ius-coredev team mailing list archive

[Bug 1145176] Re: Neither mysqli nor PDO from PHP 5.3.21 properly connect to MySQL via SSL

 

** Summary changed:

- PDO from PHP 5.3.21 does not properly connect to MySQL via SSL
+ Neither mysqli nor PDO from PHP 5.3.21 properly connect to MySQL via SSL

-- 
You received this bug notification because you are a member of IUS Core
Development, which is subscribed to IUS Community Project.
https://bugs.launchpad.net/bugs/1145176

Title:
  Neither mysqli nor PDO from PHP 5.3.21 properly connect to MySQL via
  SSL

Status in IUS Community Project:
  New

Bug description:
  Thanks for the work on IUS!

  I am using CentOS 6 and RHEL 6 servers (the RHEL servers are hosted at
  Rackspace) with IUS installed. On each, the following set of packages
  is installed:

  php53u-cli-5.3.21-1.ius.el6.x86_64
  php53u-5.3.21-1.ius.el6.x86_64
  php53u-mbstring-5.3.21-1.ius.el6.x86_64
  php53u-devel-5.3.21-1.ius.el6.x86_64
  php53u-common-5.3.21-1.ius.el6.x86_64
  php53u-xml-5.3.21-1.ius.el6.x86_64
  php53u-soap-5.3.21-1.ius.el6.x86_64
  php53u-mysql-5.3.21-1.ius.el6.x86_64
  php53u-gd-5.3.21-1.ius.el6.x86_64
  php53u-pear-1.9.4-3.ius.el6.noarch
  php53u-suhosin-0.9.33-1.ius.el6.x86_64
  php53u-pecl-apc-3.1.9-4.ius.el6.x86_64
  php53u-pdo-5.3.21-1.ius.el6.x86_64
  php53u-pecl-memcache-3.0.7-2.ius.el6.x86_64

  I am using Percona Server 5.5, set up to only accept SSL connections
  for certain users using the --ssl, --ssl-ca, --ssl-cert, and --ssl-key
  options to mysqld and a user with GRANTs that have been assigned using
  "REQUIRE X509" in order to require an SSL connection and that the
  certificate in question is validated by the CA certificate.

  (PDO support for SSL in MySQL was added in PHP 5.3.7 and fixed to
  actually work in PHP 5.3.9, so these versions should be sufficient.)

  I can verify that outside of PHP, connecting to Percona server in this
  fashion fails because the connection is neither over SSL nor using an
  accepted certificate:

  mysql -uuser -pass -Dclient-db

  While using the SSL options with the mysql binary works, like so:

  mysql -uuser -ppass -Dclient-db --ssl --ssl-cert=/opt/ssl/mysql-client-cert.pem --ssl-key=/opt/ssl/mysql-client-key.pem --ssl-ca=/opt/ssl/mysql-ca-cert.pem

  However, if I try to make a simple PHP script that connects to this
  same MySQL database using SSL through PDO, it can never connect. The
  sample script I'm using is as follows:

  <?php

  $pdo = new PDO('mysql:host=localhost;dbname=client-db', 'user', 'pass', array(
    PDO::MYSQL_ATTR_SSL_KEY  => '/opt/ssl/mysql-client-key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/opt/ssl/mysql-client-cert.pem',
    PDO::MYSQL_ATTR_SSL_CA   => '/opt/ssl/mysql-ca-cert.pem',
    PDO::MYSQL_ATTR_SSL_CAPATH   => '/opt/ssl/',
    PDO::MYSQL_ATTR_SSL_CIPHER   => 'DHE-RSA-AES256-SHA:AES128-SHA',
  ));

  foreach ($pdo->query('SHOW STATUS LIKE "%Ssl%"') as $row) {
    var_dump($row[0] . ": " . $row[1]);
  }

  The error I get is as follows:

  Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[28000] [1045] Access denied for user 'user'@'localhost' (using password: YES)' in /opt/development/client/docroot/mysql-test.php:9
  Stack trace:
  #0 /opt/development/client/docroot/mysql-test.php(9): PDO->__construct('mysql:host=loca...', 'user', 'pass', Array)
  #1 {main}
    thrown in /opt/development/client/docroot/mysql-test.php on line 9

  This seems to support the idea that PDO is not connecting to MySQL
  using SSL at all. An strace while running this script from the CLI
  confirms this behavior - there are no open() calls on any of the .pem
  files in question.

  This leads me to believe that this particular #ifdefine is being left
  out when php53u is built from IUS:
  http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/pdo_mysql/mysql_driver.c?revision=323930&view=markup#l717

  I'm going to look into this some more. If any users of IUS have
  successfully connected to a MySQL database that requires SSL using PDO
  from IUS php53u, I'd love to hear it. (Or if you have any pointers on
  how I might change the php53u spec to get PDO SSL support included,
  I'd love to hear it.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ius/+bug/1145176/+subscriptions
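
A fail-closed variant of the test script in the report, added here as an example and not code from the reporter or from IUS: it checks that the PEM paths are readable before connecting, then refuses to return a connection whose `Ssl_cipher` status is empty, which matters for accounts that lack `REQUIRE X509` and would otherwise connect in plaintext if the driver ignored the SSL options. The function names are hypothetical; the DSN, credentials and paths are whatever the caller passes in.

```php
<?php
// Added example, not code from the bug report. Function names are hypothetical.

// Return the SSL file options whose paths PHP cannot read (checked before connecting).
function unreadable_tls_files(array $options)
{
    $pathAttrs = array(
        PDO::MYSQL_ATTR_SSL_KEY, PDO::MYSQL_ATTR_SSL_CERT,
        PDO::MYSQL_ATTR_SSL_CA,  PDO::MYSQL_ATTR_SSL_CAPATH,
    );
    $bad = array();
    foreach ($pathAttrs as $attr) {
        if (isset($options[$attr]) && !is_readable($options[$attr])) {
            $bad[] = $options[$attr];
        }
    }
    return $bad;
}

// Decide from session status (name => value) whether the session is encrypted.
// Returns null when it is, otherwise a description of the problem.
function tls_session_problem(array $status)
{
    $cipher = isset($status['Ssl_cipher']) ? $status['Ssl_cipher'] : '';
    return $cipher === '' ? 'session is not encrypted (Ssl_cipher is empty)' : null;
}

// Connect with the given SSL options and throw unless the session really uses TLS.
function connect_mysql_tls($dsn, $user, $pass, array $sslOptions)
{
    $bad = unreadable_tls_files($sslOptions);
    if ($bad) {
        throw new RuntimeException('unreadable TLS file(s): ' . implode(', ', $bad));
    }
    $pdo = new PDO($dsn, $user, $pass,
        $sslOptions + array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
    $status = array();
    foreach ($pdo->query("SHOW SESSION STATUS LIKE 'Ssl_%'") as $row) {
        $status[$row[0]] = $row[1];
    }
    $problem = tls_session_problem($status);
    if ($problem !== null) {
        $pdo = null; // drop the plaintext connection before reporting
        throw new RuntimeException($problem);
    }
    return $pdo;
}

// Constructed status rows (not from the report): plaintext session, then TLS session.
var_dump(tls_session_problem(array('Ssl_cipher' => '')));
var_dump(tls_session_problem(array('Ssl_cipher' => 'DHE-RSA-AES256-SHA')));
```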

