php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71845 Impossible to use PDO with ssl connections
Submitted: 2016-03-17 15:47 UTC Modified: 2016-05-18 02:04 UTC
Votes:37
Avg. Score:4.6 ± 0.7
Reproduced:32 of 32 (100.0%)
Same Version:12 (37.5%)
Same OS:6 (18.8%)
From: source dot spider at gmail dot com Assigned:
Status: Open Package: PDO MySQL
PHP Version: 7.0.4 OS: centos 7
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: source dot spider at gmail dot com
New email:
PHP Version: OS:

 

 [2016-03-17 15:47 UTC] source dot spider at gmail dot com
Description:
------------
Services such as Google Cloud SQL have SSL certificates signed as CN=`project:instance-name' (literally). However to connect to them IPs are required. In some cases you may also need to connect to multiple servers, but the certificate remains unchanged (the service in question provide only one set of certificates). As such the verification done by php (or mysqlnd?) is pointless and simply serves to break the application establishing a secure connection[1].

The error will manifest as "PDO::__construct(): Peer certificate CN=`project:instance-name' did not match expected CN=`123.456.78.9' in /path/to/script.php"

None of the mechanisms that would disable the verification, such as stream_context_set_default[2], actually affect the connection in any way.

There appears to be a MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT (which was introduced to fix the same mistake on mysqli apparently) however the functionality wasn't ported to any of the other interfaces even though it's clearly just as broken everywhere else.

___________

[1] many applications require the connection to be secure to ensure sensitive information isn't just traveling in plain text over pipes to and from the database

[2] full example of stream_context_set_default

stream_context_set_default([
    'ssl' => [
	'verify_peer_name' => false,
        'verify_peer' => false
    ]
]);

Test script:
---------------
<?php

#
# The following parameters will need to be filled in and the certificate
# must not match the dbhost parameter. Ideally we wouldn't need to modify
# the default context and could customize via $options instead
#

$dbhost = '';
$dbname = '';
$dbuser = '';
$dbpass = '';

stream_context_set_default([
    'ssl' => [
	'verify_peer_name' => false,
        'verify_peer' => false
    ]
]);

$options = [
	\PDO::MYSQL_ATTR_SSL_KEY  => __DIR__.'/client-key.pem',
	\PDO::MYSQL_ATTR_SSL_CERT => __DIR__.'/client-cert.pem',
	\PDO::MYSQL_ATTR_SSL_CA   => __DIR__.'/server-ca.pem'
];



$dsn = 'mysql:host='.$dbhost.';dbname='.$dbname.';charset=utf8';

try {
	$pdo = new \PDO($dsn, $dbuser, $dbpass, $options);
	echo "SUCCESS!\n\n";
}
catch (\Exception $e) {
	echo "FAILED!\n\n";
	throw $e;
}

Expected result:
----------------
The script should print "SUCCESS!"

Actual result:
--------------
The script prints "FAILED!" and throws the error saying "PDO::__construct(): Peer certificate CN=`project:instance-name' did not match expected CN=`123.456.78.9' in /path/to/script.php"

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-18 02:04 UTC] requinix@php.net
See also request #71003 to expose the mysqli flag to PDO.
 [2020-02-10 13:50 UTC] nj dot andreasson at gmail dot com
I was yet again hit with this issue in an AWS environment.
I first commented on this issue almost 4 years ago in bug #71003 but it was sadly closed further down the line (not sure why?).
As explained in bug 71003, I still see that the best solution would be to expose a "verify_peer_name" directive that you could populate with the expected peer name to verify.
Thanks for considering it!
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Feb 24 06:01:26 2020 UTC