--- lbbs/src/database.c	2025/11/16 11:06:06	1.22
+++ lbbs/src/database.c	2025/11/27 11:24:46	1.27
@@ -13,10 +13,15 @@
 #include "common.h"
 #include "database.h"
 #include "log.h"
-#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
 #include <mysql.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/stat.h>
 
 // Global declaration for database
+char DB_ca_cert[FILE_PATH_LEN] = "conf/ca_cert.pem";
 char DB_host[DB_host_max_len + 1];
 char DB_username[DB_username_max_len + 1];
 char DB_password[DB_password_max_len + 1];
@@ -26,7 +31,14 @@ char DB_timezone[DB_timezone_max_len + 1
 MYSQL *db_open()
 {
 	MYSQL *db = NULL;
+#ifdef HAVE_MARIADB_CLIENT
+	my_bool verify_server_cert = 0;
+#else
+	unsigned int ssl_mode = SSL_MODE_PREFERRED;
+#endif
 	char sql[SQL_BUFFER_LEN];
+	int fd;
+	int have_ca_cert = 0;
 
 	db = mysql_init(NULL);
 	if (db == NULL)
@@ -35,6 +47,43 @@ MYSQL *db_open()
 		return NULL;
 	}
 
+	fd = open(DB_ca_cert, O_RDONLY);
+	if (fd == -1)
+	{
+		if (errno != ENOENT)
+		{
+			log_error("open(%s) error: %d\n", DB_ca_cert, errno);
+		}
+	}
+	else
+	{
+		close(fd);
+		have_ca_cert = 1;
+#ifndef HAVE_MARIADB_CLIENT
+		ssl_mode = SSL_MODE_VERIFY_CA;
+#endif
+	}
+
+	if (mysql_ssl_set(db, NULL, NULL, (have_ca_cert ? DB_ca_cert : NULL), NULL, NULL) != 0)
+	{
+		log_error("mysql_ssl_set() error\n");
+		return NULL;
+	}
+
+#ifdef HAVE_MARIADB_CLIENT
+	if (mysql_optionsv(db, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify_server_cert) != 0)
+	{
+		log_error("mysql_optionsv() error\n");
+		return NULL;
+	}
+#else
+	if (mysql_options(db, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0)
+	{
+		log_error("mysql_options() error\n");
+		return NULL;
+	}
+#endif
+
 	if (mysql_real_connect(db, DB_host, DB_username, DB_password, DB_database,
 						   0, NULL, 0) == NULL)
 	{