Add SSL/TLS configuration support for PostgreSQL and MySQL connections

This commit adds comprehensive SSL/TLS configuration capabilities for
PostgreSQL and MySQL database connections in ClickHouse, along with a
security fix for the MariaDB connector.

Changes:

1. MariaDB Connector/C Security Fix:
   - Updated submodule to aiven/mariadb-connector-c fork
   - Fixed X509_check_host call to include hostname length parameter
   - Prevents potential certificate validation bypass vulnerabilities

2. PostgreSQL SSL Configuration:
   - Added SSLMode enum (DISABLE, ALLOW, PREFER, REQUIRE, VERIFY_CA, VERIFY_FULL)
   - Added server settings:
     * postgresql_connection_pool_ssl_mode (default: PREFER)
     * postgresql_connection_pool_ssl_root_cert (default: empty)
   - Updated PoolWithFailover to accept SSL mode and CA certificate path
   - Modified formatConnectionString to include sslmode and sslrootcert parameters
   - Integrated SSL settings across all PostgreSQL integration points:
     * DatabasePostgreSQL
     * DatabaseMaterializedPostgreSQL
     * StoragePostgreSQL
     * StorageMaterializedPostgreSQL
     * TableFunctionPostgreSQL
     * PostgreSQLDictionarySource

3. MySQL SSL Configuration:
   - Added MySQLSSLMode enum (DISABLE, PREFER, VERIFY_FULL)
   - Updated Connection, Pool, and PoolWithFailover classes to accept SSL mode
   - Added ssl_mode and ssl_root_cert to StorageMySQL::Configuration
   - Enhanced MySQL dictionary source to support ssl_mode in named collections
   - Integrated SSL settings in MySQLHelpers and StorageMySQL

Security Benefits:
- Enables encrypted connections to prevent data interception
- Supports certificate validation to prevent man-in-the-middle attacks
- Provides flexible SSL mode selection for different security requirements
- Fixes critical certificate hostname validation bug in MariaDB connector

The changes maintain backward compatibility with default SSL mode set to
PREFER, which attempts SSL but falls back gracefully if unavailable.

Co-authored-by: Joe Lynch <joe.lynch@aiven.io>

Author: tilman-aiven

.gitmodules

@@ -30,7 +30,8 @@
 	url = https://github.com/google/re2
 [submodule "contrib/mariadb-connector-c"]
 	path = contrib/mariadb-connector-c
-	url = https://github.com/ClickHouse/mariadb-connector-c
+	url = https://github.com/aiven/mariadb-connector-c
+	branch = aiven/clickhouse-v25.8.12.129
 [submodule "contrib/jemalloc"]
 	path = contrib/jemalloc
 	url = https://github.com/jemalloc/jemalloc

contrib/mariadb-connector-c

@@ -4,6 +4,7 @@
 #include <mysql/mysql.h>
 #endif
 
+#include <Core/SettingsEnums.h>
 #include <mysqlxx/Connection.h>
 #include <mysqlxx/Exception.h>
 
@@ -49,13 +50,14 @@ Connection::Connection(
     const char* ssl_ca,
     const char* ssl_cert,
     const char* ssl_key,
+    DB::MySQLSSLMode ssl_mode,
     unsigned timeout,
     unsigned rw_timeout,
     bool enable_local_infile,
     bool opt_reconnect)
     : Connection()
 {
-    connect(db, server, user, password, port, socket, ssl_ca, ssl_cert, ssl_key, timeout, rw_timeout, enable_local_infile, opt_reconnect);
+    connect(db, server, user, password, port, socket, ssl_ca, ssl_cert, ssl_key, ssl_mode, timeout, rw_timeout, enable_local_infile, opt_reconnect);
 }
 
 Connection::Connection(const std::string & config_name)
@@ -79,6 +81,7 @@ void Connection::connect(const char* db,
     const char * ssl_ca,
     const char * ssl_cert,
     const char * ssl_key,
+    DB::MySQLSSLMode ssl_mode,
     unsigned timeout,
     unsigned rw_timeout,
     bool enable_local_infile,
@@ -111,8 +114,15 @@ void Connection::connect(const char* db,
         throw ConnectionFailed(errorMessage(driver.get()), mysql_errno(driver.get()));
 
