|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2019-11-16 23:11 UTC] markus dot fasselt at gmail dot com
Description: ------------ Trying to connect to an AWS RDS MySQL Instance with PDO using an encrypted SSL connection using the combined CA bundle provided here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.IntermediateCertificates results in the following error: Fatal error: Uncaught PDOException: PDO::__construct(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /ssl/test.php:4 I tested this with the official PHP Docker images and using a native Debian Buster installation. I tried to find out when this broke and pinned it to version 7.3.7. In 7.3.6 everything worked fine. In the changelog I found this change: Fixed bug #78079 (openssl_encrypt_ccm.phpt fails with OpenSSL 1.1.1c). This change was also included in 7.2.20 and I was able to confirm the issue there as well. With 7.2.19 it works fine. In the Docker images, PHP 7.3.6 and 7.2.19 use OpenSSL version 1.1.0k, 7.3.7 and 7.2.20 use 1.1.1c. The native Buster installation was using PHP 7.3.11 with OpenSSL 1.1.1d. Using the Alpine Docker build or an Ubuntu installation works fine. So I guess this is related to the Debian Buster environment. The test script tries to connect to an RDS instance. However, I think you can use any MySQL instance as the certificate validation fails locally. I do not assume that the CA bundle is invalid, as it works on several other environments. Test script: --------------- # Dockerfile FROM php:7.3.7-cli RUN docker-php-ext-install pdo_mysql # test.php <?php $pdo = new PDO('mysql:host=foobar.abc-central-1.rds.amazonaws.com', 'admin', 'egal', [ PDO::MYSQL_ATTR_SSL_CA => './rds-combined-ca-bundle.pem', PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true, ]); PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Apr 25 01:01:30 2024 UTC |
Hey, I think I found an easier way to reproduce this bug you are reporting too! Check the code below: <?php $conn = mysqli_connect("localhost","root","password"); $curl = curl_init(); $opts = array(); //If you use https://www.sitepor500.com.br below (or any domain that has SSL) the bug will happen and nothing will be echoed below, but if you change that domain to anyone that DOES NOT have SSL, the bug goes away. $opts[CURLOPT_URL] = "https://www.sitepor500.com.br"; //$opts[CURLOPT_URL] = "http://anydomainwihoutssl.com"; curl_setopt_array($curl,$opts); echo curl_exec($curl); ?> NOTE: this bug does not happen with file_get_contents only with CURL.This looks to still be an issue in 7.4.2 Docker Image SHA sha256:ff6b3af79b5ba47b82e651a18be1f57dc640f96d4751150e725eb37314a94f6b root@afd56198cd41:/var/www# php -v PHP 7.4.2 (cli) (built: Feb 1 2020 19:39:30) ( NTS ) Copyright (c) The PHP Group Zend Engine v3.4.0, Copyright (c) Zend Technologies with Xdebug v2.9.2, Copyright (c) 2002-2020, by Derick Rethans php:7.4-apache error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed $dh->ssl_set(null, null, $pathToCA, null, null);