#3618 ssl connection to mysql server doesn't work when using mysqli

3.3.7
duplicate
nobody
5
2013-06-11
2012-06-24
Simon Putz
No

Using phpMyAdmin 3.3.7deb7, connecting to a mysql server which requires ssl doesn't work over the mysqli extension.
The mysql extension works fine.

$server [ssl] is set to true.

file mysqli.dbi.lib.php.orig, line 106

>>>
/* Optionally enable SSL */
if ($GLOBALS['cfg']['Server']['ssl'] && defined('MYSQLI_CLIENT_SSL')) {
    $client_flags |= MYSQLI_CLIENT_SSL;
}
<<<

makes no sense.
The ssl connection is not properly initialized. There should be per-server parameters for ssl key, cipher etc. as suggested in one workaround regarding this issue.

The smallest fix I could do was the following one-liner to initialize ssl on the connection before it is initialized:

>>>
/* Optionally enable SSL */
if ($GLOBALS['cfg']['Server']['ssl'] && defined('MYSQLI_CLIENT_SSL')) {
    mysqli_ssl_set($link, '/etc/mysql/client-key.pem', NULL, NULL, NULL, NULL);
}
<<<
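
The ordering the report describes, as an added example that is not phpMyAdmin code or the reporter's patch: the TLS parameters are attached to the handle with `mysqli_ssl_set()` before `mysqli_real_connect()`, and the session is rejected if `Ssl_cipher` comes back empty. The `ssl_*` array keys, the `connect_mysqli()` helper and the `DB_USER`/`DB_PASSWORD` environment variables are assumptions of this example; host, port and client key paths are the ones quoted in this ticket.

```php
<?php
// Added example, not phpMyAdmin code. The 'ssl_*' keys are hypothetical
// per-server settings; host, port and key paths are taken from this ticket.
$server = [
    'host'        => '10.1.10.1',
    'port'        => 13306,
    'ssl'         => true,
    'ssl_key'     => '/etc/mysql/client-key.pem',
    'ssl_cert'    => '/etc/mysql/client-cert.pem',
    'ssl_ca'      => null,  // path to a CA file, if the client has one
    'ssl_ca_path' => null,
    'ssl_ciphers' => null,  // e.g. 'DHE-RSA-AES256-SHA' to match the server
];

function connect_mysqli(array $server, string $user, string $password): mysqli
{
    // Make connection and query failures throw instead of returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $link  = mysqli_init();
    $flags = 0;
    if (!empty($server['ssl'])) {
        // TLS material must be set on the handle BEFORE connecting.
        mysqli_ssl_set($link, $server['ssl_key'], $server['ssl_cert'],
            $server['ssl_ca'], $server['ssl_ca_path'], $server['ssl_ciphers']);
        $flags |= MYSQLI_CLIENT_SSL;
    }
    mysqli_real_connect($link, $server['host'], $user, $password, null,
        (int) $server['port'], null, $flags);

    if (!empty($server['ssl'])) {
        // Fail closed: an empty Ssl_cipher means the session is plaintext.
        $row = mysqli_fetch_row(mysqli_query($link, "SHOW STATUS LIKE 'Ssl_cipher'"));
        if (!$row || $row[1] === '') {
            mysqli_close($link);
            throw new RuntimeException('SSL requested but session is not encrypted');
        }
    }
    return $link;
}

// Constructed usage: credentials come from the environment, not from the page.
if (PHP_SAPI === 'cli' && getenv('DB_USER') !== false) {
    $link = connect_mysqli($server, getenv('DB_USER'), (string) getenv('DB_PASSWORD'));
    echo "connected, TLS cipher verified\n";
    mysqli_close($link);
}
```

The `Ssl_cipher` check is the same one the `mysql` command-line session in this ticket uses to confirm the link is encrypted.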

Discussion

  • Ann + J.M.

    Ann + J.M. - 2012-06-30

    The phpMyAdmin version you are using is not very recent. Could you try and reproduce this problem on http://demo.phpmyadmin.net (preferably the latest development version)?

     
  • Simon Putz

    Simon Putz - 2012-07-02

    same code is used in current dev version:

    phpMyAdmin-master-20120702-022003# vi libraries/dbi/mysqli.dbi.lib.php

    around lines 148-151

    /* Optionally enable SSL */
    if ($cfg['Server']['ssl'] && defined('MYSQLI_CLIENT_SSL')) {
        $client_flags |= MYSQLI_CLIENT_SSL;
    }

    Setting the connection flag just by pushing the constant MYSQLI_CLIENT_SSL is not what has to be done here.

    Please check the PHP documentation and my previous comment for the most minimal fix for connecting to a mysql server just requiring ssl and no specific cipher or cert.

    The best fix would be to push out all parameters taken by ssl_set call to the $server config var.

    http://www.php.net/manual/en/mysqli.ssl-set.php

     
  • Isaac Bennetch

    Isaac Bennetch - 2012-09-07

    Would you mind checking out the git branch at https://github.com/ibennetch/phpmyadmin/tree/ssl and testing that (taking note that I renamed some of the variables)? I don't have an ssl-configured server handy.

     
  • Simon Putz

    Simon Putz - 2012-09-10

    Hello Isaac,

    thank you very much for the commit.
    I have tested the 'ssl' branch from git and it still doesn't work.
    I have seen the changes for config itself at config.default.php, but I don't see them used anywhere, and also no changes in the actual DBI library

    https://github.com/ibennetch/phpmyadmin/blob/ssl/libraries/dbi/mysqli.dbi.lib.php

    Am I looking in the right place, or maybe not all changes have been committed yet?

     
  • Simon Putz

    Simon Putz - 2012-12-10

    I tested using 4.0.0-dev SVN from September 10th, 2012 and it worked, so it seems to be fixed now!

     
  • Marc Delisle

    Marc Delisle - 2012-12-10

    @xenium: I guess you mean git instead of SVN?

     
  • Simon Putz

    Simon Putz - 2012-12-12

    I have reproduced the scenario using the latest snapshot as of today
    phpMyAdmin-master-latest.tar.bz2
    6.6 MiB
    42806b2a882f0d3d6afa995bee5534c9

    (phpMyAdmin-master-20121212-022001)

    I have set up the following scenario :

    Set up Host A with vanilla phpmyadmin 20121212-022001 running on apache2.2 over plain http.

    Relevant configuration in config.inc.php as follows:

    $cfg['Servers'][$i]['host'] = '10.1.10.1';
    $cfg['Servers'][$i]['port'] = '13306';
    $cfg['Servers'][$i]['ssl'] = TRUE;
    $cfg['Servers'][$i]['extension'] = 'mysqli';

    Set up Host B (ip address 10.1.10.1) with MYSQLD configured to only accept connections with SSL.

    MySQL server version: 5.1.66-0+squeeze1 (Debian)

    Relevant my.cnf entries as follows:

    [mysqld]
    port = 13306
    bind-address = 10.1.10.1
    ssl-ca=/etc/mysql/ca-cert.pem
    ssl-cert=/etc/mysql/server-cert.pem
    ssl-key=/etc/mysql/server-key.pem
    ssl-cipher=DHE-RSA-AES256-SHA

    SSL user account for testing is configured to REQUIRE SSL

    mysql> show grants;
    +------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Grants for root@10.1.13.239 |
    +------------------------------------------------------------------------------------------------------------------------------------------------------+
    | GRANT ALL PRIVILEGES ON *.* TO 'root'@'10.1.13.239' IDENTIFIED BY PASSWORD '*9797292CB78C5D13AEA6DF8FEA06843BA60F754A' REQUIRE SSL WITH GRANT OPTION |

    Verify that connectivity works over mysql command line client run on Host A:

    root@j37437:~/pma# mysql --ssl -h 10.1.10.1 -P 13306 -p --ssl-key /etc/mysql/client-key.pem --ssl-cert /etc/mysql/client-cert.pem
    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 63
    Server version: 5.1.66-0+squeeze1 (Debian)

    Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql> show status like 'ssl_cipher';
    +---------------+--------------------+
    | Variable_name | Value |
    +---------------+--------------------+
    | Ssl_cipher | DHE-RSA-AES256-SHA |
    +---------------+--------------------+
    1 row in set (0.00 sec)

    (OK)

    Check PHPMYADMIN works from Host A

    -> FAILS with

    '#1045 Cannot log in to the MySQL server'

    -> Change config.inc.php

    $cfg['Servers'][$i]['extension'] = 'mysqli';

    to

    $cfg['Servers'][$i]['extension'] = 'mysql';

    -> SUCCESS

    So, partial success so far: with the legacy 'mysql' extension, connectivity to servers requiring SSL works now.

    Something in the 'mysqli' extension is still broken, it seems.

     
  • Michal Čihař

    Michal Čihař - 2013-06-11
    • status: open --> duplicate