php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #55283 SSL options set by mysqli_ssl_set ignored for MySQLi persistent connections
Submitted: 2011-07-26 00:20 UTC Modified: 2017-10-24 06:13 UTC
Votes:12
Avg. Score:4.3 ± 0.8
Reproduced:7 of 8 (87.5%)
Same Version:2 (28.6%)
Same OS:4 (57.1%)
From: aleksey at wepay dot com Assigned:
Status: Open Package: MySQLi related
PHP Version: 5.3.6 OS: Cent OS
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: aleksey at wepay dot com
New email:
PHP Version: OS:

 

 [2011-07-26 00:20 UTC] aleksey at wepay dot com 
Description:
------------
The MySQLi ignores SSL options set with mysqli_ssl_set() for persistent connections (works fine for non-persistent connections).

To reproduce:
1) Configure MySQL server with SSL support (http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html)
2) Run the attached test script



Test script:
---------------
<?
$host  = 'localhost';
$user  = 'root';
$pass  = '';
$db    = null;
$port  = 3306;
$flags = MYSQLI_CLIENT_SSL;

/* persistent connection */
$link = mysqli_init();
mysqli_ssl_set($link, null, null, null, null, "RC4-MD5");
if (mysqli_real_connect($link, 'p:' . $host, $user, $pass, $db, $port, null, $flags)) {
	$r = $link->query("SHOW STATUS LIKE 'Ssl_cipher'");
    var_dump($r->fetch_row());
}

/* non-persistent connection */
$link = mysqli_init();
mysqli_ssl_set($link, null, null, null, null, "RC4-MD5");
if (mysqli_real_connect($link, $host, $user, $pass, $db, $port, null, $flags)) {
	$r = $link->query("SHOW STATUS LIKE 'Ssl_cipher'");
    var_dump($r->fetch_row());
}


Expected result:
----------------
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(18) "RC4-MD5"
}
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(7) "RC4-MD5"
}


Actual result:
--------------
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(18) "DHE-RSA-AES256-SHA"
}
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(7) "RC4-MD5"
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-07-26 00:25 UTC] aleksey at wepay dot com 
Please note that while the example shows the problem with the cipher, all other parameters are also ignored. In particular, ssl cert info is critical.
 [2011-07-26 15:40 UTC] philip@php.net
-Assigned To: +Assigned To: mysql
 [2011-08-05 11:53 UTC] uw@php.net
-Status: Assigned +Status: Verified
 [2011-08-05 11:53 UTC] uw@php.net 
Reproducible with PHP 5.3.7RC4-dev (cli) (built: Jul 26 2011 17:35:20) (DEBUG) using *libmysql* to connect to 5.1.45-debug-log 

Configure Command =>  './configure'  '--with-mysql=mysqlnd' '--with-mysqli=/usr/local/mysql/bin/mysql_config' '--with-pdo-mysql=/usr/local/mysql/bin/mysql_config' '--enable-debug' '--enable-maintainer-zts' '--enable-mysqlnd-ms' '--enable-mysqlenterprise' '--enable-mysqlnd-uh' '--enable-pcntl'

nixnutz@linux-fuxh:~/php/php-src/branches/PHP_5_3> sapi/cli/php bar.php
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(18) "DHE-RSA-AES256-SHA"
}
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(7) "RC4-MD5"
}
 [2011-08-05 13:17 UTC] uw@php.net 
The actual issue here is in mysqlnd (or in the mysqli user API, however you put it :-)): if using mysqli_init() to create a connection object we don't yet know if it needs to be persistent or not. mysqli was changed to meet the needs of mysqlnd. Unfortunately, this has an unforeseen side-effect on mysqli @ libmysql [@ SSL]. Changing mysqli to make libmysql happy will cause leaks with mysqlnd. 

This needs some think time.
 [2011-08-05 13:39 UTC] andrey@php.net 
Automatic comment from SVN on behalf of andrey
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=314330
Log: Fix for bug #55283 SSL options set by mysqli_ssl_set ignored for MySQLi persistent connections
 [2011-08-18 01:34 UTC] spam2 at rhsoft dot net 
well i guess this change results in connections hanging around and 
after a hughe timeout filling my mailbox with cron-mails since 
upgraded to 5.3.7 using MYSQLND so "Changing mysqli to make libmysql happy will cause leaks with mysqlnd" seems to be true -> but why done this change if knowing it?

mysqlnd 5.0.8-dev - 20102224 - $Revision: 310735 $
without ssl_set() all works fine but unencyrpted 

how can i revert this change for the 5.3.7-final.tar.bz2?
___________

MySQL server has gone away

 $this->ssl_key = '/etc/mysql-ssl/client.pem';
 $this->ssl_crt = '/etc/mysql-ssl/client.pem';
 $this->ssl_ca  = '/etc/mysql-ssl/ca.crt';

$>conn->ssl_set($this->ssl_key, $this->ssl_crt, $this->ssl_ca, NULL, NULL);
 [2011-08-18 06:08 UTC] andrey@php.net 
I don't get your comment :(
 [2011-08-18 07:17 UTC] spam2 at rhsoft dot net 
what try you to tell me with "I don't get your comment :("
remember that not everfybody has english as nmative language

i need a way to revert this change to get PHP 5.3.7 
working with mysqlnd/ssl the same way as it did the 
whole last year
 [2011-08-18 07:51 UTC] andrey@php.net 
English is neither my mother tongue.
 [2011-08-18 07:55 UTC] pajoye@php.net 
You can try in German then as you both speak German as well.

However it looks to me that the code speaks for itself. The connection fails after 
the timeout. This comment is based on this discussion on internals, 
http://news.php.net/php.internals/54667 .
 [2011-08-22 21:31 UTC] johannes@php.net 
Automatic comment from SVN on behalf of johannes
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=315310
Log: - Revert r313616 (When we have a blocking SSL socket, respect the timeout
  option, scottmac)

# This caused bug #55283, we should investigate a proper solution without
# breaking anything.
 [2011-09-02 11:22 UTC] uw@php.net 
PHP 5.4 beta is scheduled for next week. Is anybody working on fixing the underlying PHP Streams issue not only with 5.3 but also 5.4?
 [2011-09-02 12:19 UTC] johannes@php.net
-Status: Verified +Status: Assigned -Assigned To: mysql +Assigned To: scottmac
 [2011-09-02 12:19 UTC] johannes@php.net 
Scott, can you check how we can fix both things - SSL timeout while having mysqlnd SSL working? We're happy to help on the MySQL side ... Thanks!
 [2011-09-02 12:48 UTC] spam2 at rhsoft dot net 
would it not be the better solution to think about dropping the libmysql-support and use only mysqlnd - we are runnning some hundret domains and using mysqlnd since the first 5.3 release

you will always have the problem of regressions and the result of auto-tests are depending how php was compiled
 [2011-10-05 05:20 UTC] pajoye@php.net 
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=317753
Log: - Revert r313616 (When we have a blocking SSL socket, respect the timeout
  option, scottmac)

# This caused bug #55283 and #55848, we should investigate a proper solution without
# breaking anything.
 [2015-07-10 11:33 UTC] spam2 at rhsoft dot net 
Related To: Bug #70039
 [2015-07-10 13:21 UTC] spam2 at rhsoft dot net 
Related To: Bug #70039
 [2017-10-24 06:13 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: scottmac +Assigned To:
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 15:01:30 2024 UTC