ius-coredev team mailing list archive

[Bug 1145176] [NEW] PDO from PHP 5.3.21 does not properly connect to MySQL via SSL

 

Public bug reported:

Thanks for the work on IUS!

I am using CentOS 6 and RHEL 6 servers (the RHEL servers are hosted at
Rackspace) with IUS installed. On each, the following set of packages is
installed:

php53u-cli-5.3.21-1.ius.el6.x86_64
php53u-5.3.21-1.ius.el6.x86_64
php53u-mbstring-5.3.21-1.ius.el6.x86_64
php53u-devel-5.3.21-1.ius.el6.x86_64
php53u-common-5.3.21-1.ius.el6.x86_64
php53u-xml-5.3.21-1.ius.el6.x86_64
php53u-soap-5.3.21-1.ius.el6.x86_64
php53u-mysql-5.3.21-1.ius.el6.x86_64
php53u-gd-5.3.21-1.ius.el6.x86_64
php53u-pear-1.9.4-3.ius.el6.noarch
php53u-suhosin-0.9.33-1.ius.el6.x86_64
php53u-pecl-apc-3.1.9-4.ius.el6.x86_64
php53u-pdo-5.3.21-1.ius.el6.x86_64
php53u-pecl-memcache-3.0.7-2.ius.el6.x86_64

I am using Percona Server 5.5, set up to only accept SSL connections for
certain users using the --ssl, --ssl-ca, --ssl-cert, and --ssl-key
options to mysqld and a user with GRANTs that have been assigned using
"REQUIRE X509" in order to require an SSL connection and that the
certificate in question is validated by the CA certificate.

(PDO support for SSL in MySQL was added in PHP 5.3.7 and fixed to
actually work in PHP 5.3.9, so these versions should be sufficient.)

I can verify that outside of PHP, connecting to Percona server in this
fashion fails because the connection is neither over SSL nor using an
accepted certificate:

mysql -uuser -ppass -Dclient-db

While using the SSL options with the mysql binary works, like so:

mysql -uuser -ppass -Dclient-db --ssl --ssl-cert=/opt/ssl/mysql-client-cert.pem --ssl-key=/opt/ssl/mysql-client-key.pem --ssl-ca=/opt/ssl/mysql-ca-cert.pem

However, if I try to make a simple PHP script that connects to this same
MySQL database using SSL through PDO, it can never connect. The sample
script I'm using is as follows:

<?php

$pdo = new PDO('mysql:host=localhost;dbname=client-db', 'user', 'pass', array(
  PDO::MYSQL_ATTR_SSL_KEY  => '/opt/ssl/mysql-client-key.pem',
  PDO::MYSQL_ATTR_SSL_CERT => '/opt/ssl/mysql-client-cert.pem',
  PDO::MYSQL_ATTR_SSL_CA   => '/opt/ssl/mysql-ca-cert.pem',
  PDO::MYSQL_ATTR_SSL_CAPATH   => '/opt/ssl/',
  PDO::MYSQL_ATTR_SSL_CIPHER   => 'DHE-RSA-AES256-SHA:AES128-SHA',
));

foreach ($pdo->query('SHOW STATUS LIKE "%Ssl%"') as $row) {
  var_dump($row[0] . ": " . $row[1]);
}

The error I get is as follows:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[28000] [1045] Access denied for user 'user'@'localhost' (using password: YES)' in /opt/development/client/docroot/mysql-test.php:9
Stack trace:
#0 /opt/development/client/docroot/mysql-test.php(9): PDO->__construct('mysql:host=loca...', 'user', 'pass', Array)
#1 {main}
  thrown in /opt/development/client/docroot/mysql-test.php on line 9

This seems to support the idea that PDO is not connecting to MySQL using
SSL at all. An strace while running this script from the CLI confirms
this behavior - there are no open() calls on any of the .pem files in
question.

This leads me to believe that this particular #ifdefine is being left
out when php53u is built from IUS:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/pdo_mysql/mysql_driver.c?revision=323930&view=markup#l717

I'm going to look into this some more. If any users of IUS have
successfully connected to a MySQL database that requires SSL using PDO
from IUS php53u, I'd love to hear it. (Or if you have any pointers on
how I might change the php53u spec to get PDO SSL support included, I'd
love to hear it.)

** Affects: ius
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of IUS Core
Development, which is subscribed to IUS Community Project.
https://bugs.launchpad.net/bugs/1145176

Title:
  PDO from PHP 5.3.21 does not properly connect to MySQL via SSL

Status in IUS Community Project:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ius/+bug/1145176/+subscriptions
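
The strace check described in the report, as an added example that is not part of the original message: it reads an strace log and reports which of the client's key, certificate and CA files were never opened successfully, so a driver that silently ignores its SSL options shows up at once. The function names and both sample logs are constructed for illustration; a failed open() is counted as "not read", which goes slightly beyond the case in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): check an strace log for the
# client's TLS files. Capture one with, for instance:
#   strace -f -e trace=open,openat -o trace.log php mysql-test.php

# Print each path that open()/openat() opened successfully (returned an fd).
opened_paths() {
    sed -n -E 's/^.*open(at)?\((AT_FDCWD, )?"([^"]+)".*\) = [0-9]+$/\3/p' "$1" | sort -u
}

# Print every expected file that was never opened successfully.
missing_tls_files() {
    log=$1; shift
    opened=$(opened_paths "$log")
    for f in "$@"; do
        printf '%s\n' "$opened" | grep -qxF -- "$f" || printf '%s\n' "$f"
    done
}

# Succeed only if the process read all of its key, certificate and CA files.
tls_material_loaded() {
    [ -z "$(missing_tls_files "$@")" ]
}

# Constructed sample logs (not real captures), using the report's paths.
CLI_LOG=$(mktemp); NOTLS_LOG=$(mktemp)
trap 'rm -f "$CLI_LOG" "$NOTLS_LOG"' EXIT
cat > "$CLI_LOG" <<'EOF'
open("/etc/my.cnf", O_RDONLY) = 3
open("/opt/ssl/mysql-ca-cert.pem", O_RDONLY) = 4
open("/opt/ssl/mysql-client-cert.pem", O_RDONLY) = 4
[pid 4242] openat(AT_FDCWD, "/opt/ssl/mysql-client-key.pem", O_RDONLY) = 4
EOF
# No certificate or CA opens at all, and a key open that failed.
cat > "$NOTLS_LOG" <<'EOF'
open("/etc/php.ini", O_RDONLY) = 3
open("/opt/ssl/mysql-client-key.pem", O_RDONLY) = -1 EACCES (Permission denied)
EOF

set -- /opt/ssl/mysql-client-key.pem /opt/ssl/mysql-client-cert.pem /opt/ssl/mysql-ca-cert.pem
for trace in "$CLI_LOG" "$NOTLS_LOG"; do
    if tls_material_loaded "$trace" "$@"; then echo "TLS files read"
    else echo "TLS files NOT read:"; missing_tls_files "$trace" "$@"; fi
done
```

A clean result only shows the files were read; whether the session is actually encrypted is still confirmed from the connection itself, as the report's script does with SHOW STATUS LIKE "%Ssl%".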

