php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78824 SSL verification fails on Debian Buster
Submitted: 2019-11-16 23:11 UTC Modified: 2020-02-13 17:22 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: markus dot fasselt at gmail dot com Assigned:
Status: Closed Package: PDO MySQL
PHP Version: 7.3.11 OS: Debian Buster
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: markus dot fasselt at gmail dot com
New email:
PHP Version: OS:

 

 [2019-11-16 23:11 UTC] markus dot fasselt at gmail dot com
Description:
------------
Trying to connect to an AWS RDS MySQL Instance with PDO using an encrypted SSL connection using the combined CA bundle provided here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.IntermediateCertificates results in the following error:

Fatal error: Uncaught PDOException: PDO::__construct(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /ssl/test.php:4

I tested this with the official PHP Docker images and using a native Debian Buster installation.

I tried to find out when this broke and pinned it to version 7.3.7. In 7.3.6 everything worked fine. 

In the changelog I found this change:
Fixed bug #78079 (openssl_encrypt_ccm.phpt fails with OpenSSL 1.1.1c).

This change was also included in 7.2.20 and I was able to confirm the issue there as well. With 7.2.19 it works fine.

In the Docker images, PHP 7.3.6 and 7.2.19 use OpenSSL version 1.1.0k, 7.3.7 and 7.2.20 use 1.1.1c.
The native Buster installation was using PHP 7.3.11 with OpenSSL 1.1.1d.

Using the Alpine Docker build or an Ubuntu installation works fine. So I guess this is related to the Debian Buster environment.

The test script tries to connect to an RDS instance. However, I think you can use any MySQL instance as the certificate validation fails locally. I do not assume that the CA bundle is invalid, as it works on several other environments.

Test script:
---------------
# Dockerfile

FROM php:7.3.7-cli
RUN docker-php-ext-install pdo_mysql


# test.php
<?php

$pdo = new PDO('mysql:host=foobar.abc-central-1.rds.amazonaws.com', 'admin', 'egal', [
    PDO::MYSQL_ATTR_SSL_CA => './rds-combined-ca-bundle.pem',
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
]);



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-11-21 12:28 UTC] gilperon at gmail dot com
Hey, I think I found an easier way to reproduce this bug you are reporting too!

Check the code below:

<?php

$conn = mysqli_connect("localhost","root","password");

$curl = curl_init();

$opts = array();

//If you use https://www.sitepor500.com.br below (or any domain that has SSL) the bug will happen and nothing will be echoed below, but if you change that domain to anyone that DOES NOT have SSL, the bug goes away.
$opts[CURLOPT_URL] = "https://www.sitepor500.com.br";
//$opts[CURLOPT_URL] = "http://anydomainwihoutssl.com";

curl_setopt_array($curl,$opts);

echo curl_exec($curl);

?>

NOTE: this bug does not happen with file_get_contents only with CURL.
 [2020-02-13 17:21 UTC] markus dot fasselt at gmail dot com
-Status: Open +Status: Closed
 [2020-02-13 17:21 UTC] markus dot fasselt at gmail dot com
I just tested it again and it looks like the bug is now solved, even with the same PHP versions. So I guess this was fixed in OpenSSL/Debian or whatever. But I am not able to connect with SSL to an RDS instance. So this can be closed.
 [2020-02-13 17:22 UTC] markus dot fasselt at gmail dot com
*now
 [2020-02-16 01:44 UTC] c dot gregory at marrickdevelopment dot com
This looks to still be an issue in 7.4.2

Docker Image SHA
sha256:ff6b3af79b5ba47b82e651a18be1f57dc640f96d4751150e725eb37314a94f6b

root@afd56198cd41:/var/www# php -v
PHP 7.4.2 (cli) (built: Feb  1 2020 19:39:30) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Xdebug v2.9.2, Copyright (c) 2002-2020, by Derick Rethans


php:7.4-apache

error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

$dh->ssl_set(null, null, $pathToCA, null, null);
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 01:01:30 2024 UTC