php / php-src

The PHP Interpreter
https://www.php.net

PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT still checking CN #8577

Open drewwynne0 opened 2 years ago

drewwynne0 commented 2 years ago

Description

Apologies, this may not be a bug, but I cannot seem to find anything after extensive research.

The following code:

PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,

Resulted in this output:

Peer certificate CN=`*.proxy-~~~.eu-west-2.rds.amazonaws.com' did not match expected CN=`~~~.**endpoint**.proxy-~~~.eu-west-2.rds.amazonaws.com'

(~~~ used for masking.)

But I expected this output instead:

Successful mysql connection

There doesn't seem to be a specific way to force --ssl-mode=VERIFY_CA; the mysql CLI connection works fine with this flag.

Scenario: I am utilising AWS RDS Proxy with a read/write endpoint and a read endpoint. Read/write connects fine, but when trying to connect to the read-only endpoint I receive the above error; I assume this is because the read-only endpoint is within the subdomain .endpoint.proxy- whereas the read/write one is within .proxy-

PHP Version

PHP 8.1.6

Operating System

Windows 11 // Ubuntu 20.04

cmb69 commented 2 years ago

Do you use mysqlnd or libmysql-client (see PHP info)?

drewwynne0 commented 2 years ago

mysqlnd

image

Just freshly installed PHP, as I am working on a different machine.

[PHP Modules]
bcmath
calendar
Core
ctype
curl
date
dom
fileinfo
filter
hash
iconv
json
libxml
mbstring
mysqlnd
openssl
pcre
PDO
pdo_mysql
Phar
readline
Reflection
session
SimpleXML
SPL
standard
tokenizer
xml
xmlreader
xmlwriter
zip
zlib

cmb69 commented 2 years ago

Thank you! In this case, the verification is done via the SSL stream context options verify_peer and verify_peer_name, so this is not necessarily a mysqlnd issue. I wonder, though, how libmysql-client would behave.

james-green-affinity commented 1 year ago

I have a similar setup as mentioned above; however, I am using the MariaDB client and connecting to an Aurora DB via RDS Proxy. Unfortunately for me, --ssl-mode=VERIFY_CA is NOT an option within the MariaDB client, so I need to find a way to use "--ssl" instead.

https://mariadb.com/kb/en/mysql-command-line-client/#:~:text=mysql%20(from%20MariaDB%2010.4.,in%20an%20ASCII%2Dtable%20format.

piotrekkr commented 3 weeks ago

I just spotted this same issue on my setup. I'm using the Docker image of PHP 8.2.12.

root@spooler-qa4-3b64c:/var/www# php -v
PHP 8.2.12 (cli) (built: Oct 28 2023 01:45:57) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.12, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.12, Copyright (c), by Zend Technologies
    with ddtrace v1.1.0, Copyright Datadog, by Datadog
    with datadog-profiling v1.1.0, Copyright Datadog, by Datadog
    with ddappsec v1.1.0, Copyright Datadog, by Datadog

php -i shows this:

mysqlnd
mysqlnd => enabled
Version => mysqlnd 8.2.12
Loaded plugins => mysqlnd,debug_trace,auth_plugin_mysql_native_password,auth_plugin_mysql_clear_password,auth_plugin_caching_sha2_password,auth_plugin_sha256_password
API Extensions => pdo_mysql
PDO drivers => sqlite, mysql
pdo_mysql
Client API version => mysqlnd 8.2.12

I have set driver options like:

array(5) {
  [1002]=>
  string(39) "SET SESSION max_execution_time = 120000"
  [1014]=>
  int(0)
  [1009]=>
  string(27) "/secrets/cloudsql/client_ca"
  [1008]=>
  string(29) "/secrets/cloudsql/client_cert"
  [1007]=>
  string(28) "/secrets/cloudsql/client_key"
}

But even when PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT is set to 0, I get this error when connecting to a GCP MySQL instance:

PDO::__construct(): Peer certificate CN=`xxxx-xx:xxx-xxxx' did not match expected CN=`XX.XX.XX.XX'

Is there any workaround for this?
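Both mismatches in this thread, the wildcard proxy certificate against a two-label reader endpoint in the opening report and the Cloud SQL certificate against a bare IP address in the last comment, come from the peer-name check that cmb69 points at (the verify_peer_name stream option), not from MYSQL_ATTR_SSL_VERIFY_SERVER_CERT. The PHP below is an added illustration, not code from php-src or from anyone in this thread: it reproduces the name-matching rule PHP's openssl stream wrapper applies under verify_peer_name (subjectAltName entries first, then the subject CN; a wildcard is honoured only in the left-most label and never spans a dot) and runs it against constructed certificate arrays shaped like the output of openssl_x509_parse(). The host names, the `xxxx` segments and the `project:instance` CN are placeholders standing in for the masked values in the thread, and pdoSslOptions() is a hypothetical helper showing the options both reporters already use, with verification left on.

```php
<?php
declare(strict_types=1);

// Added example, not php-src code. Mirrors the check PHP's openssl stream wrapper
// performs for verify_peer_name: SAN entries first, then the subject CN. A wildcard
// is only accepted in the left-most label and matches exactly one label.

/** Compare the expected peer name against one certificate name (wildcard-aware). */
function nameMatches(string $expected, string $certName): bool
{
    if (strcasecmp($expected, $certName) === 0) {
        return true;
    }
    $star = strpos($certName, '*');
    // A wildcard is only honoured in the left-most label.
    if ($star === false || strpos(substr($certName, 0, $star), '.') !== false) {
        return false;
    }
    $prefix = substr($certName, 0, $star);
    $suffix = substr($certName, $star + 1);
    if (strlen($expected) < strlen($prefix) + strlen($suffix)) {
        return false;
    }
    // The part of the expected name the '*' has to cover.
    $middle = substr($expected, strlen($prefix), strlen($expected) - strlen($prefix) - strlen($suffix));
    $prefixOk = strncasecmp($expected, $prefix, strlen($prefix)) === 0;
    $suffixOk = $suffix === '' || strcasecmp(substr($expected, -strlen($suffix)), $suffix) === 0;
    return $prefixOk && $suffixOk && strpos($middle, '.') === false; // '*' never spans a dot
}

/** Pull DNS names, IP addresses and the CN out of an openssl_x509_parse()-shaped array. */
function certNames(array $cert): array
{
    $dns = [];
    $ip = [];
    foreach (explode(',', $cert['extensions']['subjectAltName'] ?? '') as $entry) {
        $entry = trim($entry);
        if (str_starts_with($entry, 'DNS:')) {
            $dns[] = substr($entry, 4);
        } elseif (str_starts_with($entry, 'IP Address:')) {
            $ip[] = substr($entry, 11);
        }
    }
    return ['dns' => $dns, 'ip' => $ip, 'cn' => $cert['subject']['CN'] ?? null];
}

/** Returns null when the name is covered, otherwise the message PDO/mysqlnd surfaces. */
function checkPeerName(array $cert, string $expected): ?string
{
    $names = certNames($cert);
    if (filter_var($expected, FILTER_VALIDATE_IP) !== false) {
        if (in_array($expected, $names['ip'], true)) {
            return null;
        }
    } else {
        foreach ($names['dns'] as $dnsName) {
            if (nameMatches($expected, $dnsName)) {
                return null;
            }
        }
    }
    // Fallback to the subject CN, which is where the error text in this thread comes from.
    if ($names['cn'] !== null && nameMatches($expected, $names['cn'])) {
        return null;
    }
    return sprintf("Peer certificate CN=`%s' did not match expected CN=`%s'", $names['cn'] ?? '', $expected);
}

/** Hypothetical helper: the SSL options from the thread with verification kept on. */
function pdoSslOptions(string $caBundle): array
{
    return [
        PDO::MYSQL_ATTR_SSL_CA                 => $caBundle, // CA bundle of the RDS / Cloud SQL server
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,      // false did not disable the name check above
    ];
}

// Constructed certificates (placeholders for the masked values in the thread).
$rdsProxyCert = [
    'subject'    => ['CN' => '*.proxy-xxxx.eu-west-2.rds.amazonaws.com'],
    'extensions' => ['subjectAltName' => 'DNS:*.proxy-xxxx.eu-west-2.rds.amazonaws.com'],
];
$cloudSqlCert = [
    'subject'    => ['CN' => 'project:instance'], // placeholder for the masked CN in the last comment
    'extensions' => [],
];

$cases = [
    [$rdsProxyCert, 'rw.proxy-xxxx.eu-west-2.rds.amazonaws.com'],           // one label under '*': covered
    [$rdsProxyCert, 'ro.endpoint.proxy-xxxx.eu-west-2.rds.amazonaws.com'],  // two labels: not covered
    [$cloudSqlCert, '10.0.0.5'],                                            // IP peer, no IP SAN, CN is not an IP
];
foreach ($cases as [$cert, $host]) {
    printf("%-56s %s\n", $host, checkPeerName($cert, $host) ?? 'ok');
}
```

Run with any PHP 8.x CLI that has the openssl extension; the first case prints `ok` and the other two print the same "did not match expected CN" text the reporters saw. The point to take from it is that the mismatch is decided by which names the certificate carries and by the one-label wildcard rule, so the fix lies in the name the client connects to or in the certificate the server presents, not in loosening PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT.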