ius-coredev team mailing list archive
Message #02535
[Bug 1145176] Re: Neither mysqli nor PDO from PHP 5.3.21 properly connect to MySQL via SSL
Hello Steven,
Glad to hear that SSL connections are now working. Thanks for posting
the update as others might be running into the same issue.
-Ben
--
You received this bug notification because you are a member of IUS Core
Development, which is subscribed to IUS Community Project.
https://bugs.launchpad.net/bugs/1145176
Title:
Neither mysqli nor PDO from PHP 5.3.21 properly connect to MySQL via
SSL
Status in IUS Community Project:
Invalid
Bug description:
Thanks for the work on IUS!
I am using CentOS 6 and RHEL 6 servers (the RHEL servers are hosted at
Rackspace) with IUS installed. On each, the following set of packages
is installed:
php53u-cli-5.3.21-1.ius.el6.x86_64
php53u-5.3.21-1.ius.el6.x86_64
php53u-mbstring-5.3.21-1.ius.el6.x86_64
php53u-devel-5.3.21-1.ius.el6.x86_64
php53u-common-5.3.21-1.ius.el6.x86_64
php53u-xml-5.3.21-1.ius.el6.x86_64
php53u-soap-5.3.21-1.ius.el6.x86_64
php53u-mysql-5.3.21-1.ius.el6.x86_64
php53u-gd-5.3.21-1.ius.el6.x86_64
php53u-pear-1.9.4-3.ius.el6.noarch
php53u-suhosin-0.9.33-1.ius.el6.x86_64
php53u-pecl-apc-3.1.9-4.ius.el6.x86_64
php53u-pdo-5.3.21-1.ius.el6.x86_64
php53u-pecl-memcache-3.0.7-2.ius.el6.x86_64
I am using Percona Server 5.5, set up to only accept SSL connections
for certain users using the --ssl, --ssl-ca, --ssl-cert, and --ssl-key
options to mysqld and a user with GRANTs that have been assigned using
"REQUIRE X509" in order to require an SSL connection and that the
certificate in question is validated by the CA certificate.
(PDO support for SSL in MySQL was added in PHP 5.3.7 and fixed to
actually work in PHP 5.3.9, so these versions should be sufficient.)
I can verify that outside of PHP, connecting to Percona server in this
fashion fails because the connection is neither over SSL nor using an
accepted certificate:
mysql -uuser -ppass -Dclient-db
While using the SSL options with the mysql binary works, like so:
mysql -uuser -ppass -Dclient-db --ssl --ssl-cert=/opt/ssl/mysql-client-cert.pem --ssl-key=/opt/ssl/mysql-client-key.pem --ssl-ca=/opt/ssl/mysql-ca-cert.pem
However, if I try to make a simple PHP script that connects to this
same MySQL database using SSL through PDO, it can never connect. The
sample script I'm using is as follows:
<?php
$pdo = new PDO('mysql:host=localhost;dbname=client-db', 'user', 'pass', array(
    PDO::MYSQL_ATTR_SSL_KEY => '/opt/ssl/mysql-client-key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => '/opt/ssl/mysql-client-cert.pem',
    PDO::MYSQL_ATTR_SSL_CA => '/opt/ssl/mysql-ca-cert.pem',
    PDO::MYSQL_ATTR_SSL_CAPATH => '/opt/ssl/',
    PDO::MYSQL_ATTR_SSL_CIPHER => 'DHE-RSA-AES256-SHA:AES128-SHA',
));
foreach ($pdo->query('SHOW STATUS LIKE "%Ssl%"') as $row) {
    var_dump($row[0] . ": " . $row[1]);
}
The error I get is as follows:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[28000] [1045] Access denied for user 'user'@'localhost' (using password: YES)' in /opt/development/client/docroot/mysql-test.php:9
Stack trace:
#0 /opt/development/client/docroot/mysql-test.php(9): PDO->__construct('mysql:host=loca...', 'user', 'pass', Array)
#1 {main}
thrown in /opt/development/client/docroot/mysql-test.php on line 9
This seems to support the idea that PDO is not connecting to MySQL
using SSL at all. An strace while running this script from the CLI
confirms this behavior - there are no open() calls on any of the .pem
files in question.
This leads me to believe that this particular #ifdefine is being left
out when php53u is built from IUS:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/pdo_mysql/mysql_driver.c?revision=323930&view=markup#l717 .
I'm going to look into this some more. If any users of IUS have
successfully connected to a MySQL database that requires SSL using PDO
from IUS php53u, I'd love to hear it. (Or if you have any pointers on
how I might change the php53u spec to get PDO SSL support included,
I'd love to hear it.)
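A fail-closed version of the connection test from the bug description, added here as an example (it is not part of the original report or of the IUS project's code). It reuses the report's DSN, credentials and /opt/ssl paths, assumes it is run from the PHP CLI, and treats an empty Ssl_cipher session status value as a plaintext session.

```php
<?php
// Added example. DSN, credentials and PEM paths are the ones used in the
// bug report's test script; the exit codes are this example's own choice.
$dsn = 'mysql:host=localhost;dbname=client-db';
$pem = array(
    'key'  => '/opt/ssl/mysql-client-key.pem',
    'cert' => '/opt/ssl/mysql-client-cert.pem',
    'ca'   => '/opt/ssl/mysql-ca-cert.pem',
);

// 1. The pdo_mysql driver must be loaded and this build must define the
//    SSL attribute constants (the report dates them to PHP 5.3.7).
if (!extension_loaded('pdo_mysql') || !defined('PDO::MYSQL_ATTR_SSL_CA')) {
    fwrite(STDERR, "pdo_mysql is not loaded or lacks the SSL attributes\n");
    exit(2);
}

// 2. The report's strace showed no open() calls on the .pem files, so
//    rule out missing or unreadable files before blaming the driver.
foreach ($pem as $name => $path) {
    if (!is_readable($path)) {
        fwrite(STDERR, "cannot read $name file: $path\n");
        exit(2);
    }
}

// 3. Connect with exceptions enabled so a refused login is not silent.
try {
    $pdo = new PDO($dsn, 'user', 'pass', array(
        PDO::ATTR_ERRMODE        => PDO::ERRMODE_EXCEPTION,
        PDO::MYSQL_ATTR_SSL_KEY  => $pem['key'],
        PDO::MYSQL_ATTR_SSL_CERT => $pem['cert'],
        PDO::MYSQL_ATTR_SSL_CA   => $pem['ca'],
    ));
} catch (PDOException $e) {
    fwrite(STDERR, "connect failed: " . $e->getMessage() . "\n");
    exit(1);
}

// 4. For accounts without REQUIRE X509 the login can succeed in plaintext,
//    so confirm that a cipher was actually negotiated for this session.
$row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_NUM);
if ($row === false || (string) $row[1] === '') {
    fwrite(STDERR, "connected, but the session is NOT encrypted\n");
    exit(1);
}
echo "TLS session established, cipher: {$row[1]}\n";
```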