diff --git a/.github/workflows/ssl-db.yml b/.github/workflows/ssl-db.yml
new file mode 100644
index 0000000000..d02233c08b
--- /dev/null
+++ b/.github/workflows/ssl-db.yml
@@ -0,0 +1,68 @@
+name: database-connection-via-ssl
+
+on:
+ push:
+ branches: master
+ pull_request:
+
+jobs:
+ mariadb:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python-version: [3.8]
+
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v4
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Generate DB certificates
+ run: |
+ # docker run -v $(pwd)/tests/db-certs/:/Kiwi/db-certs/:Z --rm -i kiwitcms/kiwi \
+ # /usr/bin/sscg \
+ # -v -f \
+ # --country BG --locality Sofia \
+ # --organization "Kiwi TCMS" \
+ # --organizational-unit "DevOps" \
+ # --ca-file /Kiwi/db-certs/ca.crt \
+ # --ca-key-file /Kiwi/db-certs/ca.key \
+ # --cert-file /Kiwi/db-certs/server.crt \
+ # --cert-key-file /Kiwi/db-certs/server.key
+ # re-enable & add client cert when https://github.com/sgallagher/sscg/issues/3 is fixed
+ pushd ./tests/ && ./gen-db-certs.sh && popd
+
+ - name: Create database
+ run: |
+ docker-compose -f docker-compose.mariadb-ssl pull db
+ docker-compose -f docker-compose.mariadb-ssl run -d -p 3306:3306 --name kiwi_db db
+ sleep 20 # wait to initialize
+
+ set -e
+ docker exec -i kiwi_db mariadb -u root -pkiwi-1s-aw3s0m3 \
+ --ssl-ca=/etc/certs/ca.pem \
+ --ssl-cert=/etc/certs/client-cert.pem \
+ --ssl-key=/etc/certs/client-key.pem -e 'status' | grep "Cipher in use is"
+
+ - name: Initialize DB tables & records
+ run: |
+ sudo apt-get update
+ sudo apt-get install gettext
+
+ sudo mkdir /Kiwi
+ sudo chmod a+w /Kiwi
+
+ pip install -r requirements/devel.txt
+ pip install -r requirements/mariadb.txt
+ pushd tcms/ && npm install && popd
+
+ export LANG=bg-bg
+ set -e
+ coverage run --source='.' ./manage.py migrate -v2 --noinput --settings tcms.settings.test.mariadb
+
+ - name: Send coverage to codecov.io
+ run: |
+ coverage report -m
+ bash <(curl -s https://codecov.io/bash)
diff --git a/.gitignore b/.gitignore
index 4bb4c37d48..ec886d5579 100644
--- a/.gitignore
+++ b/.gitignore
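Review bot: The last step, `bash <(curl -s https://codecov.io/bash)`, fetches and executes an unpinned remote script on every push and pull request with no integrity check, so the job's trust boundary is whatever that URL serves at run time; the maintained `codecov/codecov-action` pinned to a release tag (or commit SHA) gives the same upload without executing arbitrary downloaded shell. The TLS assertion in the `Create database` step is also narrower than the job name suggests: it runs the root client inside the container via `docker exec` with `--ssl-ca`, while the connection that actually matters, `manage.py migrate` from the runner using `tcms.settings.test.mariadb` (outside this diff), is never checked for TLS or certificate validation, so a Django `OPTIONS` block that merely satisfies `--require-secure-transport=ON` would still pass. Consider adding, after `migrate`, a query of `SHOW STATUS LIKE 'Ssl_cipher'` through the Django connection so the runner-side path is exercised. Finally, `sleep 20 # wait to initialize` is a fixed guess; looping on the same `docker exec ... -e 'status'` command with a bounded retry count fails faster when the container never comes up and is less flaky when it is slow.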
@@ -16,4 +16,5 @@ docs/target/
 .vscode/
 .cache/
 tcms/node_modules/
+tests/db-certs/*.pem
 package-lock.json
diff --git a/check-ssl.py b/check-ssl.py
new file mode 100755
index 0000000000..5b2608fc03
--- /dev/null
+++ b/check-ssl.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+import MySQLdb
+
+config = {
+ "user": "kiwi",
+ "password": "kiwi",
+ "host": "127.0.0.1",
+ "ssl": {
+ # 'ca': '/home/senko/Kiwi/tests/db-certs/ca.pem',
+ # 'cert': '/home/senko/Kiwi/tests/db-certs/client-cert.pem',
+ # 'key': '/home/senko/Kiwi/tests/db-certs/client-key.pem',
+ },
+}
+
+db = MySQLdb.connect(**config)
+cur = db.cursor()
+cur.execute("SHOW STATUS LIKE 'Ssl_cipher'")
+print(cur.fetchone())
+cur.close()
+db.close()
diff --git a/docker-compose.mariadb-ssl b/docker-compose.mariadb-ssl
new file mode 100644
index 0000000000..b427ca8f08
--- /dev/null
+++ b/docker-compose.mariadb-ssl
@@ -0,0 +1,24 @@
+version: '2'
+
+services:
+ db:
+ container_name: kiwi_db
+ image: mariadb:latest
+ command: [ "--character-set-server=utf8mb4",
+ "--collation-server=utf8mb4_unicode_ci",
+ "--require-secure-transport=ON",
+ "--ssl-ca=/etc/certs/ca.pem",
+ "--ssl-cert=/etc/certs/server-cert.pem",
+ "--ssl-key=/etc/certs/server-key.pem" ]
+ volumes:
+ - db_data:/var/lib/mysql
+ - ./tests/db-certs/:/etc/certs/
+ restart: always
+ environment:
+ MYSQL_ROOT_PASSWORD: kiwi-1s-aw3s0m3
+ MYSQL_DATABASE: kiwi
+ MYSQL_USER: kiwi
+ MYSQL_PASSWORD: kiwi
+
+volumes:
+ db_data:
diff --git a/tests/gen-db-certs.sh b/tests/gen-db-certs.sh
new file mode 100755
index 0000000000..1252ae77e3
--- /dev/null
+++ b/tests/gen-db-certs.sh
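Review bot: The `ssl` dict passed to `MySQLdb.connect` has every entry commented out, so the script only shows that some cipher was negotiated; without a `ca` entry the client library has nothing to validate the server certificate against, and the printed `Ssl_cipher` row would look identical whether or not the peer is the server whose certificate `tests/gen-db-certs.sh` produced. The commented-out paths are a developer's home directory, so the check cannot be re-enabled on another checkout or in CI as written; point `ca` at the repository-relative file instead, e.g. `"ca": os.path.join(os.path.dirname(os.path.abspath(__file__)), "tests", "db-certs", "ca.pem")`, with `import os` at the top. A short module docstring stating that this is a manual helper for the `docker-compose.mariadb-ssl` setup, that the hard-coded `kiwi`/`kiwi` credentials are the compose file's test values, and what output indicates success would also help, since the file sits at the repository root next to `manage.py` and `tests/` would be a more natural home for it. `cur.close()` and `db.close()` are skipped if `execute` raises; wrapping the cursor and connection use in `try`/`finally` keeps the connection from leaking on failure.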
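Review bot: The bind mount `- ./tests/db-certs/:/etc/certs/` hands the whole certificate directory to the database container, including `ca-key.pem`, which `tests/gen-db-certs.sh` writes there and which the server never needs; only `ca.pem`, `server-cert.pem` and `server-key.pem` appear in `command`, plus the client pair that the workflow's `docker exec` check reads from `/etc/certs/`. Keeping the CA signing key out of the server filesystem (write it outside `db-certs/` in the generator, or mount the needed files individually) and marking the mount read-only with `- ./tests/db-certs/:/etc/certs/:ro` documents exactly what material the service consumes. `image: mariadb:latest` makes the CI result depend on whatever tag is current on the day the job runs; pinning a major line such as `mariadb:10.6` keeps TLS-related behaviour changes in new releases from silently altering this job. `restart: always` on a throwaway test container is also surprising and, in the workflow, would keep restarting a crash-looping server that a failing `docker-compose ... run` should instead surface; `restart: "no"` (quoted, since bare `no` is a YAML 1.1 boolean) is the safer default here.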
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+OPENSSL_SUBJ="/C=BG/ST=Sofia/L=Sofia"
+OPENSSL_CA="${OPENSSL_SUBJ}/CN=fake-CA"
+OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=fake-server"
+OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=fake-client"
+
+mkdir -p db-certs/
+pushd db-certs/
+
+# Generate new CA certificate ca.pem file.
+openssl genrsa 2048 > ca-key.pem
+
+# TODO This has interaction that must be automated
+openssl req -new -x509 -nodes -days 3600 \
+ -subj "${OPENSSL_CA}" \
+ -key ca-key.pem -out ca.pem
+
+
+# Create the server-side certificates
+# This has more interaction that must be automated
+
+openssl req -newkey rsa:2048 -days 3600 -nodes \
+ -subj "${OPENSSL_SERVER}" \
+ -keyout server-key.pem -out server-req.pem
+openssl rsa -in server-key.pem -out server-key.pem
+openssl x509 -req -in server-req.pem -days 3600 \
+ -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+
+# Create the client-side certificates
+openssl req -newkey rsa:2048 -days 3600 -nodes \
+ -subj "${OPENSSL_CLIENT}" \
+ -keyout client-key.pem -out client-req.pem
+openssl rsa -in client-key.pem -out client-key.pem
+openssl x509 -req -in client-req.pem -days 3600 \
+ -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
+
+# Verify the certificates are correct
+openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
+
+# make the keys readable b/c we're having issues with uid/gid inside the containers
+chmod 644 client-key.pem server-key.pem ca-key.pem
+popd
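Review bot: The script has no `set -e`, so its exit status is that of the final `popd` and a failing `openssl` invocation, including the `openssl verify -CAfile ca.pem server-cert.pem client-cert.pem` check, is ignored; the workflow's `pushd ./tests/ && ./gen-db-certs.sh && popd` then proceeds and the failure only surfaces later as an opaque container startup error. Add `set -euo pipefail` directly after `#!/bin/bash` so the certificate step fails where the problem is. Both leaf certificates are issued by the same CA with `-set_serial 01`; serial numbers must be unique per issuer, so use `-set_serial 02` for the client certificate (or `-CAcreateserial` on both). The two "interaction that must be automated" comments are stale now that `-subj` supplies the subject non-interactively and can be dropped, and a header comment noting that `CN=fake-server` without a SAN will not pass hostname verification if a client ever enables it would save the next person a debugging session.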