<div dir="ltr">Unfortunately it's not quite that simple. I recommend reading all of the comments on the bug page. This is a major issue and it's been going on for over a year.<div><br></div><div>A single hostname will never work for a MySQL cluster where the clients need to connect to different nodes with different names.</div><div><br></div><div>Even if you aren't using a cluster, making the hostname match doesn't appear to work, possibly due to changes in either PHP or OpenSSL since the bug was filed. I dicked around for several hours generating new certificates, making sure they all matched up to hostnames (both client and server) and even adding my CA Cert to the keystore. Nothing worked. I eventually recompiled PHP with the patch.</div><div><br></div><div>It *is* a security bug, because it forces people who do not have either the patience or the knowledge to recompile the package with the patch to turn off SSL between their web and DB server. The other option is to downgrade PHP to an earlier version which also has security implications.</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 2, 2015 at 11:51 AM, Ondřej Surý <span dir="ltr"><<a href="mailto:ondrej@sury.org" target="_blank">ondrej@sury.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Control: tags -1 -security<br>
Control: severity -1 normal<br>
<br>
Hi Adam,<br>
<br>
is there a problem to generate a self-signed certificate that matches<br>
the name of the server? If that's the only problem it could be easily<br>
solved by that. Also there exists a viable workaround, just install<br>
php5-mysql instead of php5-mysqlnd, thus I am lowering the severity of<br>
the bug.<br>
<br>
Also I am removing security tag because in fact this is not a security<br>
bug since it doesn't lower the security of TLS (quite the opposite).<br>
<br>
Cheers,<br>
Ondrej<br>
<br>
On Wed, Sep 2, 2015, at 18:19, Adam McKenna wrote:<br>
> Package: php5-mysqlnd<br>
> Version: 5.6.12+dfsg-0+deb8u1<br>
> Severity: important<br>
> Tags: security upstream patch<br>
><br>
> <a href="https://bugs.php.net/bug.php?id=68344" rel="noreferrer" target="_blank">https://bugs.php.net/bug.php?id=68344</a><br>
><br>
> Description:<br>
> ------------<br>
> When the MySQLi extension is compiled against mysqlnd there is no method<br>
> to disable peer_name validation. Since MySQL 5.6 now enables peer_name<br>
> validation by DEFAULT those of us connecting to servers with self-signed<br>
> certs via SSL are no longer able too.<br>
><br>
> I have tried to signal the default ssl stream context to disable<br>
> peer_name validation but mysqli extension will NOT honor it.<br>
><br>
> If the remote-server's name does not match the name you are connecting to<br>
> (as in, for example, a mysql cluster and connecting to a single node<br>
> directly) you will not be able to connect at all in any way shape or form<br>
> with mysqli. -- The old mysql extension is not effected by this change<br>
> as it honors the my.cnf mysql client's validation settings.<br>
><br>
> Test script:<br>
> ---------------<br>
> <?php<br>
><br>
> stream_context_set_default(array(<br>
> 'ssl' => array(<br>
> 'peer_name' => 'generic-server',<br>
> 'verify_peer' => FALSE,<br>
> 'verify_peer_name' => FALSE,<br>
> 'allow_self_signed' => TRUE,<br>
> ),<br>
> ));<br>
><br>
> $mysqli = mysqli_init();<br>
> mysqli_ssl_set($mysqli,"/etc/pki/mysql/client.key","/etc/pki/mysql/client.crt","/etc/pki/mysql/ca-cert.pem",NULL,NULL);<br>
> $conn =<br>
> mysqli_real_connect($mysqli,'dbserver.local','test','test1234','',NULL,'',MYSQLI_CLIENT_SSL);<br>
> var_dump($conn);<br>
><br>
> ?><br>
><br>
><br>
> Expected result:<br>
> ----------------<br>
> I expect to be able to disable peer_name validation for those situations<br>
> were the certificate name cant possibly be verified (ie: self-signed<br>