     /// Specifies particular ssl key and certificate if it needs
-    if (mysql_ssl_set(driver.get(), ifNotEmpty(ssl_key), ifNotEmpty(ssl_cert), ifNotEmpty(ssl_ca), nullptr, nullptr))
-        throw ConnectionFailed(errorMessage(driver.get()), mysql_errno(driver.get()));
+    if (ssl_mode != DB::MySQLSSLMode::DISABLE) {
+        if (mysql_ssl_set(driver.get(), ifNotEmpty(ssl_key), ifNotEmpty(ssl_cert), ifNotEmpty(ssl_ca), nullptr, nullptr))
+            throw ConnectionFailed(errorMessage(driver.get()), mysql_errno(driver.get()));
+    }
+    if (ssl_mode == DB::MySQLSSLMode::VERIFY_FULL) {
+        static const char enable = 1;
+        if (mysql_options(driver.get(), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &enable))
+            throw ConnectionFailed(errorMessage(driver.get()), mysql_errno(driver.get()));
+    }
 
     if (!mysql_real_connect(driver.get(), server, user, password, db, port, ifNotEmpty(socket), driver->client_flag))
         throw ConnectionFailed(errorMessage(driver.get()), mysql_errno(driver.get()));

src/Common/mysqlxx/Connection.cpp

@@ -135,6 +135,7 @@ Pool::Pool(
      const std::string & ssl_ca_,
      const std::string & ssl_cert_,
      const std::string & ssl_key_,
+     DB::MySQLSSLMode ssl_mode_,
      const std::string & socket_,
      unsigned connect_timeout_,
      unsigned rw_timeout_,
@@ -155,6 +156,7 @@ Pool::Pool(
     , ssl_ca(ssl_ca_)
     , ssl_cert(ssl_cert_)
     , ssl_key(ssl_key_)
+    , ssl_mode(ssl_mode_)
     , enable_local_infile(enable_local_infile_)
     , opt_reconnect(opt_reconnect_)
 {
@@ -311,6 +313,7 @@ void Pool::Entry::forceConnected() const
                 pool->ssl_ca.c_str(),
                 pool->ssl_cert.c_str(),
                 pool->ssl_key.c_str(),
+                pool->ssl_mode,
                 pool->connect_timeout,
                 pool->rw_timeout,
                 pool->enable_local_infile,
@@ -387,6 +390,7 @@ Pool::Connection * Pool::allocConnection(bool dont_throw_if_failed_first_time)
             ssl_ca.c_str(),
             ssl_cert.c_str(),
             ssl_key.c_str(),
+            ssl_mode,
             connect_timeout,
             rw_timeout,
             enable_local_infile,

src/Common/mysqlxx/Pool.cpp

@@ -7,6 +7,7 @@
 #include <pcg_random.hpp>
 #include <mysqlxx/PoolWithFailover.h>
 #include <Common/randomSeed.h>
+#include <Core/SettingsEnums.h>
 #include <IO/WriteBufferFromString.h>
 #include <IO/Operators.h>
 
@@ -124,6 +125,7 @@ PoolWithFailover::PoolWithFailover(
         const std::string & ssl_ca,
         const std::string & ssl_cert,
         const std::string & ssl_key,
+        DB::MySQLSSLMode ssl_mode,
         unsigned default_connections_,
         unsigned max_connections_,
         size_t max_tries_,
@@ -140,7 +142,7 @@ PoolWithFailover::PoolWithFailover(
     for (const auto & [host, port] : addresses)
     {
         replicas_by_priority[0].emplace_back(std::make_shared<Pool>(database,
-            host, user, password, port, ssl_ca, ssl_cert, ssl_key,
+            host, user, password, port, ssl_ca, ssl_cert, ssl_key, ssl_mode,
             /* socket_ = */ "",
             connect_timeout_,
             rw_timeout_,

