php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #80436 MYSQL_ATTR_SSL_CAPATH Prevails on MYSQL_ATTR_SSL_VERIFY_SERVER_CERT
Submitted: 2020-11-28 11:09 UTC Modified: -
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: Patrick dot Messier at canada dot ca Assigned:
Status: Open Package: PDO MySQL
PHP Version: 7.4.13 OS: debian buster
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: Patrick dot Messier at canada dot ca
New email:
PHP Version: OS:

 

 [2020-11-28 11:09 UTC] Patrick dot Messier at canada dot ca
Description:
------------
It seams that whenever PDO::MYSQL_ATTR_SSL_CERT is set to something, PHP will try to validate the database certificate, regardless of the PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT value.

Test script:
---------------
I've successfully used the following value combination when connecting to MySQL servers that uses a certificate signed by a trusted Certificate Authority (CA).

PDO::MYSQL_ATTR_SSL_CAPATH=/etc/ssl/certs
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=true

Based on PHP documentation (https://www.php.net/manual/en/ref.pdo-mysql.php), I thought I could simply toggle MYSQL_ATTR_SSL_VERIFY_SERVER_CERT to false to allow connections to database servers that use self-signed certificate (i.e. for which the CA certificate is absent from /etc/ssl/certs). 

PDO::MYSQL_ATTR_SSL_CAPATH=/etc/ssl/certs
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=false



Expected result:
----------------
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT set to false would prevent PHP from validating the database certificate regardless of the MYSQL_ATTR_SSL_CAPATH value.


Actual result:
--------------
Doing so constantly leads to the following error: 

PDO::__construct(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Surpringly, the following combinations works:

PDO::MYSQL_ATTR_SSL_CAPATH=null
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=[false|true]

In which case I believe the database server switches to unencrypted protocol, if it allows it, which is not what we want.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2023-01-02 09:44 UTC] bayedewfrruff at gmail dot com
Thanks for that. (https://www.subarunet.me/)github.com
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 10 23:01:28 2024 UTC