|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71845 Impossible to use PDO with ssl connections
Submitted: 2016-03-17 15:47 UTC Modified: 2016-05-18 02:04 UTC
Avg. Score:4.6 ± 0.7
Reproduced:33 of 33 (100.0%)
Same Version:12 (36.4%)
Same OS:6 (18.2%)
From: source dot spider at gmail dot com Assigned:
Status: Open Package: PDO MySQL
PHP Version: 7.0.4 OS: centos 7
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: source dot spider at gmail dot com
New email:
PHP Version: OS:


 [2016-03-17 15:47 UTC] source dot spider at gmail dot com
Services such as Google Cloud SQL have SSL certificates signed as CN=`project:instance-name' (literally). However to connect to them IPs are required. In some cases you may also need to connect to multiple servers, but the certificate remains unchanged (the service in question provide only one set of certificates). As such the verification done by php (or mysqlnd?) is pointless and simply serves to break the application establishing a secure connection[1].

The error will manifest as "PDO::__construct(): Peer certificate CN=`project:instance-name' did not match expected CN=`123.456.78.9' in /path/to/script.php"

None of the mechanisms that would disable the verification, such as stream_context_set_default[2], actually affect the connection in any way.

There appears to be a MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT (which was introduced to fix the same mistake on mysqli apparently) however the functionality wasn't ported to any of the other interfaces even though it's clearly just as broken everywhere else.


[1] many applications require the connection to be secure to ensure sensitive information isn't just traveling in plain text over pipes to and from the database

[2] full example of stream_context_set_default

    'ssl' => [
	'verify_peer_name' => false,
        'verify_peer' => false

Test script:

# The following parameters will need to be filled in and the certificate
# must not match the dbhost parameter. Ideally we wouldn't need to modify
# the default context and could customize via $options instead

$dbhost = '';
$dbname = '';
$dbuser = '';
$dbpass = '';

    'ssl' => [
	'verify_peer_name' => false,
        'verify_peer' => false

$options = [
	\PDO::MYSQL_ATTR_SSL_KEY  => __DIR__.'/client-key.pem',
	\PDO::MYSQL_ATTR_SSL_CERT => __DIR__.'/client-cert.pem',
	\PDO::MYSQL_ATTR_SSL_CA   => __DIR__.'/server-ca.pem'

$dsn = 'mysql:host='.$dbhost.';dbname='.$dbname.';charset=utf8';

try {
	$pdo = new \PDO($dsn, $dbuser, $dbpass, $options);
	echo "SUCCESS!\n\n";
catch (\Exception $e) {
	echo "FAILED!\n\n";
	throw $e;

Expected result:
The script should print "SUCCESS!"

Actual result:
The script prints "FAILED!" and throws the error saying "PDO::__construct(): Peer certificate CN=`project:instance-name' did not match expected CN=`123.456.78.9' in /path/to/script.php"


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-18 02:04 UTC]
See also request #71003 to expose the mysqli flag to PDO.
 [2020-02-10 13:50 UTC] nj dot andreasson at gmail dot com
I was yet again hit with this issue in an AWS environment.
I first commented on this issue almost 4 years ago in bug #71003 but it was sadly closed further down the line (not sure why?).
As explained in bug 71003, I still see that the best solution would be to expose a "verify_peer_name" directive that you could populate with the expected peer name to verify.
Thanks for considering it!
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Oct 22 11:01:25 2020 UTC