MySQL PHP PDO SSL connection failed

I am trying to develop a PHP application that connects to a MySQL server using SSL. I tried using mysql_connect and it works fine, but with PDO it does not. When I try to connect, I get the following error:

PDO::__construct(): this stream does not support SSL/crypto

What is strange is that if I configure cert paths (pointing to non-existent files), I get the same error!

I am using php 5.3.10 in Debian Squeeze, the following packages are installed:

php5-cgi php5-cli php5-common php5-fpm php5-gd php5-mcrypt php5-mysql php5-suhosin 

Any idea? thanks

+4
2 answers

Your list of modules does not include openssl.

You can check compiled modules with php -m. You can also check all modules loaded at run-time by running php -a, then running var_dump(get_loaded_extensions());

You will need to either compile it or download it as an extension in order to use the SSL connection.

If the extension exists on disk (check the extensions directory location in php.ini), then check php.ini for the extension=php_openssl.so line and make sure it is not commented out.

+1

You need to remove php-mysql and install php-mysqlnd. On CentOS:

    sudo yum remove php-mysql
    sudo yum install php-mysqlnd
    sudo reboot

Ubuntu / Debian

    sudo apt-get remove php5-mysql
    sudo apt-get install php5-mysqlnd
    sudo reboot

mysqli procedural:

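    <?php
    // Initialise a handle first so the SSL options can be set before connecting.
    $con = mysqli_init();
    if (!$con) {
        die("mysqli_init failed");
    }

    // Argument order: key, cert, CA file, CA directory, cipher list.
    mysqli_ssl_set($con, '/ssl/client-key.pem', '/ssl/client-cert.pem', '/ssl/ca.pem', NULL, NULL);

    if (!mysqli_real_connect($con, 'xx.xxx.xxx.xxx', 'user', 'pass', 'dbname')) {
        die("Connect Error: " . mysqli_connect_error());
    }

    mysqli_close($con);
    ?>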

PDO

    // $host, $database, $user and $password must be defined before this point.
    $ssl = array(
        PDO::MYSQL_ATTR_SSL_KEY  => '/ssl/client-key.pem',
        PDO::MYSQL_ATTR_SSL_CERT => '/ssl/client-cert.pem',
        PDO::MYSQL_ATTR_SSL_CA   => '/ssl/ca.pem'
    );

    try {
        // The SSL options are passed as the fourth (driver options) argument.
        $dbl = new PDO("mysql:host=$host;dbname=$database", $user, $password, $ssl);
        $dbl->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch (PDOException $e) {
        echo $e->getMessage();
        die;
    }

Your certificate paths must be correct. Try this to make sure your SSL files exist:

    if (file_exists('/ssl/client-key.pem')
        && file_exists('/ssl/client-cert.pem')
        && file_exists('/ssl/ca.pem'))
        echo 'file exists';

The remote host (database server) must also have SSL enabled. Run this query:

 SHOW VARIABLES LIKE '%ssl%'; 

OUTPUT:

    +---------------+----------------------+
    | Variable_name | Value                |
    +---------------+----------------------+
    | have_openssl  | YES                  |
    | have_ssl      | YES                  |
    | ssl_ca        | /ssl/ca.pem          |
    | ssl_capath    |                      |
    | ssl_cert      | /ssl/server-cert.pem |
    | ssl_cipher    | DHE-RSA-AES256-SHA   |
    | ssl_key       | /ssl/server-key.pem  |
    +---------------+----------------------+

If it is disabled, it will not work. Your /etc/my.cnf (or where your my.cnf is located) should contain:

    ssl-ca=/ssl/ca.pem
    ssl-cert=/ssl/server-cert.pem
    ssl-key=/ssl/server-key.pem
    ssl-cipher=DHE-RSA-AES256-SHA

MySQL Resource for generating keys: http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-files-using-openssl.html

Finally, the DHE cipher is no longer considered secure. The ciphers are constantly breaking, so you will need to find out which are considered safe today.

+1
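
A preflight check that ties the two answers together, as an added example that is not part of the original posts: it confirms that the openssl extension and its "ssl" stream transport are present, that the certificate files are readable, and that the PDO session actually negotiated a cipher. The DB_* environment variables and the two function names are assumptions; the certificate paths are the ones used in the answer above.

```php
<?php
// Added example, not from the original answers. The DB_* environment
// variables and both function names are assumptions for illustration.

// List local problems that would stop PDO from negotiating SSL at all.
function ssl_preflight(array $files)
{
    $problems = array();
    if (!extension_loaded('openssl')) {
        $problems[] = 'openssl extension is not loaded';
    }
    if (!in_array('ssl', stream_get_transports(), true)) {
        $problems[] = 'no "ssl" stream transport is registered';
    }
    if (!class_exists('PDO') || !in_array('mysql', PDO::getAvailableDrivers(), true)) {
        $problems[] = 'pdo_mysql driver is not available';
    }
    foreach ($files as $label => $path) {
        if (!is_readable($path)) {
            $problems[] = "$label file is not readable: $path";
        }
    }
    return $problems;
}

// Connect with the SSL options; return the negotiated cipher ('' = plaintext).
function connect_and_get_cipher($dsn, $user, $pass, array $files)
{
    $pdo = new PDO($dsn, $user, $pass, array(
        PDO::MYSQL_ATTR_SSL_KEY  => $files['key'],
        PDO::MYSQL_ATTR_SSL_CERT => $files['cert'],
        PDO::MYSQL_ATTR_SSL_CA   => $files['ca'],
        PDO::ATTR_ERRMODE        => PDO::ERRMODE_EXCEPTION,
    ));
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_NUM);
    return $row ? (string) $row[1] : '';
}

$files = array('key' => '/ssl/client-key.pem', 'cert' => '/ssl/client-cert.pem', 'ca' => '/ssl/ca.pem');
if ($problems = ssl_preflight($files)) {
    exit(implode(PHP_EOL, $problems) . PHP_EOL);
}
try {
    $dsn = 'mysql:host=' . getenv('DB_HOST') . ';dbname=' . getenv('DB_NAME');
    $cipher = connect_and_get_cipher($dsn, getenv('DB_USER'), getenv('DB_PASS'), $files);
} catch (PDOException $e) {
    exit('Connect failed: ' . $e->getMessage() . PHP_EOL);
}
echo $cipher === '' ? "Connected, but the session is NOT encrypted\n" : "Encrypted, cipher: $cipher\n";
```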

Source: https://habr.com/ru/post/1397987/

