AWS, MySQL and require_secure_transport

nefarious_cpu

We're migrating our systems into AWS and are required to use the MySQL require_secure_transport features for db connections. This makes TLS a requirement at the client/server level instead of per user.

How do I configure TLS in the PHP application? PDO and MySQLi have different parameters related to this. Which is in use by osTicket and in which files do I need to configure these parameters?

For example, in Wordpress, you simply need to add this to enable secure transport:
define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL );

Other code I've seen that uses MYSQLI has an object with an array item defined like:
'encrypt' => array( 'ssl_verify' => FALSE, 'ssl_capath'=>'/path/to/pem'),

PDO example of:
PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8',
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,

So, where do I add these directives to osTicket and which connector method should I use?

Thank you,

ntozier

@KevinTheJedi thoughts?

KevinTheJedi

@nefarious_cpu

If you need SSL/TLS for MySQL then you need to configure the below options in your include/ost-config.php file:

https://github.com/osTicket/osTicket/blob/develop/include/ost-sampleconfig.php#L51

We utilize these options below:

https://github.com/osTicket/osTicket/blob/cb6766e5e4cdb82bb5e7d7671d41b0a476f61e0a/bootstrap.php#L187-L192

Cheers.

nefarious_cpu

So, for AWS, download the PEM certificate bundle for your region and configure these options:

define('DBSSLCA','/path/to/aws.pem');
define('DBSSLCERT','');
define('DBSSLKEY','');

That was all it took.

Thank you.