Doc Bug #80436 MYSQL_ATTR_SSL_CAPATH Prevails on MYSQL_ATTR_SSL_VERIFY_SERVER_CERT
Submitted: 2020-11-28 11:09 UTC Modified: -
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: Patrick dot Messier at canada dot ca Assigned:
Status: Open Package: PDO MySQL
PHP Version: 7.4.13 OS: debian buster
Private report: No CVE-ID: None
 [2020-11-28 11:09 UTC] Patrick dot Messier at canada dot ca
Description:
------------
It seems that whenever PDO::MYSQL_ATTR_SSL_CERT is set to something, PHP will try to validate the database certificate, regardless of the PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT value.

Test script:
---------------
I've successfully used the following value combination when connecting to MySQL servers that use a certificate signed by a trusted Certificate Authority (CA).

PDO::MYSQL_ATTR_SSL_CAPATH=/etc/ssl/certs
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=true

Based on the PHP documentation (https://www.php.net/manual/en/ref.pdo-mysql.php), I thought I could simply toggle MYSQL_ATTR_SSL_VERIFY_SERVER_CERT to false to allow connections to database servers that use a self-signed certificate (i.e. for which the CA certificate is absent from /etc/ssl/certs).

PDO::MYSQL_ATTR_SSL_CAPATH=/etc/ssl/certs
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=false



Expected result:
----------------
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT set to false would prevent PHP from validating the database certificate regardless of the MYSQL_ATTR_SSL_CAPATH value.


Actual result:
--------------
Doing so constantly leads to the following error: 

PDO::__construct(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Surprisingly, the following combinations work:

PDO::MYSQL_ATTR_SSL_CAPATH=null
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=[false|true]

In which case I believe the database server switches to an unencrypted protocol, if it allows it, which is not what we want.
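
To check the report's concern that a connection without a CA path may end up unencrypted, the script below (an added example, not part of the report or of PHP's own code) tries each option combination and prints whether the session negotiated a TLS cipher. The DSN, credentials, `DB_*` environment variable names and the pinned-CA path are placeholder assumptions, the "no CAPATH" case is modelled by omitting the option, and the last case trusts a self-signed server's CA file explicitly with verification left on.

```php
<?php
// Added example, not from the bug report. DSN, credentials, the DB_* variable
// names and the pinned-CA path are placeholders (assumptions).
declare(strict_types=1);

/** Connect with the given driver options and report the session's TLS state. */
function probeTls(string $dsn, string $user, string $pass, array $options): string
{
    try {
        $pdo = new PDO($dsn, $user, $pass, $options);
        // Ssl_cipher is empty when the session is not encrypted.
        $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_NUM);
        $cipher = is_array($row) ? (string) $row[1] : '';
        return $cipher === '' ? 'connected, NOT encrypted' : "connected, TLS cipher $cipher";
    } catch (PDOException $e) {
        // Certificate verification failures surface here.
        return 'failed: ' . $e->getMessage();
    }
}

if (!extension_loaded('pdo_mysql')) {
    exit("pdo_mysql is not loaded\n");
}

$dsn  = getenv('DB_DSN') ?: 'mysql:host=db.example.test;dbname=app';
$user = getenv('DB_USER') ?: 'app';
$pass = getenv('DB_PASS') ?: '';
$ca   = getenv('DB_CA') ?: '/path/to/server-ca.pem'; // CA that signed the server cert

$verify = PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT;
$cases = [
    // The three combinations from the report.
    'CAPATH, verify=true'     => [PDO::MYSQL_ATTR_SSL_CAPATH => '/etc/ssl/certs', $verify => true],
    'CAPATH, verify=false'    => [PDO::MYSQL_ATTR_SSL_CAPATH => '/etc/ssl/certs', $verify => false],
    'no CAPATH, verify=false' => [$verify => false],
    // Alternative for self-signed servers: pin their CA, keep verification on.
    'pinned CA, verify=true'  => [PDO::MYSQL_ATTR_SSL_CA => $ca, $verify => true],
];

foreach ($cases as $label => $options) {
    $options[PDO::ATTR_ERRMODE] = PDO::ERRMODE_EXCEPTION;
    printf("%-26s %s\n", $label, probeTls($dsn, $user, $pass, $options));
}
```

A line reading "connected, NOT encrypted" means the combination connected without TLS, which is the outcome the report wants to avoid.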

Last updated: Thu Nov 21 16:01:29 2024 UTC