From f815a9cf2ab40921b1936b2ae76f21c89e793f7c Mon Sep 17 00:00:00 2001
From: Michal Kleiner <mk@011.nz>
Date: Sun, 21 May 2023 20:12:52 +1200
Subject: [PATCH 1/2] FIX Provide correct replacement suggestion in deprecation
 message

---
 src/Core/Config/Configurable.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Config/Configurable.php b/src/Core/Config/Configurable.php
index 6cc007bdb..8d96ef846 100644
--- a/src/Core/Config/Configurable.php
+++ b/src/Core/Config/Configurable.php
@@ -31,7 +31,7 @@ trait Configurable
      */
     public function stat($name)
     {
-        Deprecation::notice('5.0', 'Use ->get');
+        Deprecation::notice('5.0', 'Use ->config()->get()');
         return $this->config()->get($name);
     }
 

From c4b8d9a246c270c9bf1c4cd95a2bbbbfef79b4fa Mon Sep 17 00:00:00 2001
From: Guy Sartorelli <36352093+GuySartorelli@users.noreply.github.com>
Date: Mon, 22 May 2023 12:40:59 +1200
Subject: [PATCH 2/2] FIX Add back missing SSL support for database connections
 (#10784)

---
 src/Core/CoreKernel.php                       | 24 +++++++++++++++++++
 .../MySQLDatabaseConfigurationHelper.php      | 14 +++++------
 src/ORM/Connect/MySQLiConnector.php           | 15 ++++++------
 3 files changed, 39 insertions(+), 14 deletions(-)

diff --git a/src/Core/CoreKernel.php b/src/Core/CoreKernel.php
index c16d75999..98889d915 100644
--- a/src/Core/CoreKernel.php
+++ b/src/Core/CoreKernel.php
@@ -6,6 +6,7 @@ use SilverStripe\Control\HTTPResponse_Exception;
 use SilverStripe\Dev\Install\DatabaseAdapterRegistry;
 use SilverStripe\ORM\DB;
 use Exception;
+use LogicException;
 
 /**
  * Simple Kernel container
@@ -116,6 +117,29 @@ class CoreKernel extends BaseKernel
             "password" => Environment::getEnv('SS_DATABASE_PASSWORD') ?: null,
         ];
 
+        // Only add SSL keys in the array if there is an actual value associated with them
+        $sslConf = [
+            'ssl_key' => 'SS_DATABASE_SSL_KEY',
+            'ssl_cert' => 'SS_DATABASE_SSL_CERT',
+            'ssl_ca' => 'SS_DATABASE_SSL_CA',
+            'ssl_cipher' => 'SS_DATABASE_SSL_CIPHER',
+        ];
+        foreach ($sslConf as $key => $envVar) {
+            $envValue = Environment::getEnv($envVar);
+            if ($envValue) {
+                $databaseConfig[$key] = $envValue;
+            }
+        }
+
+        // Having only the key or cert without the other is bad configuration.
+        if ((isset($databaseConfig['ssl_key']) && !isset($databaseConfig['ssl_cert']))
+            || (!isset($databaseConfig['ssl_key']) && isset($databaseConfig['ssl_cert']))
+        ) {
+            user_error('Database SSL cert and key must both be defined to use SSL in the database.', E_USER_WARNING);
+            unset($databaseConfig['ssl_key']);
+            unset($databaseConfig['ssl_cert']);
+        }
+
         // Set the port if called for
         $dbPort = Environment::getEnv('SS_DATABASE_PORT');
         if ($dbPort) {
diff --git a/src/Dev/Install/MySQLDatabaseConfigurationHelper.php b/src/Dev/Install/MySQLDatabaseConfigurationHelper.php
index 22552a9b5..16995a2b8 100644
--- a/src/Dev/Install/MySQLDatabaseConfigurationHelper.php
+++ b/src/Dev/Install/MySQLDatabaseConfigurationHelper.php
@@ -35,15 +35,15 @@ class MySQLDatabaseConfigurationHelper implements DatabaseConfigurationHelper
                 case 'MySQLDatabase':
                     $conn = mysqli_init();
 
-                    // Set SSL parameters if they exist. All parameters are required.
-                    if (array_key_exists('ssl_key', $databaseConfig) &&
-                        array_key_exists('ssl_cert', $databaseConfig) &&
-                        array_key_exists('ssl_ca', $databaseConfig)
+                    // Set SSL parameters if they exist.
+                    // Must have both the SSL cert and key, or the common authority, or preferably all three.
+                    if ((array_key_exists('ssl_key', $databaseConfig) && array_key_exists('ssl_cert', $databaseConfig))
+                        || array_key_exists('ssl_ca', $databaseConfig)
                     ) {
                         $conn->ssl_set(
-                            $databaseConfig['ssl_key'],
-                            $databaseConfig['ssl_cert'],
-                            $databaseConfig['ssl_ca'],
+                            $databaseConfig['ssl_key'] ?? null,
+                            $databaseConfig['ssl_cert'] ?? null,
+                            $databaseConfig['ssl_ca'] ?? null,
                             dirname($databaseConfig['ssl_ca']),
                             array_key_exists('ssl_cipher', $databaseConfig)
                                 ? $databaseConfig['ssl_cipher']
diff --git a/src/ORM/Connect/MySQLiConnector.php b/src/ORM/Connect/MySQLiConnector.php
index b4ab7b697..20a45d97c 100644
--- a/src/ORM/Connect/MySQLiConnector.php
+++ b/src/ORM/Connect/MySQLiConnector.php
@@ -96,14 +96,15 @@ class MySQLiConnector extends DBConnector
             );
         }
 
-        // Set SSL parameters if they exist. All parameters are required.
-        if (array_key_exists('ssl_key', $parameters ?? []) &&
-            array_key_exists('ssl_cert', $parameters ?? []) &&
-            array_key_exists('ssl_ca', $parameters ?? [])) {
+        // Set SSL parameters if they exist.
+        // Must have both the SSL cert and key, or the common authority, or preferably all three.
+        if ((array_key_exists('ssl_key', $parameters ?? []) && array_key_exists('ssl_cert', $parameters ?? []))
+            || array_key_exists('ssl_ca', $parameters ?? [])
+        ) {
             $this->dbConn->ssl_set(
-                $parameters['ssl_key'],
-                $parameters['ssl_cert'],
-                $parameters['ssl_ca'],
+                $parameters['ssl_key'] ?? null,
+                $parameters['ssl_cert'] ?? null,
+                $parameters['ssl_ca'] ?? null,
                 dirname($parameters['ssl_ca'] ?? ''),
                 array_key_exists('ssl_cipher', $parameters ?? [])
                     ? $parameters['ssl_cipher']