-bundle.crt",+        "/etc/ssl/ca-bundle.pem",+        "/etc/ssl/cert.pem",
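Review bot: in the added comment, "no path is provide" should read "no path is provided". More importantly, since find_default_ca_path only runs when stricter validation was requested, the caller should still fail closed when none of the listed bundles exists on the host: without a CA the client library cannot verify the server chain, and carrying on with the requested ssl_mode but no trust store would give the user verification they believe is on but is not.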

This list matches all commonly used paths as mentioned also at https://docs.planetscale.com/reference/secure-connections#ca-root-configuration.

https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go#L7-L14 has a somewhat similar list, but a number of those are not needed since those platforms then provide a symlink already in this list.

dbussink

comment created time in 25 days

PullRequestReviewEvent

PR opened brianmario/mysql2

Setup default CA path if not provided

This adds setup of a default CA path if there's no path provided by the user. This enables easier configuration of system level CA validation if the MySQL server has a certificate signed by a system root.

On more and more cloud based MySQL platforms system signed CA certificates are used and this hides the issue of selecting the appropriate path from the user.

The real longer term answer here is that this is a default that changes in libmysqlclient itself. The current situation here is mixed. When using MariaDB (including the changes in #1205), the default system roots are already loaded and used if no CA is provided.

On MySQL itself on the other hand, a CA path is required today. I have also opened a PR to improve that, see https://github.com/mysql/mysql-server/pull/358 & https://bugs.mysql.com/bug.php?id=104649.

+20 -1

0 comment

1 changed file

pr created time in 25 days

push event brianmario/mysql2

Dirkjan Bussink

commit sha 33c29bfe0c57d7d13de6a9bb463fc745bb63359b

Setup default CA path if not provided

This adds setup of a default CA path if there's no path provided by the user. This enables easier configuration of system level CA validation if the MySQL server has a certificate signed by a system root.

On more and more cloud based MySQL platforms system signed CA certificates are used and this hides the issue of selecting the appropriate path from the user.

The real longer term answer here is that this is a default that changes in libmysqlclient itself. The current situation here is mixed. When using MariaDB (including the changes in #1205), the default system roots are already loaded and used if no CA is provided.

On MySQL itself on the other hand, a CA path is required today. I have also opened a PR to improve that, see https://github.com/mysql/mysql-server/pull/358 & https://bugs.mysql.com/bug.php?id=104649.

view details

push time in 25 days

create branch brianmario/mysql2

branch : dbussink/handle-default-ca-paths

created branch time in 25 days

pull request comment brianmario/mysql2

Allow setting VERIFY_IDENTITY for MariaDB

@sodabrew Are you willing to also release a new version once this fix is merged together with the other improvements around MariaDB handling that already have landed?

dbussink

comment created time in 25 days

issue comment brianmario/mysql2

Can't enable SSL with MariaDB driver library

https://github.com/brianmario/mysql2/pull/1205 also further improves MariaDB handling by allowing VERIFY_IDENTITY to map to the equivalent setting on MariaDB.

vakuum

comment created time in 25 days

pull request comment brianmario/mysql2

Allow setting VERIFY_IDENTITY for MariaDB

I don't think the failures in CI here are related to the changes I've made.

dbussink

comment created time in 25 days

PR opened brianmario/mysql2

Allow setting VERIFY_IDENTITY for MariaDB

This adds support for setting the VERIFY_IDENTITY mode with MariaDB. On MariaDB, the MYSQL_OPT_SSL_VERIFY_SERVER_CERT option is available which is equivalent to VERIFY_IDENTITY.

Many containers with Ruby apps are based on Debian where MariaDB is the standard provided, so this improves support there significantly.

+32 -9

0 comment

2 changed files

pr created time in 25 days