Connecting Drupal to MySQL Using TLS

Classic Graphics’ home office is in Charlotte, North Carolina, the headquarters of Bank of America, and a major employer for other banks like Wells Fargo and BB&T. The Raleigh area also has several bank corporate offices and is the location of Classic’s second manufacturing operation. When I joined Classic Graphics in 2007, I had no idea how much the company was going to grow or just how dependent it would be on the IT department or the modules I wrote for Drupal.

Though a major focus of growth at Classic was to become an obvious competitor for print work and marketing automation in the banking industry, Classic also grew by gaining the trust and business of several other Fortune 500 companies. A major differentiating component in that process was bringing Classic’s security standards to meet the requirements of publicly traded companies. In time, I discovered many of Classic’s customers held their vendors to tougher standards in information technology than they held themselves to.

Guardr is a Drupal distribution which grew from the needs at Classic Graphics for a uniform platform for secure web application development. The Guardr platform is a base distribution for bootstrapping new, custom applications.

Between when I joined Classic Graphics in 2007 and the release of Guardr in 2012, I spent time developing software to support enforcement of policies that Classic needed to enforce to satisfy customer security requirements.

MySQL SSL support

In 2011, webchick committed a patch to Drupal 7 that allowed PDO connections to be configurable. The benefit for security was being able to pass connection parameters to enable SSL links to a remote database server. During the Guardr distribution build, drush make patches the default settings.php file to give examples of how to configure Drupal for using SSL between PHP and a remote MySQL-based server.

settings.php

$databases['default']['default'] = array(
  'driver' => 'mysql',
  'database' => 'databasename',
  'username' => 'username',
  'password' => 'password',
  'host' => 'localhost',
  'prefix' => '',
  'pdo' => array(
    PDO::MYSQL_ATTR_SSL_KEY => '/etc/ssl/mysql/key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/etc/ssl/mysql/cert.pem',
  ),
);

The compress attribute isn’t required, but I added it to serve as an example of how other MySQL connection attributes would be formatted.

Guardr for Drupal 6 had similar functionality, though the solution was less flexible. Users who download the 6.x distribution are probably confused to find it doesn’t connect to their normal database connection because the SSL patch to Drupal 6 forces all MySQL connections to use the SSL flag on connect. The more flexible patch to Drupal 6 core appears to be unlikely to be ever committed.

Drupal 

See also