
ius-coredev team mailing list archive

[Bug 1145176] Re: PDO from PHP 5.3.21 does not properly connect to MySQL via SSL

 

Ben,

Thanks for the quick response. I've never seen it work.

We are using Percona's yum repository, and have the following packages
installed:

Percona-Server-client-55-5.5.29-rel30.0.451.rhel6.x86_64
Percona-Server-shared-55-5.5.29-rel30.0.451.rhel6.x86_64
Percona-Server-server-55-5.5.29-rel30.0.451.rhel6.x86_64
Percona-Server-shared-compat-5.5.29-rel30.0.451.rhel6.x86_64

I'm going to try a more minimal test case with the system MySQL if I
can, and I might also try it on my Mac using a Homebrew build of PHP to
see if it's really an upstream or a packaging issue.

-- 
You received this bug notification because you are a member of IUS Core
Development, which is subscribed to IUS Community Project.
https://bugs.launchpad.net/bugs/1145176

Title:
  PDO from PHP 5.3.21 does not properly connect to MySQL via SSL

Status in IUS Community Project:
  New

Bug description:
  Thanks for the work on IUS!

  I am using CentOS 6 and RHEL 6 servers (the RHEL servers are hosted at
  Rackspace) with IUS installed. On each, the following set of packages
  is installed:

  php53u-cli-5.3.21-1.ius.el6.x86_64
  php53u-5.3.21-1.ius.el6.x86_64
  php53u-mbstring-5.3.21-1.ius.el6.x86_64
  php53u-devel-5.3.21-1.ius.el6.x86_64
  php53u-common-5.3.21-1.ius.el6.x86_64
  php53u-xml-5.3.21-1.ius.el6.x86_64
  php53u-soap-5.3.21-1.ius.el6.x86_64
  php53u-mysql-5.3.21-1.ius.el6.x86_64
  php53u-gd-5.3.21-1.ius.el6.x86_64
  php53u-pear-1.9.4-3.ius.el6.noarch
  php53u-suhosin-0.9.33-1.ius.el6.x86_64
  php53u-pecl-apc-3.1.9-4.ius.el6.x86_64
  php53u-pdo-5.3.21-1.ius.el6.x86_64
  php53u-pecl-memcache-3.0.7-2.ius.el6.x86_64

  I am using Percona Server 5.5, set up to only accept SSL connections
  for certain users using the --ssl, --ssl-ca, --ssl-cert, and --ssl-key
  options to mysqld and a user with GRANTs that have been assigned using
  "REQUIRE X509" in order to require an SSL connection and that the
  certificate in question is validated by the CA certificate.

  (PDO support for SSL in MySQL was added in PHP 5.3.7 and fixed to
  actually work in PHP 5.3.9, so these versions should be sufficient.)

  I can verify that outside of PHP, connecting to Percona server in this
  fashion fails because the connection is neither over SSL nor using an
  accepted certificate:

  mysql -uuser -ppass -Dclient-db

  While using the SSL options with the mysql binary works, like so:

  mysql -uuser -ppass -Dclient-db --ssl --ssl-cert=/opt/ssl/mysql-client-cert.pem --ssl-key=/opt/ssl/mysql-client-key.pem --ssl-ca=/opt/ssl/mysql-ca-cert.pem

  However, if I try to make a simple PHP script that connects to this
  same MySQL database using SSL through PDO, it can never connect. The
  sample script I'm using is as follows:

  <?php

  $pdo = new PDO('mysql:host=localhost;dbname=client-db', 'user', 'pass', array(
    PDO::MYSQL_ATTR_SSL_KEY  => '/opt/ssl/mysql-client-key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/opt/ssl/mysql-client-cert.pem',
    PDO::MYSQL_ATTR_SSL_CA   => '/opt/ssl/mysql-ca-cert.pem',
    PDO::MYSQL_ATTR_SSL_CAPATH   => '/opt/ssl/',
    PDO::MYSQL_ATTR_SSL_CIPHER   => 'DHE-RSA-AES256-SHA:AES128-SHA',
  ));

  foreach ($pdo->query('SHOW STATUS LIKE "%Ssl%"') as $row) {
    var_dump($row[0] . ": " . $row[1]);
  }

  The error I get is as follows:

  Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[28000] [1045] Access denied for user 'user'@'localhost' (using password: YES)' in /opt/development/client/docroot/mysql-test.php:9
  Stack trace:
  #0 /opt/development/client/docroot/mysql-test.php(9): PDO->__construct('mysql:host=loca...', 'user', 'pass', Array)
  #1 {main}
    thrown in /opt/development/client/docroot/mysql-test.php on line 9

  This seems to support the idea that PDO is not connecting to MySQL
  using SSL at all. An strace while running this script from the CLI
  confirms this behavior - there are no open() calls on any of the .pem
  files in question.

  This leads me to believe that this particular #ifdefine is being left
  out when php53u is built from IUS:
  http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/pdo_mysql/mysql_driver.c?revision=323930&view=markup#l717

  I'm going to look into this some more. If any users of IUS have
  successfully connected to a MySQL database that requires SSL using PDO
  from IUS php53u, I'd love to hear it. (Or if you have any pointers on
  how I might change the php53u spec to get PDO SSL support included,
  I'd love to hear it.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ius/+bug/1145176/+subscriptions
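
A client-side check for the failure mode reported above, added here as an example and not taken from the bug report or from IUS: it connects with the SSL attributes and refuses to continue unless the session reports a negotiated cipher. The host, database, credentials and certificate paths are the placeholders from the report; assertSslSession() is a hypothetical helper name, and the script is meant to be run from the PHP CLI.

```php
<?php
// Added example (not from the bug report). Host, database, credentials and
// certificate paths are the placeholders used in the report.

/**
 * Return the cipher of the current session, or throw if the session is
 * not encrypted. Ssl_cipher is empty on a plaintext connection.
 */
function assertSslSession(PDO $pdo)
{
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_NUM);
    $cipher = $row ? $row[1] : '';
    if ($cipher === '') {
        throw new RuntimeException('MySQL session is not using SSL');
    }
    return $cipher;
}

// Fail early if this build does not expose the SSL attributes at all.
foreach (array('KEY', 'CERT', 'CA') as $name) {
    if (!defined('PDO::MYSQL_ATTR_SSL_' . $name)) {
        fwrite(STDERR, "PDO::MYSQL_ATTR_SSL_$name is not defined in this build\n");
        exit(2);
    }
}

try {
    $pdo = new PDO('mysql:host=localhost;dbname=client-db', 'user', 'pass', array(
        PDO::ATTR_ERRMODE        => PDO::ERRMODE_EXCEPTION,
        PDO::MYSQL_ATTR_SSL_KEY  => '/opt/ssl/mysql-client-key.pem',
        PDO::MYSQL_ATTR_SSL_CERT => '/opt/ssl/mysql-client-cert.pem',
        PDO::MYSQL_ATTR_SSL_CA   => '/opt/ssl/mysql-ca-cert.pem',
    ));
    // Client library version string reported by the driver.
    echo 'Client library: ', $pdo->getAttribute(PDO::ATTR_CLIENT_VERSION), "\n";
    echo 'Negotiated cipher: ', assertSslSession($pdo), "\n";
} catch (PDOException $e) {
    // With REQUIRE X509 on the account, a plaintext attempt is rejected here.
    fwrite(STDERR, 'Connection failed: ' . $e->getMessage() . "\n");
    exit(1);
} catch (RuntimeException $e) {
    // Connected, but the session is not encrypted.
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Running the same check against an account without REQUIRE X509 separates the two cases: a plaintext fallback then shows up as the RuntimeException instead of an access-denied error.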

