php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76575 PDO does not support EC crypto
Submitted: 2018-07-03 23:53 UTC Modified: 2018-07-03 23:59 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: 2ce27k7518ek at opayq dot com Assigned:
Status: Open Package: PDO MySQL
PHP Version: 7.2.7 OS: any
Private report: No CVE-ID: None
 [2018-07-03 23:53 UTC] 2ce27k7518ek at opayq dot com
Description:
------------
It's not possible to use elliptic curve certs/ciphers for SSL pdo_mysql connection

Actual result:
--------------
I'm running php 7.2.7 on linux

	php -v
		PHP 7.2.7-dev (cli) (built: Jun 23 2018 08:57:14) ( NTS )
		Copyright (c) 1997-2018 The PHP Group
		Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
		    with Zend OPcache v7.2.7-dev, Copyright (c) 1999-2018, by Zend Technologies

pdo exts are built with config

	--enable-pdo=shared
	--enable-mysqlnd=shared
	--enable-mysqlnd-compression-support
	--with-mysqli=shared,mysqlnd
	--with-pdo-mysql=shared,mysqlnd
	--with-mysql-sock=/var/cache/mariadb/mariadb.sock

openssl is

	openssl version
		OpenSSL 1.1.0h  27 Mar 2018

sql/ssl extensions loaded include

	php -m |egrep "pdo|ssl|sql"
		mysqli
		mysqlnd
		openssl
		pdo_mysql
		pdo_sqlite
		sqlite3

My DB is

	mariadb_config --version --tlsinfo --socket
		10.3.8
		OpenSSL 1.1.0h
		/var/cache/mariadb/mariadb.sock


I use driver == pdo_mysql for connections in a Symfony4+Doctrine app.

Without SSL, connections work as expected -- both from within app via pdo, and from shell using native mysql client

Adding SSL to the mix, from shell using native mysql client, works


	mysql \
	 -h localhost \
	 -u ${DBUSER} \
	 --password=${DBPASS} \
	 --ssl-ca=${SSL_CA_CERT} \
	 --ssl-cert=${SSL_CERT} \
	 --ssl-key=${SSL_PRIVKEY} \
	 --ssl-cipher=${SSL_CIPHERS} \
	 --ssl-verify-server-cert \
	${DBNAME}

	MariaDB [testdb]> status;
		--------------
		mysql  Ver 15.1 Distrib 10.3.8-MariaDB, for Linux (x86_64) using readline 5.1

		Connection id:          16
		Current database:       testdb
		Current user:           testuser@localhost
		SSL:                    Cipher in use is ECDHE-ECDSA-CHACHA20-POLY1305
		Current pager:          /usr/bin/less
		Using outfile:          ''
		Using delimiter:        ;
		Server:                 MariaDB
		Server version:         10.3.8-MariaDB-log Source distribution
		Protocol version:       10
		Connection:             Localhost via UNIX socket
		Server characterset:    utf8mb4
		Db     characterset:    utf8mb4
		Client characterset:    utf8mb4
		Conn.  characterset:    utf8mb4
		UNIX socket:            /var/cache/mariadb/mariadb.sock
		Uptime:                 54 min 34 sec

		Threads: 8  Questions: 27  Slow queries: 0  Opens: 17  Flush tables: 1  Open tables: 11  Queries per second avg: 0.008
		--------------


But, using same ENV (certs, privkey, cipherspec), with key config in PHP app,

    !php/const:PDO::MYSQL_ATTR_SSL_CA:     '%env(SSL_CA_CERT)%'
    !php/const:PDO::MYSQL_ATTR_SSL_CERT:   '%env(SSL_CERT)%'
    !php/const:PDO::MYSQL_ATTR_SSL_KEY:    '%env(SSL_PRIVKEY)%'
    !php/const:PDO::MYSQL_ATTR_SSL_CIPHER: '%env(SSL_CIPHERS)%'

on attempt to connect from within app, e.g., on exec of

	bin/console doctrine:phpcr:init:dbal --force

fails, returning

	In AbstractMySQLDriver.php line 112:
	  An exception occurred in driver: SQLSTATE[HY000] [2002]  

	In PDOConnection.php line 50:
	  SQLSTATE[HY000] [2002]

	In PDOConnection.php line 46:
	  SQLSTATE[HY000] [2002]

	In PDOConnection.php line 46:
	  PDO::__construct(): this stream does not support SSL/crypto


The notable error being

	"PDO::__construct(): this stream does not support SSL/crypto"

Digging around, this is apparently due to a lack of EC support in pdo_mysql.

My certs/keys are EC, and my cipher spec is limited to

	SSL_CIPHERS='ECDHE-ECDSA-CHACHA20-POLY1305'

which is widely/consistently used across all our internal servers & services.

Apparently, EC support was added long ago for ext/openssl

	Request #61204 	Add elliptic curve support for OpenSSL
	  https://bugs.php.net/bug.php?id=61204



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-07-03 23:59 UTC] 2ce27k7518ek at opayq dot com
-Summary: SSL fails w/EC crt: "PDO::__construct(): this stream does not support SSL/crypt +Summary: PDO does not support EC crypto
 [2018-07-03 23:59 UTC] 2ce27k7518ek at opayq dot com
fix title
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC