From: Andrey Hristov
Date: Wed, 21 Oct 2015 13:10:24 +0000 (+0200)
Subject: Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
X-Git-Tag: php-7.0.1RC1~210^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8292260515a904b4d515484145c78f33a06ae1ae;p=php
Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
---
diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt
index 78540f1c33..349d6dbbb0 100644
--- a/ext/mysqli/tests/bug51647.phpt
+++ b/ext/mysqli/tests/bug51647.phpt
@@ -65,9 +65,43 @@ $link->close();
 } else {
 if (!$row = $res->fetch_assoc())
 printf("[006] [%d] %s\n", $link->errno, $link->error);
+ if (!strlen($row["Value"]))
+ printf("[007] Empty cipher. No encrytion!");
 }
 var_dump($row);
+ $link->close();
+
+ if (!is_object($link = mysqli_init()))
+ printf("[008] Cannot create link\n");
+
+ if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL)) {
+ printf("[009] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
+ }
+
+ if (!$res = $link->query('SHOW STATUS like "Ssl_cipher"')) {
+ if (1064 == $link->errno) {
+ /* ERROR 1064 (42000): You have an error in your SQL syntax; = sql strict mode */
+ if ($res = $link->query("SHOW STATUS")) {
+ while ($row = $res->fetch_assoc())
+ if ($row['Variable_name'] == 'Ssl_cipher')
+ break;
+ } else {
+ printf("[010] [%d] %s\n", $link->errno, $link->error);
+ }
+ } else {
+ printf("[011] [%d] %s\n", $link->errno, $link->error);
+ }
+ } else {
+ if (!$row = $res->fetch_assoc())
+ printf("[012] [%d] %s\n", $link->errno, $link->error);
+ if (!strlen($row["Value"]))
+ printf("[013] Empty cipher. No encrytion!");
+ }
+
+ var_dump($row);
+
+ $link->close();
 print "done!";
 ?>
@@ -78,4 +112,10 @@ array(2) {
 ["Value"]=>
 string(%d) "%S"
 }
+array(2) {
+ ["Variable_name"]=>
+ string(10) "Ssl_cipher"
+ ["Value"]=>
+ string(%d) "%S"
+}
 done!
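Review bot: The new block (checks `[008]` to `[013]`) only shows that a cipher is negotiated when connecting with `MYSQLI_CLIENT_SSL` and no CA settings. Nothing in it checks that a connection is refused when peer verification is requested and the server certificate does not validate, so a change that leaves validation permanently off would still pass this test. Separately, `strlen($row["Value"])` at `[007]` and `[013]` runs even when `fetch_assoc()` returned no row, and after the failed connect at `[009]` the script still calls `$link->query()`. Guarding with `if ($row && !strlen($row["Value"]))` and stopping after `[009]` would keep a failure readable. Both new messages also misspell "encryption" as `encrytion`.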
diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
index 69f4b7a54a..4cbe9deb29 100644
--- a/ext/mysqlnd/mysqlnd_net.c
+++ b/ext/mysqlnd/mysqlnd_net.c
@@ -901,6 +901,12 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 zval verify_peer_zval;
 ZVAL_TRUE(&verify_peer_zval);
 php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
+ } else {
+ zval verify_peer_zval;
+ ZVAL_FALSE(&verify_peer_zval);
+ php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
 }
 if (net->data->options.ssl_cert) {
 zval cert_zval;
@@ -918,7 +924,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 if (net->data->options.ssl_capath) {
 zval capath_zval;
 ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
- php_stream_context_set_option(context, "ssl", "cafile", &capath_zval);
+ php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
 }
 if (net->data->options.ssl_passphrase) {
 zval passphrase_zval;
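Review bot: The added `else` branch in the first hunk sets both `verify_peer` and `verify_peer_name` to false whenever the enclosing condition is not met, so certificate validation is switched off by the absence of an opt-in rather than by an explicit request. The `if` that this `else` belongs to opens above the hunk, so its condition is not visible here. If it tests an option that is unset by default, every TLS connection that does not ask for verification would be encrypted but unauthenticated, and so open to interception. I would leave the stream defaults untouched unless the caller explicitly asked to skip validation (a three-state option: default, verify, do not verify), and mark the branch with a comment such as `/* peer validation disabled on explicit request only; the server is not authenticated */`.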