php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #80436 MYSQL_ATTR_SSL_CAPATH Prevails on MYSQL_ATTR_SSL_VERIFY_SERVER_CERT
Submitted: 2020-11-28 11:09 UTC Modified: -
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: Patrick dot Messier at canada dot ca Assigned:
Status: Open Package: PDO MySQL
PHP Version: 7.4.13 OS: debian buster
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: Patrick dot Messier at canada dot ca
New email:
PHP Version: OS:

 

 [2020-11-28 11:09 UTC] Patrick dot Messier at canada dot ca
Description:
------------
It seams that whenever PDO::MYSQL_ATTR_SSL_CERT is set to something, PHP will try to validate the database certificate, regardless of the PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT value.

Test script:
---------------
I've successfully used the following value combination when connecting to MySQL servers that uses a certificate signed by a trusted Certificate Authority (CA).

PDO::MYSQL_ATTR_SSL_CAPATH=/etc/ssl/certs
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=true

Based on PHP documentation (https://www.php.net/manual/en/ref.pdo-mysql.php), I thought I could simply toggle MYSQL_ATTR_SSL_VERIFY_SERVER_CERT to false to allow connections to database servers that use self-signed certificate (i.e. for which the CA certificate is absent from /etc/ssl/certs). 

PDO::MYSQL_ATTR_SSL_CAPATH=/etc/ssl/certs
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=false



Expected result:
----------------
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT set to false would prevent PHP from validating the database certificate regardless of the MYSQL_ATTR_SSL_CAPATH value.


Actual result:
--------------
Doing so constantly leads to the following error: 

PDO::__construct(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Surpringly, the following combinations works:

PDO::MYSQL_ATTR_SSL_CAPATH=null
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=[false|true]

In which case I believe the database server switches to unencrypted protocol, if it allows it, which is not what we want.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2023-01-02 09:44 UTC] bayedewfrruff at gmail dot com
Thanks for that. (https://www.subarunet.me/)github.com
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 15:01:28 2024 UTC