> certs) and be able to connect to the mysql server.<br>
><br>
> Actual result:<br>
> --------------<br>
> MySQLi will NOT connect to mysql server and throws 4 warnings:<br>
><br>
> Warning: mysqli_real_connect(): Peer certificate CN=`generic-server' did<br>
> not match expected CN=`dbserver.local'<br>
> Warning: mysqli_real_connect(): Cannot connect to MySQL by using SSL<br>
> Warning: mysqli_real_connect(): [2002] (trying to connect via<br>
> tcp://dbserver.local:3306)<br>
> Warning: mysqli_real_connect(): (HY000/2002):<br>
><br>
> Patch:<br>
><br>
> ; obey few default context options<br>
> ; <a href="https://bugs.php.net/bug.php?id=68344" rel="noreferrer" target="_blank">https://bugs.php.net/bug.php?id=68344</a><br>
> diff -urbB php-5.6.12/ext/mysqlnd/mysqlnd_net.c<br>
> php-5.6.12/ext/mysqlnd/mysqlnd_net.c<br>
> --- php-5.6.12/ext/mysqlnd/mysqlnd_net.c 2015-08-06<br>
> 09:55:57.000000000 +0200<br>
> +++ php-5.6.12/ext/mysqlnd/mysqlnd_net.c 2015-08-10<br>
> 13:25:30.187912101 +0200<br>
> @@ -29,6 +29,7 @@<br>
> #include "mysqlnd_ext_plugin.h"<br>
> #include "php_network.h"<br>
> #include "zend_ini.h"<br>
> +#include "ext/standard/file.h"<br>
> #ifdef MYSQLND_COMPRESSION_ENABLED<br>
> #include <zlib.h><br>
> #endif<br>
> @@ -868,6 +868,21 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(<br>
> DBG_RETURN(FAIL);<br>
> }<br>
><br>
> + if (FG(default_context)) {<br>
> + zval **tmpzval = NULL;<br>
> + int i = 0;<br>
> + /* copy values from default stream settings */<br>
> + char *opts[] = { "allow_self_signed", "cafile", "capath",<br>
> "ciphers", "CN_match",<br>
> + "disable_compression", "local_cert", "local_pk",<br>
> "no_ticket", "passphrase",<br>
> + "peer_fingerprint", "peer_name", "SNI_enabled",<br>
> "SNI_server_certs", "SNI_server_name",<br>
> + "verify_depth", "verify_peer",<br>
> "verify_peer_name", NULL };<br>
> + while (opts[i]) {<br>
> + if<br>
> (php_stream_context_get_option(FG(default_context), "ssl", opts[i],<br>
> &tmpzval) == SUCCESS)<br>
> + php_stream_context_set_option(context,<br>
> "ssl", opts[i], *tmpzval);<br>
> + i++;<br>
> + }<br>
> + }<br>
> +<br>
> if (net->data->options.ssl_key) {<br>
> zval key_zval;<br>
> ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);<br>
><br>
> -- Package-specific info:<br>
> ==== Additional PHP 5 information ====<br>
><br>
> ++++ PHP 5 SAPI (php5query -S): ++++<br>
> fpm<br>
> cli<br>
><br>
> ++++ PHP 5 Extensions (php5query -M -v): ++++<br>
> pdo (Enabled for fpm by maintainer script)<br>
> pdo (Enabled for cli by maintainer script)<br>
> readline (Enabled for fpm by maintainer script)<br>
> readline (Enabled for cli by maintainer script)<br>
> pdo_mysql (Enabled for fpm by maintainer script)<br>
> pdo_mysql (Enabled for cli by maintainer script)<br>
> json (Enabled for fpm by maintainer script)<br>
> json (Enabled for cli by maintainer script)<br>
> memcached (Enabled for fpm by local administrator)<br>
> memcached (Enabled for cli by local administrator)<br>
> mysqli (Enabled for fpm by maintainer script)<br>
> mysqli (Enabled for cli by maintainer script)<br>
> opcache (Enabled for fpm by maintainer script)<br>
> opcache (Enabled for cli by maintainer script)<br>
> mysql (Enabled for fpm by maintainer script)<br>
> mysql (Enabled for cli by maintainer script)<br>
> curl (Enabled for fpm by maintainer script)<br>
> curl (Enabled for cli by maintainer script)<br>
> mysqlnd (Enabled for fpm by maintainer script)<br>
> mysqlnd (Enabled for cli by maintainer script)<br>
> redis (Enabled for fpm by maintainer script)<br>
> redis (Enabled for cli by maintainer script)<br>
><br>
> ++++ Configuration files: ++++<br>
> **** /etc/php5/mods-available/mysqlnd.ini ****<br>
> extension=mysqlnd.so<br>
><br>
> **** /etc/php5/mods-available/mysql.ini ****<br>
> extension=mysql.so<br>
><br>
> **** /etc/php5/mods-available/mysqli.ini ****<br>
