search

microsoft / msphpsql

Microsoft Drivers for PHP for SQL Server
MIT License
1.8k stars 374 forks source link

Allow configuration of SSL/TLS connection options #1458

Open fabiang opened 1 year ago

fabiang commented 1 year ago

Hello,

based on my old issue #1021, it's quite possible that people are actively lowering their security by allowing older cipher suites, so they just can connect to SQLServers with old certificates. Instead it should be possible to define the ciphers used for the TSL connection to the SQLServer.

PDO_MYSQL already has support for this:

PDO::MYSQL_ATTR_SSL_CA (int) The file path to the SSL certificate authority.

PDO::MYSQL_ATTR_SSL_CAPATH (int) The file path to the directory that contains the trusted SSL CA certificates, which are stored in PEM format.

PDO::MYSQL_ATTR_SSL_CERT (int) The file path to the SSL certificate.

PDO::MYSQL_ATTR_SSL_CIPHER (int) A list of one or more permissible ciphers to use for SSL encryption, in a format understood by OpenSSL. For example: DHE-RSA-AES256-SHA:AES128-SHA

PDO::MYSQL_ATTR_SSL_KEY (int) The file path to the SSL key.

PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT (int) Provides a way to disable verification of the server SSL certificate.

This exists as of PHP 7.0.18 and PHP 7.1.4.

PDO::*_ATTR_SSL_VERIFY_SERVER_CERT is already possible through connection parameter TrustServerCertificate.

So please implement those attributes or as connection parameters.

fabiang commented 1 year ago

It looks like that none of the other PDO drivers supports this. Is passing a PHP stream context as parameter/attribute the better option?

v-makouz commented 1 year ago

Can these be specified in the connection string for MySQL server?

fabiang commented 1 year ago

Can these be specified in the connection string for MySQL server?

No, only per config and attributes. Idk if mysqlnd has support for the attributes/config.

v-makouz commented 1 year ago

It's unlikely we'd be able to add these settings, since most of them are not part of the driver. In addition to TrustServerCertificate the is also ServerCertificate that allows one to specify a .pem, but the other attributes seem like the OpenSSL settings that the driver doesn't control. OpenSSL has its own config files, which may allow specifying these values.

fabiang commented 1 year ago

So I guess I can close this, since is required to implement this upstream into msodbc?

HenkPoley commented 1 year ago

@v-makouz , I note that if ServerCertificate => '/path/to/.pem' exists on pdo_sqlsrv, it's not documented here:

https://learn.microsoft.com/en-us/sql/connect/php/connection-options?view=sql-server-ver16

To use it for 'certificate pinning' would be nice.

v-makouz commented 1 year ago

I'll take a look at that doc. I believe that anything in the connection string gets passed by PHP driver to the underlying ODBC Driver, so anything supported by that should work, but I'll double check to make sure.