|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull Requests
Pull requests:
HistoryAllCommentsChangesGit/SVN commits
[2016-05-18 02:04 UTC] requinix@php.net
[2020-02-10 13:50 UTC] nj dot andreasson at gmail dot com
[2020-10-28 11:39 UTC] nikic@php.net
-Status: Open
+Status: Feedback
[2020-10-28 11:39 UTC] nikic@php.net
[2020-10-29 19:48 UTC] willie dot owens91 at gmail dot com
[2020-10-29 19:57 UTC] willie dot owens91 at gmail dot com
[2020-11-08 04:22 UTC] php-bugs at lists dot php dot net
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Wed Nov 05 13:00:01 2025 UTC |
Description: ------------ Services such as Google Cloud SQL have SSL certificates signed as CN=`project:instance-name' (literally). However to connect to them IPs are required. In some cases you may also need to connect to multiple servers, but the certificate remains unchanged (the service in question provide only one set of certificates). As such the verification done by php (or mysqlnd?) is pointless and simply serves to break the application establishing a secure connection[1]. The error will manifest as "PDO::__construct(): Peer certificate CN=`project:instance-name' did not match expected CN=`123.456.78.9' in /path/to/script.php" None of the mechanisms that would disable the verification, such as stream_context_set_default[2], actually affect the connection in any way. There appears to be a MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT (which was introduced to fix the same mistake on mysqli apparently) however the functionality wasn't ported to any of the other interfaces even though it's clearly just as broken everywhere else. ___________ [1] many applications require the connection to be secure to ensure sensitive information isn't just traveling in plain text over pipes to and from the database [2] full example of stream_context_set_default stream_context_set_default([ 'ssl' => [ 'verify_peer_name' => false, 'verify_peer' => false ] ]); Test script: --------------- <?php # # The following parameters will need to be filled in and the certificate # must not match the dbhost parameter. Ideally we wouldn't need to modify # the default context and could customize via $options instead # $dbhost = ''; $dbname = ''; $dbuser = ''; $dbpass = ''; stream_context_set_default([ 'ssl' => [ 'verify_peer_name' => false, 'verify_peer' => false ] ]); $options = [ \PDO::MYSQL_ATTR_SSL_KEY => __DIR__.'/client-key.pem', \PDO::MYSQL_ATTR_SSL_CERT => __DIR__.'/client-cert.pem', \PDO::MYSQL_ATTR_SSL_CA => __DIR__.'/server-ca.pem' ]; $dsn = 'mysql:host='.$dbhost.';dbname='.$dbname.';charset=utf8'; try { $pdo = new \PDO($dsn, $dbuser, $dbpass, $options); echo "SUCCESS!\n\n"; } catch (\Exception $e) { echo "FAILED!\n\n"; throw $e; } Expected result: ---------------- The script should print "SUCCESS!" Actual result: -------------- The script prints "FAILED!" and throws the error saying "PDO::__construct(): Peer certificate CN=`project:instance-name' did not match expected CN=`123.456.78.9' in /path/to/script.php"