mysql_adaptor: add TLS parameters

References: GXF-1774, GXF-2005

doc/mysql_adaptor.4gx

@@ -1,5 +1,5 @@
 .\" SPDX-License-Identifier: CC-BY-SA-4.0 or-later
-.\" SPDX-FileCopyrightText: 2020-2022 grommunio GmbH
+.\" SPDX-FileCopyrightText: 2020–2025 grommunio GmbH
 .TH mysql_adaptor 4gx "" "Gromox" "Gromox admin reference"
 .SH Name
 mysql_adaptor \(em MySQL/MariaDB connector for user metadata and authentication
@@ -47,6 +47,12 @@ on the MySQL connection.
 .br
 Default: \fI0\fP (no timeout)
 .TP
+\fBmysql_tls_cert\fP
+The path name of the client public key certificate file.
+.TP
+\fBmysql_tls_key\fP
+The path name of the client private key file.
+.TP
 \fBmysql_username\fP
 Default: \fIroot\fP
 .TP

exch/mysql_adaptor/sql2.cpp

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: AGPL-3.0-or-later, OR GPL-2.0-or-later WITH linking exception
-// SPDX-FileCopyrightText: 2021–2024 grommunio GmbH
+// SPDX-FileCopyrightText: 2021–2025 grommunio GmbH
 // This file is part of Gromox.
 #ifdef HAVE_CONFIG_H
 #	include "config.h"
@@ -144,6 +144,10 @@ MYSQL *mysql_plugin::sql_make_conn()
 		mysql_options(conn, MYSQL_OPT_READ_TIMEOUT, &g_parm.timeout);
 		mysql_options(conn, MYSQL_OPT_WRITE_TIMEOUT, &g_parm.timeout);
 	}
+	if (!g_parm.certfile.empty())
+		mysql_options(conn, MYSQL_OPT_SSL_CERT, g_parm.certfile.c_str());
+	if (!g_parm.keyfile.empty())
+		mysql_options(conn, MYSQL_OPT_SSL_KEY, g_parm.keyfile.c_str());
 	if (mysql_real_connect(conn, g_parm.host.c_str(), g_parm.user.c_str(),
 	    g_parm.pass.size() != 0 ? g_parm.pass.c_str() : nullptr,
 	    g_parm.dbname.c_str(), g_parm.port, nullptr, 0) == nullptr) {
@@ -526,6 +530,8 @@ static constexpr cfg_directive mysql_adaptor_cfg_defaults[] = {
 	{"mysql_password", ""},
 	{"mysql_port", "3306"},
 	{"mysql_rdwr_timeout", "0", CFG_TIME},
+	{"mysql_tls_cert", ""},
+	{"mysql_tls_key", ""},
 	{"mysql_username", "root"},
 	CFG_TABLE_END,
 };
@@ -546,6 +552,8 @@ bool mysql_plugin::reload_config(std::shared_ptr<config_file> &&cfg)
 	par.port = cfg->get_ll("mysql_port");
 	par.user = cfg->get_value("mysql_username");
 	par.pass = cfg->get_value("mysql_password");
+	par.certfile = cfg->get_value("mysql_tls_cert");
+	par.keyfile  = cfg->get_value("mysql_tls_key");
 	auto p2 = cfg->get_value("mysql_password_mode_id107");
 	if (p2 != nullptr)
 		par.pass = zstd_decompress(base64_decode(p2));

include/gromox/mysql_adaptor.hpp

@@ -43,7 +43,7 @@ enum sql_schema_upgrade : uint8_t {
 };
 
 struct mysql_adaptor_init_param {
-	std::string host, user, pass, dbname;
+	std::string host, user, pass, dbname, certfile, keyfile;
 	int port = 0, conn_num = 0, timeout = 0;
 	enum sql_schema_upgrade schema_upgrade = SSU_NOT_ENABLED;
 	bool enable_firsttimepw = false;