From 2bdc39390a8b57826dbf5056db0734a1cbf1338a Mon Sep 17 00:00:00 2001
From: Zach Wasserman
Date: Wed, 28 Apr 2021 08:31:19 -0700
Subject: [PATCH] Fix handling of MySQL TLS flags (#689)

Incorrect handling of the flags prevented users from setting up TLS connections to the MySQL server.

Fixes #320
---
 server/datastore/mysql/mysql.go | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/server/datastore/mysql/mysql.go b/server/datastore/mysql/mysql.go
index cc3a26d6d3..7aa9a4f887 100644
--- a/server/datastore/mysql/mysql.go
+++ b/server/datastore/mysql/mysql.go
@@ -155,7 +155,8 @@ func New(config config.MysqlConfig, c clock.Clock, opts ...DBOption) (*Datastore
 config.Password = strings.TrimSpace(string(fileContents))
 }
 
- if config.TLSConfig != "" {
+ if config.TLSCA != "" {
+ config.TLSConfig = "custom"
 err := registerTLS(config)
 if err != nil {
 return nil, errors.Wrap(err, "register TLS config for mysql")
@@ -346,15 +347,18 @@ func registerTLS(config config.MysqlConfig) error {
 if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
 return errors.New("failed to append PEM.")
 }
- clientCert := make([]tls.Certificate, 0, 1)
- certs, err := tls.LoadX509KeyPair(config.TLSCert, config.TLSKey)
- if err != nil {
- return errors.Wrap(err, "load mysql client cert and key")
- }
- clientCert = append(clientCert, certs)
 cfg := tls.Config{
- RootCAs: rootCertPool,
- Certificates: clientCert,
+ RootCAs: rootCertPool,
+ }
+ if config.TLSCert != "" {
+ clientCert := make([]tls.Certificate, 0, 1)
+ certs, err := tls.LoadX509KeyPair(config.TLSCert, config.TLSKey)
+ if err != nil {
+ return errors.Wrap(err, "load mysql client cert and key")
+ }
+ clientCert = append(clientCert, certs)
+
+ cfg.Certificates = clientCert
 }
 if config.TLSServerName != "" {
 cfg.ServerName = config.TLSServerName
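Review bot: Because the guard in New now tests only `config.TLSCA`, a configuration that sets `TLSCert`, `TLSKey` or `TLSServerName` without a CA skips registerTLS and those values are dropped with no error. Depending on how the DSN is assembled outside this hunk, the connection could then run without the TLS settings the operator believes are in force. Failing closed on that combination would make the misconfiguration visible, for example `if config.TLSCA == "" && (config.TLSCert != "" || config.TLSKey != "" || config.TLSServerName != "") { return nil, errors.New("mysql TLS cert, key and server name require a TLS CA") }`. The unconditional `config.TLSConfig = "custom"` also replaces any value the user supplied, so a short comment such as `// name under which registerTLS registers the CA-based config (presumably referenced by the DSN)` would help; New's body starts and ends outside the hunk.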
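Review bot: The new guard in registerTLS checks only `config.TLSCert`, so a `TLSKey` supplied without a certificate is silently ignored and the client connects without client authentication, while a certificate without a key fails later inside `tls.LoadX509KeyPair` with a file-open error that does not name the missing setting. Checking the pair up front, `if (config.TLSCert == "") != (config.TLSKey == "") { return errors.New("mysql TLS client cert and key must be set together") }`, would report the mistake directly. The `tls.Config` literal also sets only `RootCAs`, which leaves the protocol floor to the toolchain default; adding `MinVersion: tls.VersionTLS12,` would pin it regardless of Go version. registerTLS begins and ends outside the hunk, so how `cfg` is registered is not visible here.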