[Koha] TLS MySQL Connection Without Mutual Authentication

[Schetnan, Richard Reed]

Hello,

We've successfully connected our Koha site (version 22.11.12.000) to an Azure Database for MySQL flexible server without TLS encryption, but we've been unable to connect to the Azure MySQL database with TLS encryption enabled and required.  The reason for this appears to be that Koha seems to require mutual TLS, which is not supported by the Azure MySQL database. According to the Microsoft documentation (https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-connect-tls-ssl), TLS clients use a public SSL CA certificate to allow for encrypted communication, and clients are authenticated at the server by usernames and passwords. This all works great from the MySQL command line interface. But in Koha, the koha-conf.xml configuration file calls for a CA certificate and also for client and client key certificates for client authentication with mutual TLS.  This works for a local MySQL database but not for a remote Azure MySQL database because the Azure MySQL database does not provide a way to configure the CA certificate, server public key certificate, and server private key, which must be configured correctly for mutual TLS to work .

Is there a way to connect to a remote MySQL database with TLS through the use of a CA certificate for encryption and username and password for authentication and without mutual TLS (that is, without the use of certificates and keys for authentication)? If not, can we put in a bug fix to enable and allow that functionality?

Thanks!

Richard