Using phpMyAdmin 3.3.7deb7, connecting to a MySQL server which requires SSL doesn't work over the mysqli extension.
The mysql extension works fine.
$server [ssl] is set to true.
File mysqli.dbi.lib.php.orig, line 106
>>>
/* Optionally enable SSL */
if ($GLOBALS['cfg']['Server']['ssl'] && defined('MYSQLI_CLIENT_SSL')) {
    $client_flags |= MYSQLI_CLIENT_SSL;
}
<<<
makes no sense.
The SSL connection is not properly initialized. There should be per-server parameters for SSL key, cipher etc., as suggested in one workaround regarding this issue.
The smallest fix I could do was the following one-liner to initialize SSL on the connection before it is initialized:
>>>
/* Optionally enable SSL */
if ($GLOBALS['cfg']['Server']['ssl'] && defined('MYSQLI_CLIENT_SSL')) {
    mysqli_ssl_set($link, '/etc/mysql/client-key.pem', NULL, NULL, NULL, NULL);
}
<<<
The phpMyAdmin version you are using is not very recent. Could you try and reproduce this problem on http://demo.phpmyadmin.net (preferably the latest development version)?
The same code is used in the current dev version:
phpMyAdmin-master-20120702-022003# vi libraries/dbi/mysqli.dbi.lib.php
around lines 148-151
/* Optionally enable SSL */
if ($cfg['Server']['ssl'] && defined('MYSQLI_CLIENT_SSL')) {
    $client_flags |= MYSQLI_CLIENT_SSL;
}
Setting the connection flag just by pushing the constant MYSQLI_CLIENT_SSL is not what has to be done here.
Please check the PHP documentation and my previous comment for the most minimal fix for connecting to a mysql server just requiring ssl and no specific cipher or cert.
The best fix would be to push out all parameters taken by ssl_set call to the $server config var.
http://www.php.net/manual/en/mysqli.ssl-set.php
Would you mind checking out the git branch at https://github.com/ibennetch/phpmyadmin/tree/ssl and testing that (taking note that I renamed some of the variables)? I don't have an ssl-configured server handy.
Hello Isaac,
thank you very much for the commit.
I have tested the 'ssl' branch from git and it still doesn't work.
I have seen the changes for config itself at config.default.php, but I don't see them used anywhere, and also no changes in the actual DBI library
https://github.com/ibennetch/phpmyadmin/blob/ssl/libraries/dbi/mysqli.dbi.lib.php
Am I looking in the right place, or maybe not all changes have been committed yet?
I tested using 4.0.0-dev SVN from September 10th, 2012 and it worked, so it seems to be fixed now!
@xenium: I guess you mean git instead of SVN?
I have reproduced the scenario using the latest snapshot as of today
phpMyAdmin-master-latest.tar.bz2
6.6 MiB
42806b2a882f0d3d6afa995bee5534c9
(phpMyAdmin-master-20121212-022001)
I have set up the following scenario:
Set up Host A with vanilla phpmyadmin 20121212-022001 running on apache2.2 over plain http.
Relevant configuration in config.inc.php as follows:
$cfg['Servers'][$i]['host'] = '10.1.10.1';
$cfg['Servers'][$i]['port'] = '13306';
$cfg['Servers'][$i]['ssl'] = TRUE;
$cfg['Servers'][$i]['extension'] = 'mysqli';
Set up Host B (ip address 10.1.10.1) with MYSQLD configured to only accept connections with SSL.
MySQL server version: 5.1.66-0+squeeze1 (Debian)
Relevant my.cnf entries as follows:
[mysqld]
port = 13306
bind-address = 10.1.10.1
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
ssl-cipher=DHE-RSA-AES256-SHA
SSL user account for testing is configured to REQUIRE SSL
mysql> show grants;
+------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@10.1.13.239 |
+------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'10.1.13.239' IDENTIFIED BY PASSWORD '*9797292CB78C5D13AEA6DF8FEA06843BA60F754A' REQUIRE SSL WITH GRANT OPTION |
Verify that connectivity works over mysql command line client run on Host A:
root@j37437:~/pma# mysql --ssl -h 10.1.10.1 -P 13306 -p --ssl-key /etc/mysql/client-key.pem --ssl-cert /etc/mysql/client-cert.pem
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 63
Server version: 5.1.66-0+squeeze1 (Debian)
Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show status like 'ssl_cipher';
+---------------+--------------------+
| Variable_name | Value |
+---------------+--------------------+
| Ssl_cipher | DHE-RSA-AES256-SHA |
+---------------+--------------------+
1 row in set (0.00 sec)
(OK)
Check PHPMYADMIN works from Host A
-> FAILS with
'#1045 Cannot log in to the MySQL server'
-> Change config.inc.php
$cfg['Servers'][$i]['extension'] = 'mysqli';
to
$cfg['Servers'][$i]['extension'] = 'mysql';
-> SUCCESS
So, partial success so far: with the legacy 'mysql' extension, connectivity to servers requiring SSL works now.
Something in the 'mysqli' extension is still broken, it seems.
See https://sourceforge.net/p/phpmyadmin/bugs/2954/
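
The call order discussed in this thread, as an added example that is not phpMyAdmin's code: key material is registered with mysqli_ssl_set() before mysqli_real_connect(), and the session is then checked for a negotiated cipher, as the reporter did by hand with SHOW STATUS. The $server keys, the PMA_TEST_PASSWORD variable and the client-side CA path are assumptions; host, port and client key/cert paths are those of the test scenario above.

```php
<?php
// Hypothetical per-server settings (not phpMyAdmin's own config keys).
$server = [
    'host'       => '10.1.10.1',
    'port'       => 13306,
    'user'       => 'root',
    'password'   => getenv('PMA_TEST_PASSWORD') ?: '', // assumed env variable
    'ssl'        => true,
    'ssl_key'    => '/etc/mysql/client-key.pem',
    'ssl_cert'   => '/etc/mysql/client-cert.pem',
    'ssl_ca'     => '/etc/mysql/ca-cert.pem', // assumed to be present on the client
    'ssl_cipher' => null,                      // null: no cipher restriction
];

function connect_with_ssl(array $s): mysqli
{
    $link  = mysqli_init();
    $flags = 0;
    if ($s['ssl'] && defined('MYSQLI_CLIENT_SSL')) {
        // Must be called after mysqli_init() and before mysqli_real_connect().
        mysqli_ssl_set($link, $s['ssl_key'], $s['ssl_cert'], $s['ssl_ca'], null, $s['ssl_cipher']);
        $flags |= MYSQLI_CLIENT_SSL;
    }
    if (!@mysqli_real_connect($link, $s['host'], $s['user'], $s['password'],
                              null, $s['port'], null, $flags)) {
        throw new RuntimeException('Connect failed: ' . mysqli_connect_error());
    }
    if ($s['ssl']) {
        // mysqli_ssl_set() always returns true, so a bad key or CA path only
        // shows up at connect time; confirm the session really is encrypted.
        $res = mysqli_query($link, "SHOW STATUS LIKE 'Ssl_cipher'");
        $row = $res ? mysqli_fetch_row($res) : null;
        if (empty($row[1])) {
            mysqli_close($link);
            throw new RuntimeException('Connected, but the session is not encrypted');
        }
    }
    return $link;
}

// Usage: $link = connect_with_ssl($server);
```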