php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72048 No way to disable peer name verification
Submitted: 2016-04-18 14:11 UTC Modified: -
Votes:58
Avg. Score:3.4 ± 1.0
Reproduced:32 of 36 (88.9%)
Same Version:25 (78.1%)
Same OS:21 (65.6%)
From: michal at cihar dot com Assigned:
Status: Open Package: MySQLi related
PHP Version: 7.0Git-2016-04-18 (Git) OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: michal at cihar dot com
New email:
PHP Version: OS:

 

 [2016-04-18 14:11 UTC] michal at cihar dot com
Description:
------------
Currently the MySQLi driver only allows to validate SSL certificate and whether it matches provided CN or skip both of these. This leads to insecure setup in many cases as you have to disable SSL verification in order to workaround CN/hostname mismatch (which is quite usual with cloud providers as CN contains name of the instance and you connect using IP address, this is true for example for Google Cloud SQL), what makes using SSL pretty much useless as you're open to MITM attacks.

What is missing is separate control to disable only ssl.verify_peer_name as you still want to verify the server certificate.

See also https://bugs.php.net/bug.php?id=68344


Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-03-05 06:01 UTC] alivai1976 at gmail dot com
The following pull request has been associated:

Patch Name: Fix #79133 - Replace <literal> with <code>
On GitHub:  https://github.com/php/doc-en/pull/23
Patch:      https://github.com/php/doc-en/pull/23.patch
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 08:01:28 2024 UTC