Open jjthiessen opened 2 years ago
That is, I believe that MYSQLI_CLIENT_SSL is required for the client to advertise SSL capabilities (independently of whether certificates should or shouldn't be verified).
We just migrated to SSL enabled database and were hit with this issue.
PR https://github.com/phpList/phplist3/pull/834 was never merged. Would the 2nd option from @jjthiessen be acceptable as a starting fix for the issue?
I did some more tests. If I have a MySQL server with mandatory SSL connection, I can only connect to the DB if flag MYSQLI_CLIENT_SSL is set. It doesn't work with MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT.
Then I did a test with a MySQL server that supports SSL, but is not forcing it.
MYSQLI_CLIENT_SSL: will connect via SSL.
MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT: won't connect via SSL, will choose plain-text connection. If I set REQUIRE SSL for the user, the connection fails.
I used @jjthiessen's script with an added sleep and then ran a query to check the connection status:
SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher,
processlist_user AS user, processlist_host AS host
FROM performance_schema.status_by_thread AS sbt
JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id
JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id
WHERE sbt.variable_name = 'Ssl_version' AND t2.variable_name = 'Ssl_cipher'
ORDER BY tls_version
Given that, I think changing the default flag to MYSQLI_CLIENT_SSL won't make anything worse than it already is, as right now switching database_connection_ssl to true doesn't make an SSL connection anyway. And since MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT is used for client cert auth and we are not using ssl_set() to set client certs, it would make sense to revert back to MYSQLI_CLIENT_SSL; the parameter database_connection_ssl will then actually force phplist to use SSL and we'll have a working SSL connection again.
We are using the MR change in production for the last 10 days without issues.
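The check described in the comment above, written up as an added PHP example (this is not phpList code and not the script from the thread): it opens a mysqli connection with a chosen client-flags bitmask, then asks the server whether the session is actually encrypted and refuses to proceed if it is not. The host, credentials, database name and CA path are placeholders.

```php
<?php
// Added example, not phpList's own code. Connection parameters are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Open a mysqli connection and fail closed unless the session really uses TLS.
 *
 * $flags is the bitmask handed to mysqli::real_connect(). The thread's tests
 * show MYSQLI_CLIENT_SSL negotiating TLS, while
 * MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT on its own fell back to plain text,
 * which is why the result is verified from the server side rather than assumed.
 */
function connect_requiring_tls(
    string $host,
    string $user,
    string $pass,
    string $db,
    int $flags = MYSQLI_CLIENT_SSL,
    ?string $caFile = null
): mysqli {
    $conn = mysqli_init();
    if ($conn === false) {
        throw new RuntimeException('mysqli_init() failed');
    }

    // With a CA bundle the server certificate is verified as well.
    // '/path/to/ca.pem' is a placeholder; omit only when verification is deliberately disabled via $flags.
    if ($caFile !== null) {
        $conn->ssl_set(null, null, $caFile, null, null);
    }

    $conn->real_connect($host, $user, $pass, $db, 3306, null, $flags);

    // Ssl_cipher is empty for a plaintext session, non-empty once TLS was negotiated.
    $cipher = session_tls_cipher($conn);
    if ($cipher === '') {
        $conn->close();
        throw new RuntimeException('Session was established without TLS; refusing to continue');
    }

    return $conn;
}

/** Return the cipher the server reports for this session, or '' for plaintext. */
function session_tls_cipher(mysqli $conn): string
{
    $result = $conn->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    $row = $result->fetch_assoc();
    return (string) ($row['Value'] ?? '');
}

/**
 * Repeat the comparison from the thread: try each flag set and report whether
 * the resulting session was encrypted. Returns flag name => cipher or error text.
 */
function probe_flag_sets(string $host, string $user, string $pass, string $db): array
{
    $cases = [
        'MYSQLI_CLIENT_SSL'                         => MYSQLI_CLIENT_SSL,
        'MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT' => MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT,
    ];
    $report = [];
    foreach ($cases as $name => $flags) {
        try {
            $conn = connect_requiring_tls($host, $user, $pass, $db, $flags);
            $report[$name] = 'TLS, cipher ' . session_tls_cipher($conn);
            $conn->close();
        } catch (Throwable $e) {
            $report[$name] = 'FAILED: ' . $e->getMessage();
        }
    }
    return $report;
}

// Usage with placeholder values:
// print_r(probe_flag_sets('db.example.invalid', 'phplist', 'secret', 'phplist'));
```

The fail-closed check is the part worth keeping in application code: a configuration switch named database_connection_ssl should never be able to leave the application silently talking plaintext, so the application verifies the negotiated state instead of trusting the flag it passed in.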
I believe that https://github.com/phpList/phplist3/commit/a3bc7189b8b3d048af3a5c685bcc53358af42046 introduced a regression for MySQL configurations where SSL/TLS is enforced. It is also possible that this behaviour has changed between PHP versions, or is/was different between the use of libmysql and mysqlnd. The PHP Manual seems to suggest that the change was valid and should work; however, this does not seem to be the case in my tests.