4 changes: 3 additions & 1 deletion echo-mysql/.env
Expand Up @@ -2,4 +2,6 @@ MYSQL_USER=root
MYSQL_PASSWORD=password
MYSQL_HOST=localhost
MYSQL_PORT=3306
MYSQL_DBNAME=uss
MYSQL_DBNAME=uss
MYSQL_SSL_MODE=production
MYSQL_SSL_CA=./certs/ca.pem
27 changes: 27 additions & 0 deletions echo-mysql/certs/ca-key.pem
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
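Review bot: This file is the CA's RSA private key, and committing it lets everyone who can read the repository issue certificates that chain to `ca.pem`, the trust root the app loads through `MYSQL_SSL_CA`. The same applies to `echo-mysql/certs/server-key.pem` later in this change. Keep only the generation recipe (`openssl.cnf` plus a script) in the tree and add `echo-mysql/certs/*-key.pem` to `.gitignore`. Both keys should then be regenerated, because the committed ones stay in history.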
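--- a/echo-mysql/certs/ca.pem
+++ b/echo-mysql/certs/ca.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBzCCAe+gAwIBAgIUfeXxHr/bnolkh3+QK87031n++U8wDQYJKoZIhvcNAQEL
+BQAwEzERMA8GA1UEAwwIbXlzcWwtY2EwHhcNMjUxMDE1MDMzNjAzWhcNMzUxMDEz
+MDMzNjAzWjATMREwDwYDVQQDDAhteXNxbC1jYTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAKa0NbrrNRaRX0QChl1jnJafgZ7PFlR95fLAUX3KDH14gMmA
+R9+OzRCRMDdTW/yIUtn3vyuHSIdtcCzgUBoDTZ3/DAjVitNkon/KCetBOGV/A82W
+XUSsq8zg4A7RXH0sApJO2VugKtsUVBvytksIB81Sf3ABsZQigW/yIxzyQsb+HrP5
+EbG/Ua3bA1KmyBtLdBVzHYop7XgtZTvmqNFDayVk+viznyBa1e18ST1dpSb1dY9x
+Cym3+hbzAfG0Szz/EsyPDdQEATpQyNLVQOcP9kNtnXRHH5tk1WhRINPu+Xbp0qjI
+X527FHCIznv4QNJZrqGy32Zk/0oaVrrYi5HWxCECAwEAAaNTMFEwHQYDVR0OBBYE
+FGDWq4435H96w5xIaBLhjEaF4HGbMB8GA1UdIwQYMBaAFGDWq4435H96w5xIaBLh
+jEaF4HGbMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIRys1R8
+CQwTFOiJu9yyNVzZQQjlIbaY4gAXbu7t2KqRE2VrJvjxMTJH9Dp96srxYkNw1lpY
+qCXYaMllohn0oVwKnfSkHG6WoKEC9PNn3dXyCR7cqu1nGJNtefZWd8HDCK88iJZH
+zEtVXWb7T+5QriBE0TbzYFERB26r7lH3X1vh5YU+NGlXKguGx6dXVl3HsYxoNF7+
+FyWDWQ7LaDKbgiWQ44jnpZ21hvULuqeKHCsSDzwXLcG7yurbTI7oLL3XwQ/es/ui
+ditMEvAWlaRwUxTJPDsSc18G6lijS7b7jELErWmYVAFt5h+DKfxKSN3Jcb5OBDDV
+O8pdCMAAYRXv008=
+-----END CERTIFICATE-----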
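--- a/echo-mysql/certs/openssl.cnf
+++ b/echo-mysql/certs/openssl.cnf
@@ -0,0 +1,19 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = mysql-server
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = mysql
+DNS.3 = mysql-container-ssl
+IP.1 = 127.0.0.1
+IP.2 = ::1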
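Review bot: `keyUsage` in `[v3_req]` omits `digitalSignature`, yet `custom.cnf` limits the server to ECDHE suites and TLS 1.3, where the server proves possession of its key by signing the handshake. A client that enforces key usage can reject the certificate for that reason. Suggest `keyUsage = digitalSignature, keyEncipherment`; `dataEncipherment` is not used by TLS and can be dropped.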
20 changes: 20 additions & 0 deletions echo-mysql/certs/server-cert.pem
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
27 changes: 27 additions & 0 deletions echo-mysql/certs/server-key.pem
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
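--- a/echo-mysql/custom.cnf
+++ b/echo-mysql/custom.cnf
@@ -0,0 +1,7 @@
+[mysqld]
+ssl_ca=/etc/mysql/certs/ca.pem
+ssl_cert=/etc/mysql/certs/server-cert.pem
+ssl_key=/etc/mysql/certs/server-key.pem
+require_secure_transport=ON
+ssl_cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
+tls_ciphersuites=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256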
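--- a/echo-mysql/docker-compose.yml
+++ b/echo-mysql/docker-compose.yml
@@ -0,0 +1,14 @@
+services:
+db-ssl:
+image: mysql:latest
+container_name: mysql-container
+restart: always
+environment:
+MYSQL_ROOT_PASSWORD: password
+MYSQL_DATABASE: uss
+ports:
+- "3306:3306"
+volumes:
+- ./certs:/etc/mysql/certs:ro
+- ./custom.cnf:/etc/mysql/conf.d/custom.cnf:ro
+user: "999:999"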
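Review bot: The `ports` entry `- "3306:3306"` publishes MySQL on every host interface while `MYSQL_ROOT_PASSWORD` is the literal `password`, so the root account is exposed beyond the local machine with a weak credential. For a local setup bind to loopback with `- "127.0.0.1:3306:3306"` and read the password from an untracked env file rather than the compose file. `image: mysql:latest` also makes the TLS behaviour depend on whichever version is pulled; pin a tag such as `mysql:<PINNED_VERSION>`. The `./certs` mount also hands the container `ca-key.pem`, which the settings in `custom.cnf` do not reference.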
9 changes: 5 additions & 4 deletions echo-mysql/go.mod
Expand Up @@ -3,16 +3,17 @@ module github.com/hermione/echo-mysql
go 1.22.4

require (
github.com/go-sql-driver/mysql v1.9.3
github.com/itchyny/base58-go v0.2.2
github.com/joho/godotenv v1.5.1
github.com/labstack/echo v3.3.10+incompatible
gorm.io/driver/mysql v1.5.7
gorm.io/gorm v1.25.11
gorm.io/driver/mysql v1.6.0
gorm.io/gorm v1.31.0
)

require (
filippo.io/edwards25519 v1.1.0 // indirect
github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
github.com/go-sql-driver/mysql v1.7.0 // indirect
github.com/jinzhu/inflection v1.0.0 // indirect
github.com/jinzhu/now v1.1.5 // indirect
github.com/labstack/gommon v0.4.2 // indirect
Expand All @@ -23,5 +24,5 @@ require (
golang.org/x/crypto v0.24.0 // indirect
golang.org/x/net v0.21.0 // indirect
golang.org/x/sys v0.21.0 // indirect
golang.org/x/text v0.16.0 // indirect
golang.org/x/text v0.20.0 // indirect
)
19 changes: 10 additions & 9 deletions echo-mysql/go.sum
@@ -1,9 +1,11 @@
filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
github.com/go-sql-driver/mysql v1.7.0 h1:ueSltNNllEqE3qcWBTD0iQd3IpL/6U+mJxLkazJ7YPc=
github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
github.com/itchyny/base58-go v0.2.2 h1:pswMT6rW2nRoELk5Mi8+xGLQPmDnlNnCwbfRCl2p7Mo=
github.com/itchyny/base58-go v0.2.2/go.mod h1:e7aEDHyQXm42jniwyoi+MaUeUdeWp58C5H20rTe52co=
github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
Expand Down Expand Up @@ -37,12 +39,11 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gorm.io/driver/mysql v1.5.7 h1:MndhOPYOfEp2rHKgkZIhJ16eVUIRf2HmzgoPmh7FCWo=
gorm.io/driver/mysql v1.5.7/go.mod h1:sEtPWMiqiN1N1cMXoXmBbd8C6/l+TESwriotuRRpkDM=
gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
gorm.io/gorm v1.25.11 h1:/Wfyg1B/je1hnDx3sMkX+gAlxrlZpn6X0BXRlwXlvHg=
gorm.io/gorm v1.25.11/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
gorm.io/driver/mysql v1.6.0 h1:eNbLmNTpPpTOVZi8MMxCi2aaIm0ZpInbORNXDwyLGvg=
gorm.io/driver/mysql v1.6.0/go.mod h1:D/oCC2GWK3M/dqoLxnOlaNKmXz8WNTfcS9y5ovaSqKo=
gorm.io/gorm v1.31.0 h1:0VlycGreVhK7RF/Bwt51Fk8v0xLiiiFdbGDPIZQ7mJY=
gorm.io/gorm v1.31.0/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
65 changes: 61 additions & 4 deletions echo-mysql/uss/store.go
@@ -1,11 +1,14 @@
package uss

import (
"crypto/tls"
"crypto/x509"
"fmt"
"log"
"os"
"time"

sql "github.com/go-sql-driver/mysql"
"gorm.io/driver/mysql"
"gorm.io/gorm"
"gorm.io/gorm/clause"
Expand All @@ -29,28 +32,82 @@ type Store struct {
db *gorm.DB
}

// Connect establishes a connection to the MySQL database and runs auto-migrations.
func registerTLSConfig(config map[string]string) error {
if sslMode, exists := config["MYSQL_SSL_MODE"]; exists && sslMode == "production" {
if caPath, exists := config["MYSQL_SSL_CA"]; exists && caPath != "" {
rootCertPool := x509.NewCertPool()
pem, err := os.ReadFile(caPath)
if err != nil {
return fmt.Errorf("failed to read CA file: %w", err)
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
return fmt.Errorf("failed to append CA certs")
}

tlsConfig := &tls.Config{
RootCAs: rootCertPool,
InsecureSkipVerify: true,
}

if err := sql.RegisterTLSConfig(sslMode, tlsConfig); err != nil {
return fmt.Errorf("failed to register TLS config '%s': %w", sslMode, err)
}
return nil
}
}
return nil
}

func (s *Store) Connect(config map[string]string) error {
// Open up our database connection.
if err := registerTLSConfig(config); err != nil {
return fmt.Errorf("failed to register TLS config: %w", err)
}

var err error
sslMode := config["MYSQL_SSL_MODE"]
if sslMode == "" {
sslMode = "false"
}
mysqlDSN := fmt.Sprintf(
"%s:%s@tcp(%s:%s)/%s?charset=utf8&parseTime=True&loc=Local&tls=False",
"%s:%s@tcp(%s:%s)/%s?charset=utf8&parseTime=True&loc=Local&tls=%s",
config["MYSQL_USER"],
config["MYSQL_PASSWORD"],
config["MYSQL_HOST"],
config["MYSQL_PORT"],
config["MYSQL_DBNAME"],
sslMode,
)
s.db, err = gorm.Open(mysql.New(mysql.Config{
DSN: mysqlDSN,
DefaultStringSize: 256,
}), &gorm.Config{})
if err != nil {
return err
return fmt.Errorf("failed to connect to database: %w", err)
}

// Only enforce SSL verification if the mode is set to 'production'
if config["MYSQL_SSL_MODE"] == "production" {
var sslStatus string
var variableName string
err := s.db.Raw("SHOW STATUS LIKE 'Ssl_cipher'").Row().Scan(&variableName, &sslStatus)
if err != nil {
s.Close()
return fmt.Errorf("failed to verify SSL connection: %w", err)
}
if sslStatus == "" {
s.Close()
// The error is now correctly tied to the configuration requirement
return fmt.Errorf("CRITICAL: SSL connection required (MYSQL_SSL_MODE=production) but connection is UNENCRYPTED")
}
log.Printf("✅ SSL connection established with cipher: %s", sslStatus)
} else {
// For any other mode (like 'false'), just log a warning and continue
log.Printf("⚠️ SSL not required by config. Proceeding with a potentially unencrypted database connection.")
}

sqlDB, err := s.db.DB()
if err != nil {
s.Close()
return err
}

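Review bot: `InsecureSkipVerify: true` in `registerTLSConfig` turns off certificate-chain and hostname verification, so the pool built from `MYSQL_SSL_CA` is never consulted and any server certificate is accepted. The later `SHOW STATUS LIKE 'Ssl_cipher'` check in `Connect` confirms only that the session is encrypted, not which server is on the other end. Drop the field and set a protocol floor, e.g. `tlsConfig := &tls.Config{RootCAs: rootCertPool, MinVersion: tls.VersionTLS12}`. The driver is expected to fill `ServerName` from the DSN host, and the SANs in `openssl.cnf` cover `localhost` and `127.0.0.1`, so verification against `MYSQL_HOST=localhost` should pass. `Connect` continues past the end of the visible section.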
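--- a/mtls-app/Dockerfile
+++ b/mtls-app/Dockerfile
@@ -0,0 +1,22 @@
+FROM golang:1.22-alpine AS builder
+
+WORKDIR /src
+
+COPY go.mod ./
+COPY cmd ./cmd
+
+RUN go build -o /out/mtls-server ./cmd/server && \
+go build -o /out/mtls-client ./cmd/client
+
+FROM alpine:3.20
+
+RUN apk add --no-cache ca-certificates
+
+WORKDIR /app
+
+COPY --from=builder /out/mtls-server /usr/local/bin/mtls-server
+COPY --from=builder /out/mtls-client /usr/local/bin/mtls-client
+
+ENV APP_BIN=mtls-server
+
+ENTRYPOINT ["/bin/sh", "-c", "exec /usr/local/bin/${APP_BIN}"]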
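Review bot: The final stage has no `USER` instruction, so `mtls-server` and `mtls-client` run as root inside the container. Add an unprivileged account before the entrypoint, e.g. `RUN adduser -D -u 10001 app` followed by `USER app`. The entrypoint also expands `${APP_BIN}` through `sh -c`, so the binary that starts is whatever the environment names. If only the two built binaries are intended, a separate build target per binary with an exec-form `ENTRYPOINT ["/usr/local/bin/mtls-server"]` removes the shell indirection.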
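--- a/mtls-app/Dockerfile.certs
+++ b/mtls-app/Dockerfile.certs
@@ -0,0 +1,11 @@
+FROM alpine:3.20
+
+RUN apk add --no-cache openssl
+
+WORKDIR /work
+
+COPY certs/generate-certs.sh /usr/local/bin/generate-certs.sh
+
+RUN chmod +x /usr/local/bin/generate-certs.sh
+
+ENTRYPOINT ["/usr/local/bin/generate-certs.sh"]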