PHP mysqli/mysql connect fails to shake with SSL enabled/required MySQL server (5.0.51a).
MYSQL_CLIENT_SSL / MYSQLI_CLIENT_SSL parameter is found to not work correctly.
Workaround for mysqli_real_connect() is to place the following after/in place of line 93 for './libraries/dbi/mysql.dbi.lib.php':
@mysqli_ssl_set($link, $GLOBALS['cfg']['Server']['sslkey'], $GLOBALS['cfg']['Server']['sslcert'], $GLOBALS['cfg']['Server']['sslca'], $GLOBALS['cfg']['Server']['sslcapath'], $GLOBALS['cfg']['Server']['sslcipher']);
Populate the ./config.inc.php with the listed config options. Config options sslcapath and sslcipher can be set to NULL.
I have not looked at a workaround for mysql_connect().
- Which PHP version are you using?
- Which version of the MySQL client library are you using? (I'm not asking about the version of the MySQL server)
MySQL(i) client version 5.0.51a
PHP version 5.2.4-2ubuntu5.9
Server full version is "Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (x86_64) using readline 5.2"
Do you know if your server has been compiled with YASSL support or with OpenSSL support?
Also, please show me the paths you are setting in $GLOBALS['cfg']['Server']['sslkey'], $GLOBALS['cfg']['Server']['sslcert'], $GLOBALS['cfg']['Server']['sslca']. As you might guess, I'm not familiar with this; I don't even have a server ready to test this.
I have full OpenSSL support. Kerberos is in use on the machine as well; everything is encrypted in and out. Kerberos is not used to handle the MySQL authentication, however.
MySQL SSL is X509 compliant, meaning we have to have a public/private key to shake on both ends. Both the server and client have to have their own keys to send back and forth, signed by the same CA. The CA is used to authorize the connection via SSL before a connection for user/pass is allowed to establish.
Here are the vars you asked for:
$cfg['Servers'][$i]['sslkey'] = '/etc/certs/mysql/client.key';
$cfg['Servers'][$i]['sslcert'] = '/etc/certs/mysql/client.crt';
$cfg['Servers'][$i]['sslca'] = '/etc/certs/ca/ca.crt';
$cfg['Servers'][$i]['sslcapath'] = NULL;
$cfg['Servers'][$i]['sslcipher'] = NULL;
Apparently we can establish just using the CA (non X509) but I have not tested it. I believe for a self-signed cert we need the CA set as a minimum.
Would you mind checking out the git branch at https://github.com/ibennetch/phpmyadmin/tree/ssl and testing that (taking note that I renamed some of the variables)? I don't have an ssl-configured server handy.
At least in 4.0.4.1, this is still present.
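The connection sequence discussed in this thread, as an added example that is not phpMyAdmin's code or any participant's: it calls mysqli_ssl_set() before mysqli_real_connect() with MYSQLI_CLIENT_SSL, then confirms from the server's Ssl_cipher status that the session is actually encrypted. The host, user and password are placeholders and the function name connect_with_ssl() is hypothetical; the certificate paths are the ones quoted above.

```php
<?php
// Added example. Certificate paths are those quoted in the thread;
// host, user and password below are placeholders.
$ssl = array(
    'key'    => '/etc/certs/mysql/client.key',
    'cert'   => '/etc/certs/mysql/client.crt',
    'ca'     => '/etc/certs/ca/ca.crt',
    'capath' => null,
    'cipher' => null,
);

function connect_with_ssl($host, $user, $pass, array $ssl)
{
    // mysqli_ssl_set() always returns true, so a wrong path only surfaces
    // later as a connect error. Check the files up front instead.
    foreach (array('key', 'cert', 'ca') as $opt) {
        if ($ssl[$opt] !== null && !is_readable($ssl[$opt])) {
            throw new RuntimeException("SSL option '$opt' is not readable: {$ssl[$opt]}");
        }
    }
    mysqli_report(MYSQLI_REPORT_OFF); // use return values, not exceptions
    $link = mysqli_init();
    mysqli_ssl_set($link, $ssl['key'], $ssl['cert'], $ssl['ca'],
                   $ssl['capath'], $ssl['cipher']);
    if (!mysqli_real_connect($link, $host, $user, $pass, null, 3306, null,
                             MYSQLI_CLIENT_SSL)) {
        throw new RuntimeException('Connect failed: ' . mysqli_connect_error());
    }
    // An empty Ssl_cipher value means the session is running in cleartext.
    $res = mysqli_query($link, "SHOW STATUS LIKE 'Ssl_cipher'");
    $row = $res ? mysqli_fetch_assoc($res) : null;
    if (!$row || $row['Value'] === '') {
        mysqli_close($link);
        throw new RuntimeException('Connected, but the session is not encrypted');
    }
    return array($link, $row['Value']);
}

try {
    list($link, $cipher) = connect_with_ssl('db.example.test', 'pma_user', 'placeholder', $ssl);
    echo "Encrypted session, cipher: $cipher\n";
    mysqli_close($link);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```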