php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71845 Impossible to use PDO with ssl connections
Submitted: 2016-03-17 15:47 UTC Modified: 2016-05-18 02:04 UTC
Votes:30
Avg. Score:4.7 ± 0.6
Reproduced:26 of 26 (100.0%)
Same Version:10 (38.5%)
Same OS:6 (23.1%)
From: source dot spider at gmail dot com Assigned:
Status: Open Package: PDO MySQL
PHP Version: 7.0.4 OS: centos 7
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2016-03-17 15:47 UTC] source dot spider at gmail dot com
Description:
------------
Services such as Google Cloud SQL have SSL certificates signed as CN=`project:instance-name' (literally). However to connect to them IPs are required. In some cases you may also need to connect to multiple servers, but the certificate remains unchanged (the service in question provide only one set of certificates). As such the verification done by php (or mysqlnd?) is pointless and simply serves to break the application establishing a secure connection[1].

The error will manifest as "PDO::__construct(): Peer certificate CN=`project:instance-name' did not match expected CN=`123.456.78.9' in /path/to/script.php"

None of the mechanisms that would disable the verification, such as stream_context_set_default[2], actually affect the connection in any way.

There appears to be a MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT (which was introduced to fix the same mistake on mysqli apparently) however the functionality wasn't ported to any of the other interfaces even though it's clearly just as broken everywhere else.

___________

[1] many applications require the connection to be secure to ensure sensitive information isn't just traveling in plain text over pipes to and from the database

[2] full example of stream_context_set_default

stream_context_set_default([
    'ssl' => [
	'verify_peer_name' => false,
        'verify_peer' => false
    ]
]);

Test script:
---------------
<?php

#
# The following parameters will need to be filled in and the certificate
# must not match the dbhost parameter. Ideally we wouldn't need to modify
# the default context and could customize via $options instead
#

$dbhost = '';
$dbname = '';
$dbuser = '';
$dbpass = '';

stream_context_set_default([
    'ssl' => [
	'verify_peer_name' => false,
        'verify_peer' => false
    ]
]);

$options = [
	\PDO::MYSQL_ATTR_SSL_KEY  => __DIR__.'/client-key.pem',
	\PDO::MYSQL_ATTR_SSL_CERT => __DIR__.'/client-cert.pem',
	\PDO::MYSQL_ATTR_SSL_CA   => __DIR__.'/server-ca.pem'
];



$dsn = 'mysql:host='.$dbhost.';dbname='.$dbname.';charset=utf8';

try {
	$pdo = new \PDO($dsn, $dbuser, $dbpass, $options);
	echo "SUCCESS!\n\n";
}
catch (\Exception $e) {
	echo "FAILED!\n\n";
	throw $e;
}

Expected result:
----------------
The script should print "SUCCESS!"

Actual result:
--------------
The script prints "FAILED!" and throws the error saying "PDO::__construct(): Peer certificate CN=`project:instance-name' did not match expected CN=`123.456.78.9' in /path/to/script.php"

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-18 02:04 UTC] requinix@php.net
See also request #71003 to expose the mysqli flag to PDO.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Fri Dec 14 12:01:26 2018 UTC