--- lbbs/src/database.c 2025/11/04 13:49:51 1.18 +++ lbbs/src/database.c 2025/11/26 14:38:27 1.26 @@ -3,26 +3,41 @@ * database * - configuration and function of DB connection * - * Copyright (C) 2004-2025 by Leaflet + * Copyright (C) 2004-2025 Leaflet */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "common.h" #include "database.h" #include "log.h" +#include +#include +#include #include -#include +#include +#include // Global declaration for database -char DB_host[256]; -char DB_username[50]; -char DB_password[50]; -char DB_database[50]; -char DB_timezone[50]; +char DB_ca_cert[FILE_PATH_LEN] = "conf/ca_cert.pem"; +char DB_host[DB_host_max_len + 1]; +char DB_username[DB_username_max_len + 1]; +char DB_password[DB_password_max_len + 1]; +char DB_database[DB_database_max_len + 1]; +char DB_timezone[DB_timezone_max_len + 1]; MYSQL *db_open() { MYSQL *db = NULL; +#ifdef HAVE_MARIADB_CLIENT + my_bool verify_server_cert = 0; +#else + unsigned int ssl_mode = SSL_MODE_PREFERRED; +#endif char sql[SQL_BUFFER_LEN]; + int fd; db = mysql_init(NULL); if (db == NULL) @@ -31,6 +46,42 @@ MYSQL *db_open() return NULL; } + fd = open(DB_ca_cert, O_RDONLY); + if (fd == -1) + { + if (errno != ENOENT) + { + log_error("open(%s) error: %d\n", DB_ca_cert, errno); + } + } + else + { + close(fd); +#ifndef HAVE_MARIADB_CLIENT + ssl_mode = SSL_MODE_VERIFY_CA; +#endif + } + + if (mysql_ssl_set(db, NULL, NULL, DB_ca_cert, NULL, NULL) != 0) + { + log_error("mysql_ssl_set() error\n"); + return NULL; + } + +#ifdef HAVE_MARIADB_CLIENT + if (mysql_optionsv(db, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify_server_cert) != 0) + { + log_error("mysql_optionsv() error\n"); + return NULL; + } +#else + if (mysql_options(db, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) + { + log_error("mysql_options() error\n"); + return NULL; + } +#endif + if (mysql_real_connect(db, DB_host, DB_username, DB_password, DB_database, 0, NULL, 0) == NULL) {
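Review bot: On HAVE_MARIADB_CLIENT builds the server certificate is never verified. `my_bool verify_server_cert = 0;` is declared in this hunk, and the second hunk (`@@ -31,6 +46,42 @@`) passes it unchanged to `mysql_optionsv(db, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify_server_cert)`, because the branch taken when the CA file opens only raises `ssl_mode` under `#ifndef HAVE_MARIADB_CLIENT`. With verification off, the CA file handed to mysql_ssl_set() does not authenticate the server, so the TLS session gives no protection against an impostor on the network path. I would add an `#else` arm with `verify_server_cert = 1;` to that branch so both client libraries tighten the policy when the CA file is present. db_open() continues past both hunks, so any later handling is not visible here.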
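Review bot: The three new `return NULL;` paths after mysql_ssl_set(), mysql_optionsv() and mysql_options() leave the handle from mysql_init() allocated; each should call `mysql_close(db);` before returning. Separately, when `open(DB_ca_cert, O_RDONLY)` fails the code continues with `SSL_MODE_PREFERRED`, which permits an unencrypted connection. The ENOENT case is not logged at all, so a missing CA file weakens the connection without any trace. A log line for the ENOENT case, or a configuration switch that makes the CA file mandatory, would make the downgrade visible to operators. The body of db_open() continues outside the hunk, so whether the existing failure paths close the handle cannot be checked from here.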