Added the possibility to explicitly state that the peer certificate should not be checked.
Back to the default - checking the certificate.
Exported MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
Usage : mysqli_real_connect( , , , , , MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)
If mysqli_ssl_set() is not called, but only MYSQLI_CLIENT_SSL is passed, without the (don't) very flag,
then no verification takes place.
REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS | CONST_PERSISTENT);
#ifdef CLIENT_SSL_VERIFY_SERVER_CERT
REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
+#if defined(MYSQLI_USE_MYSQLND)
+ REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT", CLIENT_SSL_DONT_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
+#endif
#endif
#if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) || defined(MYSQLI_USE_MYSQLND)
REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
if (!is_object($link = mysqli_init()))
printf("[001] Cannot create link\n");
- $path_to_pems = !$IS_MYSQLND? "ext/mysqli/tests/" : "";
- if (!$link->ssl_set("{$path_to_pems}client-key.pem", "{$path_to_pems}client-cert.pem", "{$path_to_pems}cacert.pem","",""))
- printf("[002] [%d] %s\n", $link->errno, $link->error);
-
- if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket)) {
+ if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)) {
printf("[003] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
}
printf("[006] [%d] %s\n", $link->errno, $link->error);
if (!strlen($row["Value"]))
printf("[007] Empty cipher. No encrytion!");
+ var_dump($row);
}
- var_dump($row);
$link->close();
if (!is_object($link = mysqli_init()))
printf("[012] [%d] %s\n", $link->errno, $link->error);
if (!strlen($row["Value"]))
printf("[013] Empty cipher. No encrytion!");
+ var_dump($row);
}
- var_dump($row);
-
$link->close();
print "done!";
$db1 = new mysqli();
- $flags = MYSQLI_CLIENT_SSL;
+ $flags = MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
$link = mysqli_init();
mysqli_ssl_set($link, null, null, null, null, "RC4-MD5");
$driver = new mysqli_driver;
$host = getenv("MYSQL_TEST_HOST") ? getenv("MYSQL_TEST_HOST") : "127.0.0.1";
- $port = getenv("MYSQL_TEST_PORT") ? getenv("MYSQL_TEST_PORT") : 3308;
+ $port = getenv("MYSQL_TEST_PORT") ? getenv("MYSQL_TEST_PORT") : 3306;
$user = getenv("MYSQL_TEST_USER") ? getenv("MYSQL_TEST_USER") : "root";
$passwd = getenv("MYSQL_TEST_PASSWD") ? getenv("MYSQL_TEST_PASSWD") : "";
$db = getenv("MYSQL_TEST_DB") ? getenv("MYSQL_TEST_DB") : "test";
function my_mysqli_connect($host, $user, $passwd, $db, $port, $socket, $enable_env_flags = true) {
global $connect_flags;
- $flags = ($enable_env_flags) ? $connect_flags : false;
-
- if ($flags !== false) {
+ $flags = $enable_env_flags? $connect_flags:0;
+ if ($flags !== 0) {
$link = mysqli_init();
if (!mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, $flags))
$link = false;
global $connect_flags;
if ($enable_env_flags)
- $flags & $connect_flags;
+ $flags = $flags | $connect_flags;
return mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, $flags);
}
public function __construct($host, $user, $passwd, $db, $port, $socket, $enable_env_flags = true) {
global $connect_flags;
- $flags = ($enable_env_flags) ? $connect_flags : false;
+ $flags = ($enable_env_flags) ? $connect_flags : 0;
if ($flags !== false) {
parent::init();
if ($version >= 50033 || $IS_MYSQLND) {
$expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
}
+ if ($IS_MYSQLND) {
+ $expected_constants['MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT'] = true;
+ }
/* First introduced in MySQL 6.0, backported to MySQL 5.5 */
if ($version >= 50606 || $IS_MYSQLND) {
DBG_INF_FMT("CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA= %d", mysql_flags & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA? 1:0);
DBG_INF_FMT("CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS= %d", mysql_flags & CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS? 1:0);
DBG_INF_FMT("CLIENT_SESSION_TRACK= %d", mysql_flags & CLIENT_SESSION_TRACK? 1:0);
+ DBG_INF_FMT("CLIENT_SSL_DONT_VERIFY_SERVER_CERT= %d", mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT? 1:0);
DBG_INF_FMT("CLIENT_SSL_VERIFY_SERVER_CERT= %d", mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? 1:0);
DBG_INF_FMT("CLIENT_REMEMBER_OPTIONS= %d", mysql_flags & CLIENT_REMEMBER_OPTIONS? 1:0);
if (server_has_ssl == FALSE) {
goto close_conn;
} else {
- zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? TRUE:FALSE;
+ enum mysqlnd_ssl_peer verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT?
+ MYSQLND_SSL_PEER_VERIFY:
+ (mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT?
