Bug #78824 SSL verification fails on Debian Buster
Submitted: 2019-11-16 23:11 UTC Modified: -
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: markus dot fasselt at gmail dot com Assigned:
Status: Open Package: PDO MySQL
PHP Version: 7.3.11 OS: Debian Buster
Private report: No CVE-ID: None

 [2019-11-16 23:11 UTC] markus dot fasselt at gmail dot com
Description:
------------
Trying to connect to an AWS RDS MySQL instance with PDO over an encrypted SSL connection, using the combined CA bundle provided here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.IntermediateCertificates, results in the following error:

Fatal error: Uncaught PDOException: PDO::__construct(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /ssl/test.php:4

I tested this with the official PHP Docker images and using a native Debian Buster installation.

I tried to find out when this broke and pinned it to version 7.3.7. In 7.3.6 everything worked fine.

In the changelog I found this change:
Fixed bug #78079 (openssl_encrypt_ccm.phpt fails with OpenSSL 1.1.1c).

This change was also included in 7.2.20 and I was able to confirm the issue there as well. With 7.2.19 it works fine.

In the Docker images, PHP 7.3.6 and 7.2.19 use OpenSSL version 1.1.0k, 7.3.7 and 7.2.20 use 1.1.1c.
The native Buster installation was using PHP 7.3.11 with OpenSSL 1.1.1d.

Using the Alpine Docker build or an Ubuntu installation works fine. So I guess this is related to the Debian Buster environment.

The test script tries to connect to an RDS instance. However, I think you can use any MySQL instance as the certificate validation fails locally. I do not assume that the CA bundle is invalid, as it works on several other environments.

Test script:
---------------
# Dockerfile

FROM php:7.3.7-cli
RUN docker-php-ext-install pdo_mysql


# test.php
<?php

// Host, user and password are placeholders; the failure is local certificate
// validation, so any MySQL server with TLS enabled should show it.
$pdo = new PDO('mysql:host=foobar.abc-central-1.rds.amazonaws.com', 'admin', 'egal', [
    PDO::MYSQL_ATTR_SSL_CA => './rds-combined-ca-bundle.pem',
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
]);
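Because the report says the verification failure is reproducible locally, the first thing to check is the bundle itself rather than the server. The following is an added diagnostic script, not code from the report or from PHP: it keeps PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT enabled and, on failure, lists which bundle entries are expired, SHA-1 signed or use keys under 2048 bits, the properties stricter OpenSSL 1.1.1 defaults tend to reject. The DSN, credentials and bundle path are placeholders.

```php
<?php
// Added example (not from the bug report): inspect each certificate in the
// combined CA bundle locally, then attempt the PDO connection with server
// certificate verification left ON. DSN, credentials and path are placeholders.

function inspectCaBundle(string $path): array
{
    $pem = file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("cannot read CA bundle: $path");
    }
    // A combined bundle is a concatenation of PEM blocks; split and parse each one
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $report = [];
    foreach ($m[0] as $i => $block) {
        $cert = openssl_x509_read($block);
        $info = $cert ? openssl_x509_parse($cert) : false;
        if ($info === false) {
            $report[] = ['index' => $i, 'subject' => '?', 'problems' => ['unparseable']];
            continue;
        }
        $pub  = openssl_pkey_get_public($cert);
        $key  = $pub ? openssl_pkey_get_details($pub) : [];
        $sig  = $info['signatureTypeSN'] ?? 'unknown';
        $bits = $key['bits'] ?? 0;
        $problems = [];
        if ($info['validTo_time_t'] < time())  { $problems[] = 'expired'; }
        if (stripos($sig, 'sha1') !== false)   { $problems[] = "weak signature ($sig)"; }
        if ($bits < 2048)                      { $problems[] = "small key ($bits bits)"; }
        $report[] = ['index' => $i, 'subject' => $info['name'], 'problems' => $problems];
    }
    return $report;
}

$caBundle = __DIR__ . '/rds-combined-ca-bundle.pem';   // placeholder path
try {
    $pdo = new PDO('mysql:host=db.example.internal', 'user', 'secret', [
        PDO::MYSQL_ATTR_SSL_CA                 => $caBundle,
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,   // do not disable this to "fix" the error
        PDO::ATTR_ERRMODE                      => PDO::ERRMODE_EXCEPTION,
    ]);
    echo "connected with verified TLS\n";
} catch (PDOException $e) {
    // Verification failed: show which bundle entries a strict OpenSSL policy may reject
    echo "connection failed: ", $e->getMessage(), "\n";
    foreach (inspectCaBundle($caBundle) as $entry) {
        printf("#%d %s: %s\n", $entry['index'], $entry['subject'],
            empty($entry['problems']) ? 'ok' : implode(', ', $entry['problems']));
    }
}
```

Run it on the host where the connection fails; an entry flagged here points at a bundle or OpenSSL policy problem, whereas a clean report points back at the PHP/OpenSSL build.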



History

 [2019-11-21 12:28 UTC] gilperon at gmail dot com
Hey, I think I found an easier way to reproduce this bug you are reporting too!

Check the code below:

<?php

$conn = mysqli_connect("localhost","root","password");

$curl = curl_init();

$opts = array();

// If you use https://www.sitepor500.com.br below (or any domain that has SSL) the bug will happen and nothing will be echoed below, but if you change that domain to any one that does NOT have SSL, the bug goes away.
$opts[CURLOPT_URL] = "https://www.sitepor500.com.br";
//$opts[CURLOPT_URL] = "http://anydomainwihoutssl.com";

curl_setopt_array($curl,$opts);

echo curl_exec($curl);

?>

NOTE: this bug does not happen with file_get_contents only with CURL.
Last updated: Sun Jan 26 15:01:25 2020 UTC