php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55283 SSL options set by mysqli_ssl_set ignored for MySQLi persistent connections
Submitted: 2011-07-26 00:20 UTC Modified: 2011-09-02 12:19 UTC
Votes:6
Avg. Score:4.2 ± 0.9
Reproduced:2 of 3 (66.7%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: aleksey at wepay dot com Assigned: scottmac
Status: Assigned Package: MySQLi related
PHP Version: 5.3.6 OS: Cent OS
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2011-07-26 00:20 UTC] aleksey at wepay dot com
Description:
------------
The MySQLi ignores SSL options set with mysqli_ssl_set() for persistent connections (works fine for non-persistent connections).

To reproduce:
1) Configure MySQL server with SSL support (http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html)
2) Run the attached test script



Test script:
---------------
<?
$host  = 'localhost';
$user  = 'root';
$pass  = '';
$db    = null;
$port  = 3306;
$flags = MYSQLI_CLIENT_SSL;

/* persistent connection */
$link = mysqli_init();
mysqli_ssl_set($link, null, null, null, null, "RC4-MD5");
if (mysqli_real_connect($link, 'p:' . $host, $user, $pass, $db, $port, null, $flags)) {
	$r = $link->query("SHOW STATUS LIKE 'Ssl_cipher'");
    var_dump($r->fetch_row());
}

/* non-persistent connection */
$link = mysqli_init();
mysqli_ssl_set($link, null, null, null, null, "RC4-MD5");
if (mysqli_real_connect($link, $host, $user, $pass, $db, $port, null, $flags)) {
	$r = $link->query("SHOW STATUS LIKE 'Ssl_cipher'");
    var_dump($r->fetch_row());
}


Expected result:
----------------
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(18) "RC4-MD5"
}
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(7) "RC4-MD5"
}


Actual result:
--------------
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(18) "DHE-RSA-AES256-SHA"
}
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(7) "RC4-MD5"
}


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-07-26 00:25 UTC] aleksey at wepay dot com
Please note that while the example shows the problem with the cipher, all other parameters are also ignored. In particular, ssl cert info is critical.
 [2011-07-26 15:40 UTC] philip@php.net
-Assigned To: +Assigned To: mysql
 [2011-08-05 11:53 UTC] uw@php.net
-Status: Assigned +Status: Verified
 [2011-08-05 11:53 UTC] uw@php.net
Reproducible with PHP 5.3.7RC4-dev (cli) (built: Jul 26 2011 17:35:20) (DEBUG) using *libmysql* to connect to 5.1.45-debug-log 

Configure Command =>  './configure'  '--with-mysql=mysqlnd' '--with-mysqli=/usr/local/mysql/bin/mysql_config' '--with-pdo-mysql=/usr/local/mysql/bin/mysql_config' '--enable-debug' '--enable-maintainer-zts' '--enable-mysqlnd-ms' '--enable-mysqlenterprise' '--enable-mysqlnd-uh' '--enable-pcntl'

nixnutz@linux-fuxh:~/php/php-src/branches/PHP_5_3> sapi/cli/php bar.php
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(18) "DHE-RSA-AES256-SHA"
}
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(7) "RC4-MD5"
}
 [2011-08-05 13:17 UTC] uw@php.net
The actual issue here is in mysqlnd (or in the mysqli user API, however you put it :-)): if using mysqli_init() to create a connection object we don't yet know if it needs to be persistent or not. mysqli was changed to meet the needs of mysqlnd. Unfortunately, this has an unforeseen side-effect on mysqli @ libmysql [@ SSL]. Changing mysqli to make libmysql happy will cause leaks with mysqlnd. 

This needs some think time.
 [2011-08-05 13:39 UTC] andrey@php.net
Automatic comment from SVN on behalf of andrey
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=314330
Log: Fix for bug #55283 SSL options set by mysqli_ssl_set ignored for MySQLi persistent connections
 [2011-08-18 01:34 UTC] spam2 at rhsoft dot net
well i guess this change results in connections hanging around and 
after a hughe timeout filling my mailbox with cron-mails since 
upgraded to 5.3.7 using MYSQLND so "Changing mysqli to make libmysql happy will cause leaks with mysqlnd" seems to be true -> but why done this change if knowing it?

mysqlnd 5.0.8-dev - 20102224 - $Revision: 310735 $
without ssl_set() all works fine but unencyrpted 

how can i revert this change for the 5.3.7-final.tar.bz2?
___________

MySQL server has gone away

 $this->ssl_key = '/etc/mysql-ssl/client.pem';
 $this->ssl_crt = '/etc/mysql-ssl/client.pem';
 $this->ssl_ca  = '/etc/mysql-ssl/ca.crt';

$>conn->ssl_set($this->ssl_key, $this->ssl_crt, $this->ssl_ca, NULL, NULL);
 [2011-08-18 06:08 UTC] andrey@php.net
I don't get your comment :(
 [2011-08-18 07:17 UTC] spam2 at rhsoft dot net
what try you to tell me with "I don't get your comment :("
remember that not everfybody has english as nmative language

i need a way to revert this change to get PHP 5.3.7 
working with mysqlnd/ssl the same way as it did the 
whole last year
 [2011-08-18 07:51 UTC] andrey@php.net
English is neither my mother tongue.
 [2011-08-18 07:55 UTC] pajoye@php.net
You can try in German then as you both speak German as well.

However it looks to me that the code speaks for itself. The connection fails after 
the timeout. This comment is based on this discussion on internals, 
http://news.php.net/php.internals/54667 .
 [2011-08-22 21:31 UTC] johannes@php.net
Automatic comment from SVN on behalf of johannes
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=315310
Log: - Revert r313616 (When we have a blocking SSL socket, respect the timeout
  option, scottmac)

# This caused bug #55283, we should investigate a proper solution without
# breaking anything.
 [2011-09-02 11:22 UTC] uw@php.net
PHP 5.4 beta is scheduled for next week. Is anybody working on fixing the underlying PHP Streams issue not only with 5.3 but also 5.4?
 [2011-09-02 12:19 UTC] johannes@php.net
-Status: Verified +Status: Assigned -Assigned To: mysql +Assigned To: scottmac
 [2011-09-02 12:19 UTC] johannes@php.net
Scott, can you check how we can fix both things - SSL timeout while having mysqlnd SSL working? We're happy to help on the MySQL side ... Thanks!
 [2011-09-02 12:48 UTC] spam2 at rhsoft dot net
would it not be the better solution to think about dropping the libmysql-support and use only mysqlnd - we are runnning some hundret domains and using mysqlnd since the first 5.3 release

you will always have the problem of regressions and the result of auto-tests are depending how php was compiled
 [2011-10-05 05:20 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=317753
Log: - Revert r313616 (When we have a blocking SSL socket, respect the timeout
  option, scottmac)

# This caused bug #55283 and #55848, we should investigate a proper solution without
# breaking anything.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 16:02:23 2014 UTC