src/Common/mysqlxx/PoolWithFailover.cpp

@@ -5,6 +5,7 @@
 
 #include <Poco/Util/Application.h>
 
+#include <Core/SettingsEnums.h>
 
 #include <mysqlxx/Query.h>
 #include <mysqlxx/Exception.h>
@@ -78,6 +79,7 @@ class Connection final : private boost::noncopyable
         const char * ssl_ca = "",
         const char * ssl_cert = "",
         const char * ssl_key = "",
+        DB::MySQLSSLMode ssl_mode = DB::MySQLSSLMode::PREFER,
         unsigned timeout = MYSQLXX_DEFAULT_TIMEOUT,
         unsigned rw_timeout = MYSQLXX_DEFAULT_RW_TIMEOUT,
         bool enable_local_infile = MYSQLXX_DEFAULT_ENABLE_LOCAL_INFILE,
@@ -99,6 +101,7 @@ class Connection final : private boost::noncopyable
         const char* ssl_ca,
         const char* ssl_cert,
         const char* ssl_key,
+        DB::MySQLSSLMode ssl_mode = DB::MySQLSSLMode::PREFER,
         unsigned timeout = MYSQLXX_DEFAULT_TIMEOUT,
         unsigned rw_timeout = MYSQLXX_DEFAULT_RW_TIMEOUT,
         bool enable_local_infile = MYSQLXX_DEFAULT_ENABLE_LOCAL_INFILE,
@@ -140,6 +143,7 @@ class Connection final : private boost::noncopyable
                 ssl_ca.c_str(),
                 ssl_cert.c_str(),
                 ssl_key.c_str(),
+                DB::MySQLSSLMode::PREFER,
                 timeout,
                 rw_timeout,
                 enable_local_infile,

src/Common/mysqlxx/mysqlxx/Connection.h

@@ -10,6 +10,7 @@
 #include <Poco/Exception.h>
 #include <Poco/Logger.h>
 
+#include <Core/SettingsEnums.h>
 #include <mysqlxx/Connection.h>
 
 
@@ -158,6 +159,7 @@ class Pool final
          const std::string & ssl_ca_ = "",
          const std::string & ssl_cert_ = "",
          const std::string & ssl_key_ = "",
+         DB::MySQLSSLMode ssl_mode_ = DB::MySQLSSLMode::PREFER,
          const std::string & socket_ = "",
          unsigned connect_timeout_ = MYSQLXX_DEFAULT_TIMEOUT,
          unsigned rw_timeout_ = MYSQLXX_DEFAULT_RW_TIMEOUT,
@@ -173,7 +175,7 @@ class Pool final
           user{other.user}, password{other.password},
           port{other.port}, socket{other.socket},
           connect_timeout{other.connect_timeout}, rw_timeout{other.rw_timeout},
-          ssl_ca(other.ssl_ca), ssl_cert(other.ssl_cert), ssl_key(other.ssl_key),
+          ssl_ca(other.ssl_ca), ssl_cert(other.ssl_cert), ssl_key(other.ssl_key), ssl_mode{other.ssl_mode},
           enable_local_infile{other.enable_local_infile}, opt_reconnect(other.opt_reconnect)
     {}
 
@@ -235,6 +237,7 @@ class Pool final
     std::string ssl_ca;
     std::string ssl_cert;
     std::string ssl_key;
+    DB::MySQLSSLMode ssl_mode;
     bool enable_local_infile;
     bool opt_reconnect;
 

src/Common/mysqlxx/mysqlxx/Pool.h

@@ -1,5 +1,6 @@
 #pragma once
 
+#include <Core/SettingsEnums.h>
 #include <mysqlxx/Pool.h>
 
 
@@ -126,6 +127,7 @@ namespace mysqlxx
             const std::string & ssl_ca,
             const std::string & ssl_cert,
             const std::string & ssl_key,
+            DB::MySQLSSLMode ssl_mode,
             unsigned default_connections_ = MYSQLXX_POOL_WITH_FAILOVER_DEFAULT_START_CONNECTIONS,
             unsigned max_connections_ = MYSQLXX_POOL_WITH_FAILOVER_DEFAULT_MAX_CONNECTIONS,
             size_t max_tries_ = MYSQLXX_POOL_WITH_FAILOVER_DEFAULT_MAX_TRIES,

src/Common/mysqlxx/mysqlxx/PoolWithFailover.h

@@ -21,6 +21,24 @@ namespace ErrorCodes
 }
 }
 
+static std::pair<DB::SSLMode, String>
+get_ssl_context(const DB::StoragePostgreSQL::Configuration & configuration, const DB::SSLMode & ssl_mode_, const String & ssl_root_cert_)
+{
+    DB::SSLMode ssl_mode;
+    String ssl_root_cert;
+    if (configuration.ssl_mode)
+    {
+        ssl_mode = configuration.ssl_mode.value();
+        ssl_root_cert = configuration.ssl_root_cert;
+    }
+    else
+    {
+        ssl_mode = ssl_mode_;
+        ssl_root_cert = ssl_root_cert_;
+    }
+    return {ssl_mode, ssl_root_cert};
+}
+
 namespace postgres
 {
 
