I have successfully setup an SSL enabled install of MySQL on one server on one network and can connect to it using SSL with the Linux command line mysql client on a different server on a different network, however every time I try to connect (using PHP 5.3.3) I keep getting:
Warning: mysqli_real_connect(): (HY000/2026): SSL connection error in /var/www/html/test.php on line 18
My PHP is as follows have I done something wrong? The certs are 777 (only while testing) and the same code works for a different user's un-encrypted connection (with the SSL setting commented out i.e. mysqli can definately connect generally to the DB)
<?php
error_reporting(E_ALL);
ini_set("display_errors", "1");
$obj = mysqli_init();
mysqli_options($obj, MYSQLI_OPT_CONNECT_TIMEOUT, 5);
mysqli_ssl_set( $obj,
'/mysql-ssl-certs/server-key.pem',
'/mysql-ssl-certs/server-cert.pem',
'/mysql-ssl-certs/ca-cert.pem',
NULL,
NULL);
$link = mysqli_real_connect($obj, 'localhost', 'ssluser', 'some_password', 'test');
if (!$link)
{
die('<br /><br />Connect Error (' . mysqli_connect_errno() . ') '.mysqli_connect_error());
}
echo 'Success... ' . mysqli_get_host_info($obj) . "\n";
$obj->close();
?>
Here PHP (and mysqli_real_connect) is the client not the server. You're configuring it with mysqli_ssl_set for client-certificate authentication (and using the server key and certificate).
I'm not sure how you've configured your MySQL server, but there should be something like this in the (MySQL) server section of the configuration:
ssl-key=/mysql-ssl-certs/server-key.pem
ssl-cert=/mysql-ssl-certs/server-cert.pem
ssl-ca=/mysql-ssl-certs/ca-cert.pem
These don't belong to the client side anyway (only the CA certificate does, but definitely not the server's private key).
Once you've done this, you can try to see if the server is configured properly using the command line client:
mysql --ssl-verify-server-cert --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...
or perhaps this (although verify server cert should really be enabled for SSL/TLS to be useful)
mysql --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...
This should work at least on the command line.
Then, from PHP, you get two options:
- use
mysqli_ssl_set like you've done, but leaving $key and $cert null, unless you want to use a client-certificate which really ought to be different from your server certificate. (I can't remember whether that works.)
possibly easier, omit mysqli_ssl_set altogether and configure this in your global MySQL client configuration file (where PHP should be able to pick it up, possibly /etc/mysql/my.cnf, but this may vary depending on your distribution):
[client]
ssl-ca=/mysql-ssl-certs/ca-cert.pem
(This is similar to the server config, but on the client side/in the client section.)
For the authorization part (GRANT):
REQUIRE SSL only requires the use of SSL/TLSREQUIRE ISSUER, REQUIRE SUBJECT and REQUIRE X509 require the client to present a client-certificate to compare to the required values (that's the case where you'd need to use ssl-key and ssl-cert on the client side (config or within mysqli_ssl_set).
Maybe your version of php uses mysqlnd as transport driver which doesn't support ssl (yet?).
What does
<?php
error_reporting(E_ALL);
ini_set("display_errors", "1");
echo 'version: ', phpversion(), "\n";
echo function_exists('mysqli_fetch_all') ? 'mysqlnd' : '--', "\n";
print?
You should be careful if you're using MySQL prior to 5.7.3 and the standard PHP library:
Before MySQL 5.7.3, --ssl permits but does not require the client to
connect to the server using SSL. Therefore, this option is not
sufficient in itself to cause an SSL connection to be used. For
example, if you specify this option for a client program but the
server has not been configured to permit SSL connections, an
unencrypted connection is used.
http://dev.mysql.com/doc/refman/5.7/en/ssl-options.html#option_general_ssl
In the case of PHP, MySQL will silently fail if the server fails to support SSL
https://www.idontplaydarts.com/2015/03/mysql-with-ssl-does-not-protect-against-active-mitm/
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 混吃等死 的文章《PHP to MySQL SSL Connections》','https://www.manongdao.com/article-97808.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}