> extension=mysqli.so<br>
><br>
> **** /etc/php5/mods-available/pdo_mysql.ini ****<br>
> extension=pdo_mysql.so<br>
><br>
><br>
> -- System Information:<br>
> Debian Release: 8.1<br>
> APT prefers stable-updates<br>
> APT policy: (500, 'stable-updates'), (500, 'stable')<br>
> Architecture: amd64 (x86_64)<br>
><br>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)<br>
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)<br>
> Shell: /bin/sh linked to /bin/dash<br>
> Init: systemd (via /run/systemd/system)<br>
><br>
> Versions of packages php5-mysqlnd depends on:<br>
> ii libc6 2.19-18<br>
> ii php5-common [phpapi-20131226] 5.6.12+dfsg-0+deb8u1<br>
> ii ucf 3.0030<br>
><br>
> php5-mysqlnd recommends no packages.<br>
><br>
> php5-mysqlnd suggests no packages.<br>
><br>
> Versions of packages php5-common depends on:<br>
> ii libc6 2.19-18<br>
> ii lsof 4.86+dfsg-1<br>
> ii psmisc 22.21-2<br>
> ii sed 4.2.2-4+b1<br>
> ii ucf 3.0030<br>
><br>
> Versions of packages php5-common suggests:<br>
> pn php5-user-cache <none><br>
><br>
> Versions of packages php5-cli depends on:<br>
> ii libbz2-1.0 1.0.6-7+b3<br>
> ii libc6 2.19-18<br>
> ii libcomerr2 1.42.12-1.1<br>
> ii libdb5.3 5.3.28-9<br>
> ii libedit2 3.1-20140620-2<br>
> ii libgssapi-krb5-2 1.12.1+dfsg-19<br>
> ii libk5crypto3 1.12.1+dfsg-19<br>
> ii libkrb5-3 1.12.1+dfsg-19<br>
> ii libmagic1 1:5.22+15-2<br>
> ii libonig2 5.9.5-3.2<br>
> ii libpcre3 2:8.35-3.3<br>
> ii libqdbm14 1.8.78-5+b1<br>
> ii libssl1.0.0 1.0.1k-3+deb8u1<br>
> ii libxml2 2.9.1+dfsg1-5<br>
> ii mime-support 3.58<br>
> ii php5-common 5.6.12+dfsg-0+deb8u1<br>
> ii php5-json 1.3.6-1<br>
> ii tzdata 2015f-0+deb8u1<br>
> ii ucf 3.0030<br>
> ii zlib1g 1:1.2.8.dfsg-2+b1<br>
><br>
> Versions of packages php5-cli recommends:<br>
> ii php5-readline 5.6.12+dfsg-0+deb8u1<br>
><br>
> Versions of packages php5-cli suggests:<br>
> pn php-pear <none><br>
><br>
> Versions of packages php5-fpm depends on:<br>
> ii init-system-helpers 1.22<br>
> ii libapparmor1 2.9.0-3<br>
> ii libbz2-1.0 1.0.6-7+b3<br>
> ii libc6 2.19-18<br>
> ii libcomerr2 1.42.12-1.1<br>
> ii libdb5.3 5.3.28-9<br>
> ii libgssapi-krb5-2 1.12.1+dfsg-19<br>
> ii libk5crypto3 1.12.1+dfsg-19<br>
> ii libkrb5-3 1.12.1+dfsg-19<br>
> ii libmagic1 1:5.22+15-2<br>
> ii libonig2 5.9.5-3.2<br>
> ii libpcre3 2:8.35-3.3<br>
> ii libqdbm14 1.8.78-5+b1<br>
> ii libssl1.0.0 1.0.1k-3+deb8u1<br>
> ii libsystemd0 215-17+deb8u1<br>
> ii libxml2 2.9.1+dfsg1-5<br>
> ii mime-support 3.58<br>
> ii php5-cli 5.6.12+dfsg-0+deb8u1<br>
> ii php5-common 5.6.12+dfsg-0+deb8u1<br>
> ii php5-json 1.3.6-1<br>
> ii tzdata 2015f-0+deb8u1<br>
> ii ucf 3.0030<br>
> ii zlib1g 1:1.2.8.dfsg-2+b1<br>
><br>
> Versions of packages php5-fpm suggests:<br>
> pn php-pear <none><br>
><br>
> -- no debconf information<br>
><br>
> _______________________________________________<br>
> pkg-php-maint mailing list<br>
> <a href="mailto:pkg-php-maint@lists.alioth.debian.org">pkg-php-maint@lists.alioth.debian.org</a><br>
> <a href="http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint" rel="noreferrer" target="_blank">http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint</a><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
Ondřej Surý <<a href="mailto:ondrej@sury.org">ondrej@sury.org</a>><br>
Knot DNS (<a href="https://www.knot-dns.cz/" rel="noreferrer" target="_blank">https://www.knot-dns.cz/</a>) – a high-performance DNS server<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div><font face="verdana, sans-serif" size="2">BTC: 1D8AM4aXWEbCX3RcemZjZBxB6X1uqhthqY LTC: LVtDsd9cWFU5ueQsJ5nNFgBRTghPUV4isg</font></div><div><b><font color="#ff0000" face="verdana, sans-serif"><a href="https://www.multipool.us" target="_blank">https://www.multipool.us</a> - Always mine the most profitable coin - Now with SHA-256 ASIC Multiport!</font></b></div></div></div></div>
</div>