MySQLi SSL verify #1219

Closed
puschie286 opened this issue Sep 14, 2018 · 3 comments
Labels
  • bug: Verified issues on the current code behavior or pull requests that will fix them
  • database: Issues or pull requests that affect the database layer


@puschie286
Contributor

puschie286 commented Sep 14, 2018

I found some problems with the SSL verify: currently you apply the "ssl_verify" config with the "options" method. This seems not to work for the new MySQL version.

My workaround is to apply the config by setting client_flag to MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT or MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT.

Don't know if this is always required to establish an SSL connection, but it was the only possible way for us.

Context

  • OS: Win10
  • Web server: Apache 2.4.29_64
  • PHP version: 7.2.3_64
  • MySQL Server: 8.0.12_64
@jim-parry jim-parry added the bug Verified issues on the current code behavior or pull requests that will fix them label Oct 19, 2018
@jim-parry jim-parry added the database Issues or pull requests that affect the database layer label Dec 10, 2018
@jim-parry jim-parry added this to the 4.0.0-beta.2 milestone Mar 5, 2019
@atishhamte
Contributor

There are no changes made by the MySQL community in the MySQL 8 implementation in the case of mysql_real_connect with SSL.
If the code flow works for MySQL 5.7, then it should work with MySQL 8 as well.

The changes asked for by @puschie286 are already there in the code, like setting VERIFY and DONT VERIFY:

if (is_array($this->encrypt))
{
    $ssl                                                  = [];
    empty($this->encrypt['ssl_key']) || $ssl['key']       = $this->encrypt['ssl_key'];
    empty($this->encrypt['ssl_cert']) || $ssl['cert']     = $this->encrypt['ssl_cert'];
    empty($this->encrypt['ssl_ca']) || $ssl['ca']         = $this->encrypt['ssl_ca'];
    empty($this->encrypt['ssl_capath']) || $ssl['capath'] = $this->encrypt['ssl_capath'];
    empty($this->encrypt['ssl_cipher']) || $ssl['cipher'] = $this->encrypt['ssl_cipher'];
    if (! empty($ssl))
    {
        if (isset($this->encrypt['ssl_verify']))
        {
            if ($this->encrypt['ssl_verify'])
            {
                defined('MYSQLI_OPT_SSL_VERIFY_SERVER_CERT') &&
                    $this->mysqli->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
            }
            // Apparently (when it exists), setting MYSQLI_OPT_SSL_VERIFY_SERVER_CERT
            // to FALSE didn't do anything, so PHP 5.6.16 introduced yet another
            // constant ...
            //
            // https://secure.php.net/ChangeLog-5.php#5.6.16
            // https://bugs.php.net/bug.php?id=68344
            elseif (defined('MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT'))
            {
                $this->mysqli->options(MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT, true);
            }
        }
        $client_flags |= MYSQLI_CLIENT_SSL;
        $this->mysqli->ssl_set(
            $ssl['key'] ?? null, $ssl['cert'] ?? null, $ssl['ca'] ?? null,
            $ssl['capath'] ?? null, $ssl['cipher'] ?? null
        );
    }
}

@puschie286
Contributor Author

You have it as an option but not as a flag.
MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT is a connection flag, not an option.
Only MYSQLI_OPT_SSL_VERIFY_SERVER_CERT is an option.

https://www.php.net/manual/de/mysqli.options.php
https://www.php.net/manual/de/mysqli.real-connect.php

@puschie286
Contributor Author

Not sure why, but we also use MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT instead of the MYSQLI_CLIENT_SSL flag.

lonnieezell added a commit that referenced this issue Apr 1, 2019
Mysql connection issue with MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT #1219
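
The distinction raised in this thread, as an added example (not CodeIgniter's code and not the referenced commit): the verify setting is applied with options() before connecting, while MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT is OR-ed into the flags argument of real_connect(). The function names, the `$db` array keys and the sample paths are assumptions, and treating an unset ssl_verify as "verify" is a choice made for this example.

```php
<?php
// Added example, not the framework's code; names and sample values are hypothetical.

// Build the $flags argument for mysqli::real_connect() from an 'encrypt' array.
function tlsClientFlags(array $encrypt, int $flags = 0): int
{
    $flags |= MYSQLI_CLIENT_SSL;
    // "Don't verify" is a connection flag (PHP >= 5.6.16), not an options() key.
    if (! ($encrypt['ssl_verify'] ?? true)
        && defined('MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT')) {
        $flags |= MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
    }
    return $flags;
}

function connectTls(array $db, array $encrypt): mysqli
{
    $mysqli = mysqli_init();
    // "Verify" is a pre-connect option. Assumption: unset ssl_verify means verify.
    if (($encrypt['ssl_verify'] ?? true) && defined('MYSQLI_OPT_SSL_VERIFY_SERVER_CERT')) {
        $mysqli->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, 1);
    }
    $mysqli->ssl_set(
        $encrypt['ssl_key'] ?? null, $encrypt['ssl_cert'] ?? null,
        $encrypt['ssl_ca'] ?? null, $encrypt['ssl_capath'] ?? null,
        $encrypt['ssl_cipher'] ?? null
    );
    if (! $mysqli->real_connect($db['host'], $db['user'], $db['pass'], $db['name'],
        $db['port'] ?? 3306, null, tlsClientFlags($encrypt))) {
        throw new RuntimeException('TLS connect failed: ' . mysqli_connect_error());
    }
    // Confirm the session really negotiated TLS instead of trusting the config.
    $row = $mysqli->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_row();
    if (empty($row[1])) {
        throw new RuntimeException('Connected, but the session is not encrypted');
    }
    return $mysqli;
}

// Constructed sample configs; this loop only prints flags and contacts no server.
$samples = [
    ['ssl_ca' => '/path/to/ca.pem', 'ssl_verify' => true],
    ['ssl_ca' => '/path/to/ca.pem', 'ssl_verify' => false],
];
foreach ($samples as $cfg) {
    printf("ssl_verify=%s flags=0x%X\n",
        var_export($cfg['ssl_verify'], true), tlsClientFlags($cfg));
}
```

With ssl_verify set to false the server certificate is not checked, so the Ssl_cipher check shows only that the link is encrypted, not that the peer is the intended server.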