#2954 (ok 4.1) MySQL connection with SSL fails

3.5.6
fixed
5
2013-12-17
2009-12-10
Matt Skeoch
No

PHP mysqli/mysql connect fails to shake with SSL enabled/required MySQL server (5.0.51a).

MYSQL_CLIENT_SSL / MYSQLI_CLIENT_SSL parameter is found to not work correctly.

Workaround for mysqli_real_connect() is to place the following after/in place of line 93 for './libraries/dbi/mysql.dbi.lib.php':

@mysqli_ssl_set($link, $GLOBALS['cfg']['Server']['sslkey'], $GLOBALS['cfg']['Server']['sslcert'], $GLOBALS['cfg']['Server']['sslca'], $GLOBALS['cfg']['Server']['sslcapath'], $GLOBALS['cfg']['Server']['sslcipher']);

Populate the ./config.inc.php with the listed config options. Config options sslcapath and sslcipher can be set to NULL.

I have not looked at a workaround for mysql_connect().

Discussion

  • Marc Delisle
    2009-12-30

    - Which PHP version are you using?

    - Which version of the MySQL client library are you using? (I'm not asking about the version of the MySQL server)

     
  • Marc Delisle
    2009-12-30

    • assigned_to: nobody --> lem9
    • status: open --> pending
     
  • Matt Skeoch
    2009-12-30

    MySQL(i) client version 5.0.51a
    PHP version 5.2.4-2ubuntu5.9
    Server full version is "Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (x86_64) using readline 5.2"

     
  • Matt Skeoch
    2009-12-30

    • status: pending --> open
     
  • Marc Delisle
    2009-12-30

    • assigned_to: lem9 --> nobody
     
  • Marc Delisle
    2009-12-31

    Do you know if your server has been compiled with YASSL support or with OpenSSL support?
    Also, please show me the paths you are setting in $GLOBALS['cfg']['Server']['sslkey'],
    $GLOBALS['cfg']['Server']['sslcert'], $GLOBALS['cfg']['Server']['sslca']. As you might guess I'm not familiar with this, I don't even have a server ready to test this.

     
  • Matt Skeoch
    2009-12-31

    I have full OpenSSL support. Kerberos is in use on the machine as well; everything is encrypted in and out. Kerberos is not used to handle the MySQL authentication, however.

    MySQL SSL is X509 compliant, meaning we have to have a public/private key to shake on both ends. Both the server and client have to have their own keys to send back and forth, signed by the same CA. The CA is used to authorize the connection via SSL before a connection for user/pass is allowed to establish.

    Here are the vars you asked for:

    $cfg['Servers'][$i]['sslkey'] = '/etc/certs/mysql/client.key';
    $cfg['Servers'][$i]['sslcert'] = '/etc/certs/mysql/client.crt';
    $cfg['Servers'][$i]['sslca'] = '/etc/certs/ca/ca.crt';
    $cfg['Servers'][$i]['sslcapath'] = NULL;
    $cfg['Servers'][$i]['sslcipher'] = NULL;

    Apparently we can establish just using the CA (non X509) but I have not tested it. I believe for a self-signed cert we need the CA set as a minimum.
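
The workaround from the report, written out with the client settings quoted in the comment above and followed by a check that the session is actually encrypted. This is an added example, not phpMyAdmin code or code from any participant in this thread; the host, user, password source and the `connect_with_ssl` helper are assumptions.

```php
<?php
// Added example, not phpMyAdmin code. Host, user and password are
// placeholders; the certificate paths are the ones quoted in the comment above.
$server = [
    'host'      => 'db.example.test',           // placeholder
    'user'      => 'pma_user',                  // placeholder
    'password'  => getenv('DB_PASSWORD') ?: '', // assumed to come from the environment
    'sslkey'    => '/etc/certs/mysql/client.key',
    'sslcert'   => '/etc/certs/mysql/client.crt',
    'sslca'     => '/etc/certs/ca/ca.crt',
    'sslcapath' => null,
    'sslcipher' => null,
];

function connect_with_ssl(array $s): mysqli   // hypothetical helper
{
    mysqli_report(MYSQLI_REPORT_OFF); // return values are checked below

    // mysqli_ssl_set() always returns true; a bad path only surfaces as a
    // connect failure, so check the files before connecting.
    foreach (['sslkey', 'sslcert', 'sslca'] as $opt) {
        if (!is_readable($s[$opt])) {
            throw new RuntimeException("$opt is not readable: {$s[$opt]}");
        }
    }

    $link = mysqli_init();
    // Must be called before mysqli_real_connect().
    mysqli_ssl_set($link, $s['sslkey'], $s['sslcert'], $s['sslca'],
                   $s['sslcapath'], $s['sslcipher']);

    if (!mysqli_real_connect($link, $s['host'], $s['user'], $s['password'],
                             null, 3306, null, MYSQLI_CLIENT_SSL)) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }

    // An empty Ssl_cipher value means the session is not encrypted.
    $res = mysqli_query($link, "SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    $row = $res ? $res->fetch_row() : null;
    if (!$row || $row[1] === '') {
        mysqli_close($link);
        throw new RuntimeException('connected, but the session is not using SSL');
    }
    return $link;
}

$link = connect_with_ssl($server);
echo "SSL session established\n";
```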

     
  • Isaac Bennetch
    2012-09-07

    Would you mind checking out the git branch at https://github.com/ibennetch/phpmyadmin/tree/ssl and testing that (taking note that I renamed some of the variables)? I don't have an ssl-configured server handy.

     
  • Marc Delisle
    2013-01-20

    • milestone: 3.2.4 --> 3.5.6
     
  • Martin Burger
    2013-07-19

    At least in 4.0.4.1, this is still present.

     