Bug #78824 SSL verification fails on Debian Buster
Submitted: 2019-11-16 23:11 UTC Modified: 2020-02-13 17:22 UTC
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: markus dot fasselt at gmail dot com Assigned:
Status: Closed Package: PDO MySQL
PHP Version: 7.3.11 OS: Debian Buster
Private report: No CVE-ID: None
 [2019-11-16 23:11 UTC] markus dot fasselt at gmail dot com
Trying to connect to an AWS RDS MySQL Instance with PDO using an encrypted SSL connection using the combined CA bundle provided here: results in the following error:

Fatal error: Uncaught PDOException: PDO::__construct(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /ssl/test.php:4

I tested this with the official PHP Docker images and using a native Debian Buster installation.

I tried to find out when this broke and pinned it to version 7.3.7. In 7.3.6 everything worked fine. 

In the changelog I found this change:
Fixed bug #78079 (openssl_encrypt_ccm.phpt fails with OpenSSL 1.1.1c).

This change was also included in 7.2.20 and I was able to confirm the issue there as well. With 7.2.19 it works fine.

In the Docker images, PHP 7.3.6 and 7.2.19 use OpenSSL version 1.1.0k, 7.3.7 and 7.2.20 use 1.1.1c.
The native Buster installation was using PHP 7.3.11 with OpenSSL 1.1.1d.

Using the Alpine Docker build or an Ubuntu installation works fine. So I guess this is related to the Debian Buster environment.

The test script tries to connect to an RDS instance. However, I think you can use any MySQL instance as the certificate validation fails locally. I do not assume that the CA bundle is invalid, as it works on several other environments.

Test script:
# Dockerfile

FROM php:7.3.7-cli
RUN docker-php-ext-install pdo_mysql

# test.php

<?php
$pdo = new PDO('', 'admin', 'egal', [
    PDO::MYSQL_ATTR_SSL_CA => './rds-combined-ca-bundle.pem',
]);

 [2019-11-21 12:28 UTC] gilperon at gmail dot com
Hey, I think I found an easier way to reproduce this bug you are reporting too!

Check the code below:


$conn = mysqli_connect("localhost","root","password");

$curl = curl_init();

$opts = array();

// If you use the URL below (or any domain that has SSL), the bug will happen and nothing will be echoed below, but if you change that domain to any one that DOES NOT have SSL, the bug goes away.
$opts[CURLOPT_URL] = "";
//$opts[CURLOPT_URL] = "";

curl_setopt_array($curl, $opts); // apply the options; without this call $opts is never used

echo curl_exec($curl);


NOTE: this bug does not happen with file_get_contents, only with CURL.
 [2020-02-13 17:21 UTC] markus dot fasselt at gmail dot com
-Status: Open +Status: Closed
 [2020-02-13 17:21 UTC] markus dot fasselt at gmail dot com
I just tested it again and it looks like the bug is now solved, even with the same PHP versions. So I guess this was fixed in OpenSSL/Debian or whatever. But I am not able to connect with SSL to an RDS instance. So this can be closed.
 [2020-02-13 17:22 UTC] markus dot fasselt at gmail dot com
 [2020-02-16 01:44 UTC] c dot gregory at marrickdevelopment dot com
This looks to still be an issue in 7.4.2

Docker Image SHA

root@afd56198cd41:/var/www# php -v
PHP 7.4.2 (cli) (built: Feb  1 2020 19:39:30) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Xdebug v2.9.2, Copyright (c) 2002-2020, by Derick Rethans


error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

$dh->ssl_set(null, null, $pathToCA, null, null);