PHP :: Doc Bug #80436 :: MYSQL_ATTR_SSL_CAPATH Prevails on MYSQL_ATTR_SSL_VERIFY_SERVER

MYSQL_ATTR_SSL_CAPATH Prevails on MYSQL_ATTR_SSL_VERIFY_SERVER_CERT

Submitted:

2020-11-28 11:09 UTC

Modified:

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

Patrick dot Messier at canada dot ca

Assigned:

Status:

Open

Package:

PDO MySQL

PHP Version:

7.4.13

OS:

debian buster

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	Patrick dot Messier at canada dot ca
New email:
PHP Version:		OS:

New/Additional Comment:

[2020-11-28 11:09 UTC] Patrick dot Messier at canada dot ca

Description:
------------
It seams that whenever PDO::MYSQL_ATTR_SSL_CERT is set to something, PHP will try to validate the database certificate, regardless of the PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT value.

Test script:
---------------
I've successfully used the following value combination when connecting to MySQL servers that uses a certificate signed by a trusted Certificate Authority (CA).

PDO::MYSQL_ATTR_SSL_CAPATH=/etc/ssl/certs
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=true

Based on PHP documentation (https://www.php.net/manual/en/ref.pdo-mysql.php), I thought I could simply toggle MYSQL_ATTR_SSL_VERIFY_SERVER_CERT to false to allow connections to database servers that use self-signed certificate (i.e. for which the CA certificate is absent from /etc/ssl/certs). 

PDO::MYSQL_ATTR_SSL_CAPATH=/etc/ssl/certs
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=false



Expected result:
----------------
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT set to false would prevent PHP from validating the database certificate regardless of the MYSQL_ATTR_SSL_CAPATH value.


Actual result:
--------------
Doing so constantly leads to the following error: 

PDO::__construct(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Surpringly, the following combinations works:

PDO::MYSQL_ATTR_SSL_CAPATH=null
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=[false|true]

In which case I believe the database server switches to unencrypted protocol, if it allows it, which is not what we want.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2023-01-02 09:44 UTC] bayedewfrruff at gmail dot com

Thanks for that. (https://www.subarunet.me/)github.com

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Dec 13 11:00:01 2025 UTC