+ MYSQLND_SSL_PEER_DONT_VERIFY:
+ MYSQLND_SSL_PEER_DEFAULT);
DBG_INF("Switching to SSL");
if (!PACKET_WRITE(auth_packet, conn)) {
goto close_conn;
#define CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA (1UL << 21) /* Enable authentication response packet to be larger than 255 bytes. */
#define CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS (1UL << 22) /* Don't close the connection for a connection with expired password. */
#define CLIENT_SESSION_TRACK (1UL << 23) /* Extended OK */
+/*
+ This is a mysqlnd extension. CLIENT_ODBC is not used anyway. We will reuse it for our case and translate it to not using SSL peer verification
+*/
+#define CLIENT_SSL_DONT_VERIFY_SERVER_CERT CLIENT_ODBC
#define CLIENT_SSL_VERIFY_SERVER_CERT (1UL << 30)
#define CLIENT_REMEMBER_OPTIONS (1UL << 31)
break;
}
case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
- net->data->options.ssl_verify_peer = value? ((*(zend_bool *)value)? TRUE:FALSE): FALSE;
+ {
+ enum mysqlnd_ssl_peer val = *((enum mysqlnd_ssl_peer *)value);
+ switch (val) {
+ case MYSQLND_SSL_PEER_VERIFY:
+ DBG_INF("MYSQLND_SSL_PEER_VERIFY");
+ break;
+ case MYSQLND_SSL_PEER_DONT_VERIFY:
+ DBG_INF("MYSQLND_SSL_PEER_DONT_VERIFY");
+ break;
+ case MYSQLND_SSL_PEER_DEFAULT:
+ DBG_INF("MYSQLND_SSL_PEER_DEFAULT");
+ val = MYSQLND_SSL_PEER_DEFAULT;
+ break;
+ default:
+ DBG_INF("default = MYSQLND_SSL_PEER_DEFAULT_ACTION");
+ val = MYSQLND_SSL_PEER_DEFAULT;
+ break;
+ }
+ net->data->options.ssl_verify_peer = val;
break;
+ }
case MYSQL_OPT_READ_TIMEOUT:
net->data->options.timeout_read = *(unsigned int*) value;
break;
#ifdef MYSQLND_SSL_SUPPORTED
php_stream_context * context = php_stream_context_alloc(TSRMLS_C);
php_stream * net_stream = net->data->m.get_stream(net TSRMLS_CC);
+ zend_bool any_flag = FALSE;
DBG_ENTER("mysqlnd_net::enable_ssl");
if (!context) {
zval key_zval;
ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
- }
- {
- zval verify_peer_zval;
- ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer);
- php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
- php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
+ any_flag = TRUE;
}
if (net->data->options.ssl_cert) {
zval cert_zval;
if (!net->data->options.ssl_key) {
php_stream_context_set_option(context, "ssl", "local_pk", &cert_zval);
}
+ any_flag = TRUE;
}
if (net->data->options.ssl_ca) {
zval cafile_zval;
ZVAL_STRING(&cafile_zval, net->data->options.ssl_ca, 0);
php_stream_context_set_option(context, "ssl", "cafile", &cafile_zval);
+ any_flag = TRUE;
}
if (net->data->options.ssl_capath) {
zval capath_zval;
ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
+ any_flag = TRUE;
}
if (net->data->options.ssl_passphrase) {
zval passphrase_zval;
ZVAL_STRING(&passphrase_zval, net->data->options.ssl_passphrase, 0);
php_stream_context_set_option(context, "ssl", "passphrase", &passphrase_zval);
+ any_flag = TRUE;
}
if (net->data->options.ssl_cipher) {
zval cipher_zval;
ZVAL_STRING(&cipher_zval, net->data->options.ssl_cipher, 0);
php_stream_context_set_option(context, "ssl", "ciphers", &cipher_zval);
+ any_flag = TRUE;
+ }
+ {
+ zval verify_peer_zval;
+ zend_bool verify;
+
+ if (net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_DEFAULT) {
+ net->data->options.ssl_verify_peer = any_flag? MYSQLND_SSL_PEER_DEFAULT_ACTION:MYSQLND_SSL_PEER_DONT_VERIFY;
+ }
+
+ verify = net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_VERIFY? TRUE:FALSE;
+
+ DBG_INF_FMT("VERIFY=%d", verify);
+ ZVAL_BOOL(&verify_peer_zval, verify);
+ php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
}
+
php_stream_context_set(net_stream, context);
if (php_stream_xport_crypto_setup(net_stream, STREAM_CRYPTO_METHOD_TLS_CLIENT, NULL TSRMLS_CC) < 0 ||
php_stream_xport_crypto_enable(net_stream, 1 TSRMLS_CC) < 0)
char *ssl_capath;
char *ssl_cipher;
char *ssl_passphrase;
- zend_bool ssl_verify_peer;
+ enum mysqlnd_ssl_peer {
+ MYSQLND_SSL_PEER_DEFAULT = 0,
+ MYSQLND_SSL_PEER_VERIFY = 1,
+ MYSQLND_SSL_PEER_DONT_VERIFY = 2,
+
+#define MYSQLND_SSL_PEER_DEFAULT_ACTION MYSQLND_SSL_PEER_VERIFY
+ } ssl_verify_peer;
uint64_t flags;
char * sha256_server_public_key;
} MYSQLND_NET_OPTIONS;
+
typedef struct st_mysqlnd_connection MYSQLND;
typedef struct st_mysqlnd_connection_data MYSQLND_CONN_DATA;
typedef struct st_mysqlnd_net MYSQLND_NET;
projects / php / commitdiff