php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71845 Impossible to use PDO with ssl connections
Submitted: 2016-03-17 15:47 UTC Modified: 2020-11-08 04:22 UTC
Votes:39
Avg. Score:4.6 ± 0.7
Reproduced:34 of 34 (100.0%)
Same Version:12 (35.3%)
Same OS:6 (17.6%)
From: source dot spider at gmail dot com Assigned:
Status: No Feedback Package: PDO MySQL
PHP Version: 7.0.4 OS: centos 7
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2016-03-17 15:47 UTC] source dot spider at gmail dot com
Description:
------------
Services such as Google Cloud SQL have SSL certificates signed as CN=`project:instance-name' (literally). However to connect to them IPs are required. In some cases you may also need to connect to multiple servers, but the certificate remains unchanged (the service in question provide only one set of certificates). As such the verification done by php (or mysqlnd?) is pointless and simply serves to break the application establishing a secure connection[1].

The error will manifest as "PDO::__construct(): Peer certificate CN=`project:instance-name' did not match expected CN=`123.456.78.9' in /path/to/script.php"

None of the mechanisms that would disable the verification, such as stream_context_set_default[2], actually affect the connection in any way.

There appears to be a MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT (which was introduced to fix the same mistake on mysqli apparently) however the functionality wasn't ported to any of the other interfaces even though it's clearly just as broken everywhere else.

___________

[1] many applications require the connection to be secure to ensure sensitive information isn't just traveling in plain text over pipes to and from the database

[2] full example of stream_context_set_default

stream_context_set_default([
    'ssl' => [
	'verify_peer_name' => false,
        'verify_peer' => false
    ]
]);

Test script:
---------------
<?php

#
# The following parameters will need to be filled in and the certificate
# must not match the dbhost parameter. Ideally we wouldn't need to modify
# the default context and could customize via $options instead
#

$dbhost = '';
$dbname = '';
$dbuser = '';
$dbpass = '';

stream_context_set_default([
    'ssl' => [
	'verify_peer_name' => false,
        'verify_peer' => false
    ]
]);

$options = [
	\PDO::MYSQL_ATTR_SSL_KEY  => __DIR__.'/client-key.pem',
	\PDO::MYSQL_ATTR_SSL_CERT => __DIR__.'/client-cert.pem',
	\PDO::MYSQL_ATTR_SSL_CA   => __DIR__.'/server-ca.pem'
];



$dsn = 'mysql:host='.$dbhost.';dbname='.$dbname.';charset=utf8';

try {
	$pdo = new \PDO($dsn, $dbuser, $dbpass, $options);
	echo "SUCCESS!\n\n";
}
catch (\Exception $e) {
	echo "FAILED!\n\n";
	throw $e;
}

Expected result:
----------------
The script should print "SUCCESS!"

Actual result:
--------------
The script prints "FAILED!" and throws the error saying "PDO::__construct(): Peer certificate CN=`project:instance-name' did not match expected CN=`123.456.78.9' in /path/to/script.php"

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-18 02:04 UTC] requinix@php.net
See also request #71003 to expose the mysqli flag to PDO.
 [2020-02-10 13:50 UTC] nj dot andreasson at gmail dot com
I was yet again hit with this issue in an AWS environment.
I first commented on this issue almost 4 years ago in bug #71003 but it was sadly closed further down the line (not sure why?).
As explained in bug 71003, I still see that the best solution would be to expose a "verify_peer_name" directive that you could populate with the expected peer name to verify.
Thanks for considering it!
 [2020-10-28 11:39 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2020-10-28 11:39 UTC] nikic@php.net
There is a PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT attribute since PHP 7.0.18, added in https://github.com/php/php-src/commit/247ce052cd0fc7d0d8ea1a0e7ea2075e9601766a. That attribute does address this issue, right?
 [2020-10-29 19:48 UTC] willie dot owens91 at gmail dot com
I am attempting to use PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT with a value of false, yet still face this issue. Using PHP 7.2.14.
 [2020-10-29 19:57 UTC] willie dot owens91 at gmail dot com
[edit] nvm, it seems to work
 [2020-11-08 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Dec 02 09:01:23 2020 UTC