Add TLS Support for database connectivity (#334)

Author: UFOSmuggler

core/files/entrypoint.sh

@@ -13,6 +13,10 @@ export MYSQL_USER=${MYSQL_USER:-misp}
 export MYSQL_PASSWORD=${MYSQL_PASSWORD:-example}
 export MYSQL_DATABASE=${MYSQL_DATABASE:-misp}
 export MYSQL_CMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
+export MYSQL_TLS=${MYSQL_TLS:-false}
+export MYSQL_TLS_CA=${MYSQL_TLS_CA}
+export MYSQL_TLS_CERT=${MYSQL_TLS_CERT}
+export MYSQL_TLS_KEY=${MYSQL_TLS_KEY}
 export REDIS_HOST=${REDIS_HOST:-redis}
 export REDIS_PORT=${REDIS_PORT:-6379}
 export ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD:-false}

core/files/entrypoint_nginx.sh

@@ -8,6 +8,50 @@ term_proc() {
 
 trap term_proc SIGTERM
 
+update_database_tls_config() {
+    local key="$1"
+    local value="$2"
+    local config_file="$3"
+    local enable="$4"
+
+    [[ -z "$key" || -z "$config_file" ]] && { echo "key/config_file required"; return 1; }
+    [[ ! -f "$config_file" ]] && { echo "Config file not found: $config_file"; return 1; }
+
+    if [[ "$enable" == true && -z "$value" ]]; then
+        #echo "Not setting $key as value is empty..."
+        return 0
+    fi
+
+    if [[ "$enable" == true && "$key" =~ ^(ssl_ca|ssl_cert|ssl_key)$ ]]; then
+        if [[ ! -f "$value" ]]; then
+            echo "Cannot configure TLS key $key: file $value does not exist..."
+            return 1
+        fi
+    fi
+
+    local tmp
+    tmp="$(mktemp)"
+
+    if [[ "$enable" == true ]]; then
+        if grep -qE "^[[:space:]]*'${key}'[[:space:]]*=>" "$config_file"; then
+            sed -E "s@^([[:space:]]*'${key}'[[:space:]]*=>)[^,]*,@\1 '${value}',@g" \
+              "$config_file" > "$tmp"
+        else
+            sed -E "/public[[:space:]]+\\\$default[[:space:]]*=[[:space:]]*\\[/a\\
+        '${key}' => '${value}'," \
+              "$config_file" > "$tmp"
+        fi
+    else
+        sed -E "/^[[:space:]]*'${key}'[[:space:]]*=>/d" \
+          "$config_file" > "$tmp"
+    fi
+
+    if [[ -s "$tmp" ]]; then
+        cat "$tmp" > "$config_file"
+    fi
+    rm -f "$tmp"
+}
+
 init_mysql(){
     # Test when MySQL is ready....
     # wait for Database come ready
@@ -121,6 +165,13 @@ EOT
     sed "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php > tmp; cat tmp > $MISP_APP_CONFIG_PATH/database.php; rm tmp
     sed "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php > tmp; cat tmp > $MISP_APP_CONFIG_PATH/database.php; rm tmp
 
+    # Enable MySQL TLS immediately, as TLS requiring hosts like AWS RDS may banlist non-TLS connecting hosts
+    # Conversely, this is also a good spot to disable it if required
+
+    update_database_tls_config ssl_ca "$MYSQL_TLS_CA" "$MISP_APP_CONFIG_PATH/database.php" "$MYSQL_TLS"
+    update_database_tls_config ssl_cert "$MYSQL_TLS_CERT" "$MISP_APP_CONFIG_PATH/database.php" "$MYSQL_TLS"
+    update_database_tls_config ssl_key "$MYSQL_TLS_KEY" "$MISP_APP_CONFIG_PATH/database.php" "$MYSQL_TLS"
+
     echo "... initialize email.php settings"
     chmod +w $MISP_APP_CONFIG_PATH/email.php
     tee $MISP_APP_CONFIG_PATH/email.php > /dev/null <<EOT

docker-compose.yml

@@ -255,6 +255,11 @@ services:
       - "MYSQL_USER=${MYSQL_USER:-misp}"
       - "MYSQL_PASSWORD=${MYSQL_PASSWORD:-example}"
       - "MYSQL_DATABASE=${MYSQL_DATABASE:-misp}"
+      # mysql TLS settings
+      - "MYSQL_TLS=${MYSQL_TLS:-false}"
+      - "MYSQL_TLS_CA=${MYSQL_TLS_CA}"
+      - "MYSQL_TLS_CERT=${MYSQL_TLS_CERT}"
+      - "MYSQL_TLS_KEY=${MYSQL_TLS_KEY}"
       # redis settings
       - "REDIS_HOST=${REDIS_HOST:-redis}"
       - "REDIS_PORT=${REDIS_PORT:-6379}"

template.env

@@ -121,6 +121,12 @@ SYNCSERVERS_1_PULL_RULES=
 # MYSQL_ROOT_PASSWORD=
 # MYSQL_DATABASE=
 
+# optional and used to set mysql db TLS configuration
+# MYSQL_TLS=true
+# MYSQL_TLS_CA=/custom/files/tls/misp_ca.pem
+# MYSQL_TLS_CERT=/custom/files/tls/misp_cert.cert
+# MYSQL_TLS_KEY=/custom/files/tls/misp_key.key
+
 # optional and used to set redis
 # REDIS_HOST=
 # REDIS_PORT=