Doc Bug #80436 MYSQL_ATTR_SSL_CAPATH Prevails on MYSQL_ATTR_SSL_VERIFY_SERVER_CERT
Submitted: 2020-11-28 11:09 UTC Modified: -
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: Patrick dot Messier at canada dot ca Assigned:
Status: Open Package: PDO MySQL
PHP Version: 7.4.13 OS: debian buster
Private report: No CVE-ID: None
 [2020-11-28 11:09 UTC] Patrick dot Messier at canada dot ca
Description:
------------
It seems that whenever PDO::MYSQL_ATTR_SSL_CERT is set to something, PHP will try to validate the database certificate, regardless of the PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT value.

Test script:
---------------
I've successfully used the following value combination when connecting to MySQL servers that use a certificate signed by a trusted Certificate Authority (CA).

PDO::MYSQL_ATTR_SSL_CAPATH=/etc/ssl/certs
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=true

Based on PHP documentation (https://www.php.net/manual/en/ref.pdo-mysql.php), I thought I could simply toggle MYSQL_ATTR_SSL_VERIFY_SERVER_CERT to false to allow connections to database servers that use a self-signed certificate (i.e. for which the CA certificate is absent from /etc/ssl/certs).

PDO::MYSQL_ATTR_SSL_CAPATH=/etc/ssl/certs
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=false



Expected result:
----------------
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT set to false would prevent PHP from validating the database certificate regardless of the MYSQL_ATTR_SSL_CAPATH value.


Actual result:
--------------
Doing so constantly leads to the following error: 

PDO::__construct(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Surprisingly, the following combination works:

PDO::MYSQL_ATTR_SSL_CAPATH=null
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT=[false|true]

In which case I believe the database server switches to unencrypted protocol, if it allows it, which is not what we want.
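
Whether a given option combination actually yields an encrypted session can be checked by asking the server for the session's Ssl_cipher after connecting. The script below is an added example, not part of the report or of PHP's own code; the DSN, credentials and CA file path are placeholders, and the last case (pointing PDO::MYSQL_ATTR_SSL_CA at the self-signed server's CA certificate with verification left on) is an alternative the report does not discuss.

```php
<?php
// Added example, not from the bug report. Host, database, credentials and
// the CA file path are placeholders (assumptions). Requires pdo_mysql.
declare(strict_types=1);

/**
 * Connect with the SSL options under test and report the TLS state the
 * server sees for this session.
 */
function probeTls(string $dsn, string $user, string $pass, array $sslOptions): array
{
    $options = $sslOptions + [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION];
    try {
        $pdo = new PDO($dsn, $user, $pass, $options);
    } catch (PDOException $e) {
        // Certificate verification failures surface here.
        return ['connected' => false, 'error' => $e->getMessage()];
    }
    // Ssl_cipher is an empty string when the session is not encrypted.
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_ASSOC);
    $cipher = $row['Value'] ?? '';
    return ['connected' => true, 'encrypted' => $cipher !== '', 'cipher' => $cipher];
}

$dsn    = 'mysql:host=db.example.internal;dbname=app';   // placeholder
$verify = PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT;

$cases = [
    // The combinations listed in the report.
    'capath, verify=true'  => [PDO::MYSQL_ATTR_SSL_CAPATH => '/etc/ssl/certs', $verify => true],
    'capath, verify=false' => [PDO::MYSQL_ATTR_SSL_CAPATH => '/etc/ssl/certs', $verify => false],
    'no SSL options'       => [],
    // Not in the report: trust the self-signed server's own CA file and keep
    // verification enabled. The path is a placeholder.
    'pinned CA, verify=true' => [PDO::MYSQL_ATTR_SSL_CA => '/etc/mysql/self-signed-ca.pem', $verify => true],
];

foreach ($cases as $label => $sslOptions) {
    $r = probeTls($dsn, 'app_user', 'app_password', $sslOptions);   // placeholder credentials
    if (!$r['connected']) {
        printf("%-24s connect failed: %s\n", $label, $r['error']);
    } else {
        printf("%-24s encrypted=%s cipher=%s\n", $label,
            $r['encrypted'] ? 'yes' : 'NO', $r['cipher'] ?: '(none)');
    }
}
```

A case that connects but prints `encrypted=NO` is a plaintext session, which the application should treat as a failure rather than a working configuration.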

Last updated: Sat Nov 27 06:03:14 2021 UTC