Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
authorAndrey Hristov <andrey@php.net>
Wed, 21 Oct 2015 13:10:24 +0000 (15:10 +0200)
committerAndrey Hristov <andrey@php.net>
Wed, 21 Oct 2015 13:10:24 +0000 (15:10 +0200)
ext/mysqli/tests/bug51647.phpt
ext/mysqlnd/mysqlnd_net.c

index 78540f1c33a7c945496707a626aa3b36f160534c..349d6dbbb0101c47e422638bd6cae1ffae814b3d 100644 (file)
@@ -65,9 +65,43 @@ $link->close();
        } else {
                if (!$row = $res->fetch_assoc())
                        printf("[006] [%d] %s\n", $link->errno, $link->error);
+               if (!strlen($row["Value"]))
+                       printf("[007] Empty cipher. No encrytion!");
        }
 
        var_dump($row);
+       $link->close();
+
+       if (!is_object($link = mysqli_init()))
+               printf("[008] Cannot create link\n");
+
+       if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL)) {
+               printf("[009] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
+       }
+
+       if (!$res = $link->query('SHOW STATUS like "Ssl_cipher"')) {
+               if (1064 == $link->errno) {
+                       /* ERROR 1064 (42000): You have an error in your SQL syntax;  = sql strict mode */
+                       if ($res = $link->query("SHOW STATUS")) {
+                               while ($row = $res->fetch_assoc())
+                                       if ($row['Variable_name'] == 'Ssl_cipher')
+                                               break;
+                       } else {
+                               printf("[010] [%d] %s\n", $link->errno, $link->error);
+                       }
+               } else {
+                       printf("[011] [%d] %s\n", $link->errno, $link->error);
+               }
+       } else {
+               if (!$row = $res->fetch_assoc())
+                       printf("[012] [%d] %s\n", $link->errno, $link->error);
+               if (!strlen($row["Value"]))
+                       printf("[013] Empty cipher. No encrytion!");
+       }
+
+       var_dump($row);
+
+       $link->close();
 
        print "done!";
 ?>
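Review bot: The added block ([008]–[013]) only asserts that `Ssl_cipher` is non-empty, so it shows the link is encrypted but says nothing about certificate validation, which is what this commit changes. Cases that would pin the new behaviour are a connect that fails when verification is on and the server certificate does not validate, and one that succeeds only because verification was explicitly turned off. Whether `my_mysqli_real_connect` (defined outside this hunk) sets any verification option is not visible here. The block also runs `$link->query()` after a failed connect at [009] and reads `$row["Value"]` after a failed `fetch_assoc()` at [012], and the 1064 fallback path skips the empty-cipher check entirely. The [007] and [013] messages misspell "encryption" and lack a trailing `\n`, so they would run into the following output.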
@@ -78,4 +112,10 @@ array(2) {
   ["Value"]=>
   string(%d) "%S"
 }
+array(2) {
+  ["Variable_name"]=>
+  string(10) "Ssl_cipher"
+  ["Value"]=>
+  string(%d) "%S"
+}
 done!
index 69f4b7a54a3fdcedc42e3e725fe04fd45632348f..4cbe9deb29626e4b25f6147ca73e11839d5714e8 100644 (file)
@@ -901,6 +901,12 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
                zval verify_peer_zval;
                ZVAL_TRUE(&verify_peer_zval);
                php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+               php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
+       } else {
+               zval verify_peer_zval;
+               ZVAL_FALSE(&verify_peer_zval);
+               php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+               php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
        }
        if (net->data->options.ssl_cert) {
                zval cert_zval;
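Review bot: The new `else` branch sets both `verify_peer` and `verify_peer_name` to false whenever the guarding condition (outside this hunk) is not met, so if that condition is an opt-in flag, every TLS connection that does not request verification is encrypted but never authenticates the server. Disabling validation is safer as an explicit opt-out that leaves verification on when the caller expressed no preference. At minimum the branch should carry a comment such as `/* caller disabled peer verification: traffic is encrypted but the server identity is not checked */`. The true branch now also enforces `verify_peer_name`, which may reject existing connections whose certificate name does not match the host, so that deserves a changelog entry. The body of `enable_ssl` starts and ends outside the hunk.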
@@ -918,7 +924,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
        if (net->data->options.ssl_capath) {
                zval capath_zval;
                ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
-               php_stream_context_set_option(context, "ssl", "cafile", &capath_zval);
+               php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
        }
        if (net->data->options.ssl_passphrase) {
                zval passphrase_zval;