NEW Added MySQL SSL PDO Support (fixes #7077)

[johndalangin]

Modified ConfigureFromEnv.php to parse SS_DATABASE_SSL variables (also added a bit of documentation)
Modified PDOConnector.php to implement variables set in ConfigureFromEnv if exists
Modified install files MySQLDatabaseConfigurationHelper and install.php5 to accept and implement SS_DATABASE_SSL variables set in _ss_environment.php

TODO: Add documentation

[johndalangin]

@dhensby fixes #7077

Thank you.

[dhensby]

Looks good - only thing I'm concerned about is tight coupling to MySQL

[dhensby]

Is this only for MySQL using PDO or do all PDO drivers support this?

[johndalangin]

For now it's only for MySQL using PDO.

[dhensby]

I'd like @tractorcow's thoughts, again

[johndalangin]

@tractorcow @dhensby Thank you for your prompt response. I checked the contents of /model/connect and it seems that the only 2 DB connectors included by default are MySQLi and MySQLPDO.

I've taken a look at the MySQLi documentation and it seems that there might be a way to implement SSL via the mysqli::ssl_set directive. (http://php.net/manual/en/mysqli.ssl-set.php). I can create another issue and work on this as well.

I don't have any experience working with PostgreSQL or MSSQL with Silverstripe so it might take me a while to get working on an implementation. Maybe we can indicate in the documentation that SSL is only supported on MySQL via MySQLi and PDOMySQL in the mean time so we can push this forward and worry about tight coupling later? I can work on the documentation as well.

Let me know your thoughts.

Thank you.

[tractorcow]

My feeling is that perhaps we should set these for all connectors, and we allow classes that support these options to configure them internally. Otherwise, $databaseConfig will keep these values but will be ignored by unsupported backends.

As it stands I wouldn't be able to support a custom connector with SSL.

[johndalangin]

Understood. The reason why I encapsulated setting the SSL variables to PDO is because I feared I would break something with the other databases. If the setting the variables will be innocuous for other database, I can remove the condition.

[tractorcow]

Instead of setting the default cipher here, let's leave it up to the DB connection to choose it's own default.

[johndalangin]

Noted.

[tractorcow]

Also here, let's leave it blank if not defined, and let the connector choose it's own default.

[johndalangin]

Noted.

[tractorcow]

Lets make this a config rather than hard coding it.

private static $ssl_cipher_default = 'DHE-RSA-AES256-SHA';
// ...
$options[PDO::MYSQL_ATTR_SSL_CIPHER] = $parameters['ssl_cipher'] ?: $this->config()->ssl_cipher_default;

[johndalangin]

Understood.

[johndalangin]

@tractorcow I'll have the changes ready within the day. Thank you for your feedback.

[tractorcow]

That's fine @johndalangin, thanks for the great feature!

[johndalangin]

@tractorcow No worries! It's my pleasure to contribute. We've been working with Silverstripe for a couple of years now and we'd love to contribute every change we'd get.

The requested revisions have been pushed. Feel free to take a look and let me know if you have any more comments.

[tractorcow]

I'm happy. @dhensby you have any thoughts or shall we just merge it?

[johndalangin]

@tractorcow @dhensby Thanks for your feedback! I'll work on the MySQLi connector integration in a separate issue. Do you have a release schedule for the next minor version? I can work on the SSL MySQLi integration by next week but if you need it faster, I can adjust my schedule so we can release both simultaneously.

I'll also do the documentation in a separate issue which will most likely affect Security, Models and Databases, and Configuration.

Let me know if you have concerns.

[dhensby]

I'm happy