Allow configuring SSL requirements for MySQL instances

Fixes #433
2025-07-29 18:27:36 +02:00 · 2021-09-23 14:55:23 +02:00
parent 17ecb186a5
commit cd55441e4e
3 changed files with 31 additions and 12 deletions
--- a/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java
+++ b/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java
@ -211,6 +211,12 @@ public class FastLoginCore<P extends C, C, T extends PlatformPlugin<C>> {
            int port = config.get("port", 3306);
            boolean useSSL = config.get("useSSL", false);

+            if (useSSL) {
+                databaseConfig.addDataSourceProperty("allowPublicKeyRetrieval", config.getBoolean("allowPublicKeyRetrieval", false));
+                databaseConfig.addDataSourceProperty("serverRSAPublicKeyFile", config.getString("ServerRSAPublicKeyFile"));
+                databaseConfig.addDataSourceProperty("sslMode", config.getString("sslMode", "Required"));
+            }
+
            databaseConfig.setUsername(config.get("username", ""));
            databaseConfig.setPassword(config.getString("password"));
            storage = new MySQLStorage(this, host, port, database, databaseConfig, useSSL);
--- a/core/src/main/java/com/github/games647/fastlogin/core/storage/MySQLStorage.java
+++ b/core/src/main/java/com/github/games647/fastlogin/core/storage/MySQLStorage.java
@ -3,30 +3,35 @@ package com.github.games647.fastlogin.core.storage;
 import com.github.games647.fastlogin.core.shared.FastLoginCore;
 import com.zaxxer.hikari.HikariConfig;

+import java.util.Map;
+
 public class MySQLStorage extends SQLStorage {

-    public MySQLStorage(FastLoginCore<?, ?, ?> core, String host, int port, String database, HikariConfig config, boolean useSSL) {
+    public MySQLStorage(FastLoginCore<?, ?, ?> core, String host, int port, String database, HikariConfig config,
+                        Map<String, Object> sslOptions) {
        super(core,
                "mysql://" + host + ':' + port + '/' + database,
-                setParams(config, useSSL));
+                setParams(config, sslOptions));
    }

-    private static HikariConfig setParams(HikariConfig config, boolean useSSL) {
+    private static HikariConfig setParams(HikariConfig config, Map<String, Object> sslOptions) {
+        boolean useSSL = (boolean) sslOptions.get("useSSL");
+
        // Require SSL on the server if requested in config - this will also verify certificate
        // Those values are deprecated in favor of sslMode
        config.addDataSourceProperty("useSSL", useSSL);
        config.addDataSourceProperty("requireSSL", useSSL);

-        if (useSSL) {
-            // require encrypted if possible
-            config.addDataSourceProperty("sslMode", "VerifyFull");
-        }
-
        // adding paranoid hides hostname, username, version and so
        // could be useful for hiding server details
        config.addDataSourceProperty("paranoid", true);

        // enable MySQL specific optimizations
+        addPerformanceProperties(config);
+        return config;
+    }
+
+    private static void addPerformanceProperties(HikariConfig config) {
        // disabled by default - will return the same prepared statement instance
        config.addDataSourceProperty("cachePrepStmts", true);
        // default prepStmtCacheSize 25 - amount of cached statements
@ -55,7 +60,5 @@ public class MySQLStorage extends SQLStorage {
        // performance gems presentation
        // In our case it can be useful to see the time in error messages
        // config.addDataSourceProperty("maintainTimeStats", false);
-
-        return config;
    }
 }
--- a/core/src/main/resources/config.yml
+++ b/core/src/main/resources/config.yml
@ -264,9 +264,19 @@ database: '{pluginDir}/FastLogin.db'
 #timeout: 30
 #lifetime: 30

-# It's strongly recommended to enable SSL and setup a SSL certificate if the MySQL server isn't running on the same
-# machine
+## It's recommended to enable SSL if the MySQL server isn't running on the same host
+## This will encrypt the connection for secure transportation of the sql server password
 #useSSL: false
+## Verification requirements for the server cert,
+## Values: Required (unchecked SSL connection), VerifyCA (verify CA), VerifyFull (verify CA and matching hostname)
+#sslMode=Required
+## TLS is preferred for this technique, then your host stored certificate store will be used to verify the server cert
+## Similar to HTTPS. If that's not possible RSA can be used with the following options.
+## This allows to request the public RSA key from the server to encrypt the data to it. True would allow machine-in-the-
+## middle attacks.
+#allowPublicKeyRetrieval=false
+## Path to the RSA public key if key retrieval is forbidden
+#ServerRSAPublicKeyFile=

 # HTTP proxies for connecting to the Mojang servers in order to check if the username of a player is premium.
 # This is a workaround to prevent rate-limiting by Mojang. These proxies will only be used once your server hit