Bug #76575 PDO does not support EC crypto
Submitted: 2018-07-03 23:53 UTC Modified: 2018-07-03 23:59 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: 2ce27k7518ek at opayq dot com Assigned:
Status: Open Package: PDO MySQL
PHP Version: 7.2.7 OS: any
Private report: No CVE-ID: None
 [2018-07-03 23:53 UTC] 2ce27k7518ek at opayq dot com
Description:
------------
It's not possible to use elliptic curve certs/ciphers for an SSL pdo_mysql connection.

Actual result:
--------------
I'm running PHP 7.2.7 on Linux

	php -v
		PHP 7.2.7-dev (cli) (built: Jun 23 2018 08:57:14) ( NTS )
		Copyright (c) 1997-2018 The PHP Group
		Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
		    with Zend OPcache v7.2.7-dev, Copyright (c) 1999-2018, by Zend Technologies

pdo exts are built with config

	--enable-pdo=shared
	--enable-mysqlnd=shared
	--enable-mysqlnd-compression-support
	--with-mysqli=shared,mysqlnd
	--with-pdo-mysql=shared,mysqlnd
	--with-mysql-sock=/var/cache/mariadb/mariadb.sock

openssl is

	openssl version
		OpenSSL 1.1.0h  27 Mar 2018

sql/ssl extensions loaded include

	php -m |egrep "pdo|ssl|sql"
		mysqli
		mysqlnd
		openssl
		pdo_mysql
		pdo_sqlite
		sqlite3

My DB is

	mariadb_config --version --tlsinfo --socket
		10.3.8
		OpenSSL 1.1.0h
		/var/cache/mariadb/mariadb.sock


I use driver == pdo_mysql for connections in a Symfony4+Doctrine app.

Without SSL, connections work as expected -- both from within app via pdo, and from shell using native mysql client

Adding SSL to the mix, from shell using native mysql client, works


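	# Variables are quoted so paths or passwords containing spaces or shell
	# metacharacters are passed through intact.
	mysql \
	 -h localhost \
	 -u "${DBUSER}" \
	 --password="${DBPASS}" \
	 --ssl-ca="${SSL_CA_CERT}" \
	 --ssl-cert="${SSL_CERT}" \
	 --ssl-key="${SSL_PRIVKEY}" \
	 --ssl-cipher="${SSL_CIPHERS}" \
	 --ssl-verify-server-cert \
	"${DBNAME}"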

	MariaDB [testdb]> status;
		--------------
		mysql  Ver 15.1 Distrib 10.3.8-MariaDB, for Linux (x86_64) using readline 5.1

		Connection id:          16
		Current database:       testdb
		Current user:           testuser@localhost
		SSL:                    Cipher in use is ECDHE-ECDSA-CHACHA20-POLY1305
		Current pager:          /usr/bin/less
		Using outfile:          ''
		Using delimiter:        ;
		Server:                 MariaDB
		Server version:         10.3.8-MariaDB-log Source distribution
		Protocol version:       10
		Connection:             Localhost via UNIX socket
		Server characterset:    utf8mb4
		Db     characterset:    utf8mb4
		Client characterset:    utf8mb4
		Conn.  characterset:    utf8mb4
		UNIX socket:            /var/cache/mariadb/mariadb.sock
		Uptime:                 54 min 34 sec

		Threads: 8  Questions: 27  Slow queries: 0  Opens: 17  Flush tables: 1  Open tables: 11  Queries per second avg: 0.008
		--------------


But, using same ENV (certs, privkey, cipherspec), with key config in PHP app,

    !php/const:PDO::MYSQL_ATTR_SSL_CA:     '%env(SSL_CA_CERT)%'
    !php/const:PDO::MYSQL_ATTR_SSL_CERT:   '%env(SSL_CERT)%'
    !php/const:PDO::MYSQL_ATTR_SSL_KEY:    '%env(SSL_PRIVKEY)%'
    !php/const:PDO::MYSQL_ATTR_SSL_CIPHER: '%env(SSL_CIPHERS)%'

on attempt to connect from within app, e.g., on exec of

	bin/console doctrine:phpcr:init:dbal --force

fails, returning

	In AbstractMySQLDriver.php line 112:
	  An exception occurred in driver: SQLSTATE[HY000] [2002]  

	In PDOConnection.php line 50:
	  SQLSTATE[HY000] [2002]

	In PDOConnection.php line 46:
	  SQLSTATE[HY000] [2002]

	In PDOConnection.php line 46:
	  PDO::__construct(): this stream does not support SSL/crypto


The notable error being

	"PDO::__construct(): this stream does not support SSL/crypto"

Digging around, this is apparently due to a lack of EC support in pdo_mysql.

My certs/keys are EC, and my cipher spec is limited to

	SSL_CIPHERS='ECDHE-ECDSA-CHACHA20-POLY1305'

which is widely/consistently used across all our internal servers & services.

Apparently, EC support was added long ago for ext/openssl

	Request #61204 	Add elliptic curve support for OpenSSL
	  https://bugs.php.net/bug.php?id=61204
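
To isolate the failure from Symfony/Doctrine, a stand-alone check, added here as an example and not part of the original report or of PHP's own code: it first asks ext/openssl to load the client key and report its type, then tries the report's TLS options over both the UNIX socket and TCP, so the key type and the transport can be examined separately. The environment variable names and socket path are taken from the report; the TCP host and port are assumptions.

```php
<?php
// Added example, not from the original report. Env var names and socket path
// come from the report; the TCP host and port are assumptions.
declare(strict_types=1);

function env(string $name): string
{
    $v = getenv($name);
    if ($v === false || $v === '') {
        fwrite(STDERR, "missing environment variable $name\n");
        exit(2);
    }
    return $v;
}

// Step 1: can ext/openssl itself load the client key, and what type is it?
// Assumes SSL_PRIVKEY is an absolute path to a key without a passphrase.
$key = openssl_pkey_get_private('file://' . env('SSL_PRIVKEY'));
if ($key === false) {
    fwrite(STDERR, 'ext/openssl cannot load key: ' . openssl_error_string() . "\n");
    exit(1);
}
$d = openssl_pkey_get_details($key);
$isEc = defined('OPENSSL_KEYTYPE_EC') && $d['type'] === OPENSSL_KEYTYPE_EC;
echo 'client key: ', $isEc ? 'EC, curve ' . ($d['ec']['curve_name'] ?? 'unknown') : 'not EC', "\n";

// Step 2: same TLS options over each transport, reporting the negotiated cipher.
$tls = [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::MYSQL_ATTR_SSL_CA     => env('SSL_CA_CERT'),
    PDO::MYSQL_ATTR_SSL_CERT   => env('SSL_CERT'),
    PDO::MYSQL_ATTR_SSL_KEY    => env('SSL_PRIVKEY'),
    PDO::MYSQL_ATTR_SSL_CIPHER => env('SSL_CIPHERS'),
];
$db = env('DBNAME');
$dsns = [
    'unix socket' => "mysql:unix_socket=/var/cache/mariadb/mariadb.sock;dbname=$db",
    'tcp'         => "mysql:host=127.0.0.1;port=3306;dbname=$db", // assumed host/port
];
foreach ($dsns as $label => $dsn) {
    try {
        $pdo = new PDO($dsn, env('DBUSER'), env('DBPASS'), $tls);
        $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_NUM);
        $cipher = $row[1] ?? '';
        echo "$label: connected, cipher = ", $cipher !== '' ? $cipher : '(none, not encrypted)', "\n";
    } catch (PDOException $e) {
        echo "$label: failed: ", $e->getMessage(), "\n";
    }
}
```

Run it with `php -d display_errors=1` so that warnings raised inside `PDO::__construct()` are printed alongside the exception message. A TCP failure may also come from account host restrictions or certificate name checks, which the printed message will show.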



 [2018-07-03 23:59 UTC] 2ce27k7518ek at opayq dot com
-Summary: SSL fails w/EC crt: "PDO::__construct(): this stream does not support SSL/crypt
+Summary: PDO does not support EC crypto
 [2018-07-03 23:59 UTC] 2ce27k7518ek at opayq dot com
fix title
 
Last updated: Sat Nov 23 22:01:28 2024 UTC