@@ -89,6 +107,8 @@ PoolWithFailover::PoolWithFailover(
     size_t max_tries_,
     bool auto_close_connection_,
     size_t connection_attempt_timeout_,
+    const SSLMode & ssl_mode_,
+    const String & ssl_root_cert_,
     bool bg_reconnect_)
     : pool_wait_timeout(pool_wait_timeout_)
     , max_tries(max_tries_)
@@ -102,13 +122,16 @@ PoolWithFailover::PoolWithFailover(
     {
         for (const auto & replica_configuration : configurations)
         {
+            const auto& [ssl_mode, ssl_root_cert] = get_ssl_context(replica_configuration, ssl_mode_, ssl_root_cert_);
             auto connection_info = formatConnectionString(
                 replica_configuration.database,
                 replica_configuration.host,
                 replica_configuration.port,
                 replica_configuration.username,
                 replica_configuration.password,
-                connection_attempt_timeout_);
+                connection_attempt_timeout_,
+                ssl_mode,
+                ssl_root_cert);
             replicas_with_priority[priority].emplace_back(std::make_shared<PoolHolder>(connection_info, pool_size));
             if (bg_reconnect)
                 DB::ReplicasReconnector::instance().add(connectionReestablisher(std::weak_ptr(replicas_with_priority[priority].back()), pool_wait_timeout));
@@ -123,6 +146,8 @@ PoolWithFailover::PoolWithFailover(
     size_t max_tries_,
     bool auto_close_connection_,
     size_t connection_attempt_timeout_,
+    const SSLMode & ssl_mode_,
+    const String & ssl_root_cert_,
     bool bg_reconnect_)
     : pool_wait_timeout(pool_wait_timeout_)
     , max_tries(max_tries_)
@@ -136,13 +161,16 @@ PoolWithFailover::PoolWithFailover(
     for (const auto & [host, port] : configuration.addresses)
     {
         LOG_DEBUG(getLogger("PostgreSQLPoolWithFailover"), "Adding address host: {}, port: {} to connection pool", host, port);
+        const auto& [ssl_mode, ssl_root_cert] = get_ssl_context(configuration, ssl_mode_, ssl_root_cert_);
         auto connection_string = formatConnectionString(
             configuration.database,
             host,
             port,
             configuration.username,
             configuration.password,
-            connection_attempt_timeout_);
+            connection_attempt_timeout_,
+            ssl_mode,
+            ssl_root_cert);
         replicas_with_priority[0].emplace_back(std::make_shared<PoolHolder>(connection_string, pool_size));
         if (bg_reconnect)
             DB::ReplicasReconnector::instance().add(connectionReestablisher(std::weak_ptr(replicas_with_priority[0].back()), pool_wait_timeout));

src/Core/PostgreSQL/PoolWithFailover.cpp

@@ -8,15 +8,20 @@
 
 #include <Core/PostgreSQL/ConnectionHolder.h>
 #include <mutex>
+#include <Core/SettingsEnums.h>
 #include <Poco/Util/AbstractConfiguration.h>
 #include <Storages/StoragePostgreSQL.h>
 
 
 static constexpr inline auto POSTGRESQL_POOL_DEFAULT_SIZE = 16;
 static constexpr inline auto POSTGRESQL_POOL_WAIT_TIMEOUT = 5000;
+static constexpr inline auto POSTGRESQL_POOL_DEFAULT_CONNECT_TIMEOUT_SEC = 10;
+static constexpr inline auto POSTGRESQL_POOL_DEFAULT_SSL_MODE = DB::SSLMode::PREFER;
+static constexpr inline auto POSTGRESQL_POOL_DEFAULT_SSL_ROOT_CERT = "";
 
 namespace postgres
 {
+  using SSLMode = DB::SSLMode;
 
 class PoolWithFailover
 {
@@ -31,6 +36,8 @@ class PoolWithFailover
         size_t max_tries_,
         bool auto_close_connection_,
         size_t connection_attempt_timeout_,
+        const SSLMode & ssl_mode_,
+        const String & ssl_root_cert_,
         bool bg_reconnect_ = false);
 
     explicit PoolWithFailover(
@@ -40,6 +47,8 @@ class PoolWithFailover
         size_t max_tries_,
         bool auto_close_connection_,
         size_t connection_attempt_timeout_,
+        const SSLMode & ssl_mode_,
+        const String & ssl_root_cert_,
         bool bg_reconnect_ = false);
 
     PoolWithFailover(const PoolWithFailover & other) = delete;