From cd55441e4e59f8dfe89d6642322cb113948f513d Mon Sep 17 00:00:00 2001
From: games647
Date: Thu, 23 Sep 2021 14:55:23 +0200
Subject: [PATCH] Allow configuring SSL requirements for MySQL instances

Fixes #433
---
 .../fastlogin/core/shared/FastLoginCore.java | 6 +++++
 .../fastlogin/core/storage/MySQLStorage.java | 23 +++++++++++--------
 core/src/main/resources/config.yml | 14 +++++++++--
 3 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java b/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java
index a5dfd05d..27ef947b 100644
--- a/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java
+++ b/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java
@@ -211,6 +211,12 @@ public class FastLoginCore

> {
 int port = config.get("port", 3306);
 boolean useSSL = config.get("useSSL", false);
+ if (useSSL) {
+ databaseConfig.addDataSourceProperty("allowPublicKeyRetrieval", config.getBoolean("allowPublicKeyRetrieval", false));
+ databaseConfig.addDataSourceProperty("serverRSAPublicKeyFile", config.getString("ServerRSAPublicKeyFile"));
+ databaseConfig.addDataSourceProperty("sslMode", config.getString("sslMode", "Required"));
+ }
+
 databaseConfig.setUsername(config.get("username", ""));
 databaseConfig.setPassword(config.getString("password"));
 storage = new MySQLStorage(this, host, port, database, databaseConfig, useSSL);
diff --git a/core/src/main/java/com/github/games647/fastlogin/core/storage/MySQLStorage.java b/core/src/main/java/com/github/games647/fastlogin/core/storage/MySQLStorage.java
index ce22d79f..b9b513a2 100644
--- a/core/src/main/java/com/github/games647/fastlogin/core/storage/MySQLStorage.java
+++ b/core/src/main/java/com/github/games647/fastlogin/core/storage/MySQLStorage.java
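Review bot: The context line `storage = new MySQLStorage(this, host, port, database, databaseConfig, useSSL);` still passes the boolean, while this same commit changes the MySQLStorage constructor to take `Map sslOptions`, so the module no longer compiles as patched; the call site needs a map carrying the `useSSL` entry (or the constructor should keep the boolean). Inside the new `if (useSSL)` block, `config.getString("ServerRSAPublicKeyFile")` is null whenever the key is not set (it ships commented out in config.yml), and HikariConfig keeps data-source properties in a `Properties` table that rejects null values, so enabling SSL without that key would most likely throw at startup; guard it with `String keyFile = config.getString("ServerRSAPublicKeyFile"); if (keyFile != null) { databaseConfig.addDataSourceProperty("serverRSAPublicKeyFile", keyFile); }`. The default `config.getString("sslMode", "Required")` also replaces the previous hard-coded `VerifyFull` with a mode that encrypts but does not verify the server certificate, which the comment retained in MySQLStorage still promises; if the weaker default is intended the config text should say so plainly, otherwise default to `"VerifyFull"`. The enclosing method starts and ends outside the hunk.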
@@ -3,30 +3,35 @@ package com.github.games647.fastlogin.core.storage;
 import com.github.games647.fastlogin.core.shared.FastLoginCore;
 import com.zaxxer.hikari.HikariConfig;
+import java.util.Map;
+
 public class MySQLStorage extends SQLStorage {
- public MySQLStorage(FastLoginCore core, String host, int port, String database, HikariConfig config, boolean useSSL) {
+ public MySQLStorage(FastLoginCore core, String host, int port, String database, HikariConfig config,
+ Map sslOptions) {
 super(core, "mysql://" + host + ':' + port + '/' + database,
- setParams(config, useSSL));
+ setParams(config, sslOptions));
 }
- private static HikariConfig setParams(HikariConfig config, boolean useSSL) {
+ private static HikariConfig setParams(HikariConfig config, Map sslOptions) {
+ boolean useSSL = (boolean) sslOptions.get("useSSL");
+
 // Require SSL on the server if requested in config - this will also verify certificate
 // Those values are deprecated in favor of sslMode
 config.addDataSourceProperty("useSSL", useSSL);
 config.addDataSourceProperty("requireSSL", useSSL);
- if (useSSL) {
- // require encrypted if possible
- config.addDataSourceProperty("sslMode", "VerifyFull");
- }
-
 // adding paranoid hides hostname, username, version and so
 // could be useful for hiding server details
 config.addDataSourceProperty("paranoid", true);
 // enable MySQL specific optimizations
+ addPerformanceProperties(config);
+ return config;
+ }
+
+ private static void addPerformanceProperties(HikariConfig config) {
 // disabled by default - will return the same prepared statement instance
 config.addDataSourceProperty("cachePrepStmts", true);
 // default prepStmtCacheSize 25 - amount of cached statements
@@ -55,7 +60,5 @@ public class MySQLStorage extends SQLStorage {
 // performance gems presentation
 // In our case it can be useful to see the time in error messages
 // config.addDataSourceProperty("maintainTimeStats", false);
-
- return config;
 }
 }
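Review bot: The retained comment `// Require SSL on the server if requested in config - this will also verify certificate` above the `useSSL`/`requireSSL` properties is no longer true once the `sslMode = "VerifyFull"` block is removed in this hunk: certificate checking now depends entirely on whatever `sslMode` the caller placed in the HikariConfig, and the default the caller chooses elsewhere in this commit is `Required`, which does not verify the certificate. Replace it with `// Legacy flags: only request encryption; certificate verification depends on the sslMode property set by the caller`. Separately, `setParams` takes a raw `Map` and does `boolean useSSL = (boolean) sslOptions.get("useSSL");`, which compiles with an unchecked warning and throws a NullPointerException on unboxing when the entry is absent; a typed `Map<String, Boolean> sslOptions` with `boolean useSSL = Boolean.TRUE.equals(sslOptions.get("useSSL"));` removes the cast and treats a missing entry as the configured default of false instead of crashing. The class body and the new `addPerformanceProperties` method continue past the end of this hunk.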
diff --git a/core/src/main/resources/config.yml b/core/src/main/resources/config.yml
index 4c89a7c4..d7cbc502 100644
--- a/core/src/main/resources/config.yml
+++ b/core/src/main/resources/config.yml
@@ -264,9 +264,19 @@ database: '{pluginDir}/FastLogin.db'
 #timeout: 30
 #lifetime: 30
-# It's strongly recommended to enable SSL and setup a SSL certificate if the MySQL server isn't running on the same
-# machine
+## It's recommended to enable SSL if the MySQL server isn't running on the same host
+## This will encrypt the connection for secure transportation of the sql server password
 #useSSL: false
+## Verification requirements for the server cert,
+## Values: Required (unchecked SSL connection), VerifyCA (verify CA), VerifyFull (verify CA and matching hostname)
+#sslMode=Required
+## TLS is preferred for this technique, then your host stored certificate store will be used to verify the server cert
+## Similar to HTTPS. If that's not possible RSA can be used with the following options.
+## This allows to request the public RSA key from the server to encrypt the data to it. True would allow machine-in-the-
+## middle attacks.
+#allowPublicKeyRetrieval=false
+## Path to the RSA public key if key retrieval is forbidden
+#ServerRSAPublicKeyFile=
 # HTTP proxies for connecting to the Mojang servers in order to check if the username of a player is premium.
 # This is a workaround to prevent rate-limiting by Mojang. These proxies will only be used once your server hit
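Review bot: The three new sample keys `#sslMode=Required`, `#allowPublicKeyRetrieval=false` and `#ServerRSAPublicKeyFile=` use `=` while every other option in this file, including the neighbouring `#useSSL: false`, uses YAML `key: value` syntax, so a user who uncomments them as written gets no usable setting even though the Java side reads exactly these names; write them as `#sslMode: Required`, `#allowPublicKeyRetrieval: false` and `#ServerRSAPublicKeyFile: '/path/to/server-public-key.pem'` (example path). `ServerRSAPublicKeyFile` is also the only capitalised option name in this section and is easy to mistype; it matches the lookup in FastLoginCore, so any rename has to happen in both places. The text describes `Required` as an "unchecked SSL connection" but never says it is the default once useSSL is true, which a reader could take to mean certificate verification is on; add `## Default is Required, which encrypts the connection but does not check the server certificate` next to it.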