I think it's easier to track this in the issue tracker than on the
mailing list, so we can track progress as a team. I've opened an issue
at
Hi,
Sorry for the delay.
I forgot the versions:
Database server
Server: fone2 (127.0.0.1 via TCP/IP)
Server type: MySQL
Server version: 5.7.12-0ubuntu1 - (Ubuntu)
Protocol version: 10
User: szabolcs@localhost
Server charset: UTF-8 Unicode (utf8)
Web server
Apache/2.4.18 (Ubuntu)
Database client version: libmysql - mysqlnd 5.0.12-dev - 20150407 - $Id: f59eb767fe17a6679589b5c076d9fa88d3d4eac0 $
PHP extension: mysqli curl mbstring
PHP version: 7.0.4-7ubuntu2.1
openssl
OpenSSL support: enabled
OpenSSL Library Version: OpenSSL 1.0.2g-fips 1 Mar 2016
OpenSSL Header Version: OpenSSL 1.0.2g-fips 1 Mar 2016
Openssl default config: /usr/lib/ssl/openssl.cnf
If you have to authenticate with a certificate, you use mysqli_ssl_set().
In this case you need a private key and a certificate. But if you want
only secure communication (like https), you don't need these. You only need
the mysqli_client_ssl flag to use SSL.
From mysql log:
2016-06-03T06:02:02.098148Z11604 Connect szabolcs(a)xxx.xxx.xxx.xxx on using SSL/TLS
Regards,
Szabolcs
Date: Thu, 2 Jun 2016 09:16:40 -0400
From: Isaac Bennetch <bennetch(a)gmail.com>
To: Developer discussion for phpMyAdmin <developers(a)phpmyadmin.net>
Subject: Re: [phpMyAdmin Developers] Connect with SSL
Message-ID: <dc965fae-89cf-26a0-d22a-c3b7fab3f561(a)gmail.com>
Content-Type: text/plain; charset=utf-8
Hi, thanks for your report and detailed research. Please see below...
On 6/2/16 8:24 AM, Kordován Szabolcs wrote:
Hi,
I had a problem with a secure connection to the SQL server.
I use the mysqli extension, and I configured server['ssl'] = true. I have a
user 'szabolcs' in SQL who needs SSL.
First I received 'mysqli_real_connect(): (HY000/1045): Access denied for
user 'szabolcs'@'localhost' (using password: YES)'.
That was because PMA doesn't use MYSQLI_CLIENT_SSL. I should add it to
$client_flags.
As far as I'm aware, PHP doesn't need MYSQLI_CLIENT_SSL when calling
mysql_ssl_set() before mysqli_real_connect(). The current documentation
doesn't reference this scenario at all, but previous versions did state
that MYSQLI_CLIENT_SSL was not required here (see, for example, [1]).
After this I got the following error: 'mysqli_query(): SSL operation
failed with code 1. OpenSSL Error messages: error:0607A082:digital
envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
error:0607A082:digital envelope
routines:EVP_CIPHER_CTX_set_key_length:invalid key length'.
PMA uses openssl functions to encrypt values in the cookie if the openssl
functions exist; otherwise PMA uses Crypt\AES. With Crypt\AES PMA works
fine.
I don't know the exact source of this problem. I think the openssl
functions have a bug.
There was some incompatibility between MySQL and OpenSSL (see [2]),
however the error reported was a bit different.
Because the mysqli connection with SSL is successful. After connection,
in common.inc.php, $auth_plugin->storeUserCredentials() is called. This
function stores the username, password and other parameters in a
cookie. To encrypt:
openssl_encrypt(
$data,
'AES-128-CBC',
$secret,
0,
$this->_cookie_iv
);
I think the problem is that openssl_encrypt changes the cipher to
AES-128-CBC globally. It means the cipher of the mysqli connection is also
modified. This is why mysqli_query failed after encryption.
Interesting.
Here is my solution:
diff -ruN original/libraries/dbi/DBIMysqli.php
working/libraries/dbi/DBIMysqli.php
--- original/libraries/dbi/DBIMysqli.php 2016-05-25
19:07:44.000000000 +0200
+++ working/libraries/dbi/DBIMysqli.php 2016-05-26
15:55:49.000000000 +0200
@@ -152,6 +152,7 @@
/* Optionally enable SSL */
if ($cfg['Server']['ssl']) {
+ $client_flags |= MYSQLI_CLIENT_SSL;
mysqli_ssl_set(
$link,
$cfg['Server']['ssl_key'],
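Review bot: the added line $client_flags |= MYSQLI_CLIENT_SSL; at the top of the if ($cfg['Server']['ssl']) block carries no comment explaining why the flag is needed when mysqli_ssl_set() is called directly after it. The thread shows this is not obvious (the case is a user that requires SSL while no client key or certificate is configured), so a one-line comment stating that case would help. The hunk also does not show where $client_flags is initialised; please confirm it is assigned before this |= and that it is the value later passed to mysqli_real_connect().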
diff -ruN original/libraries/plugins/auth/AuthenticationCookie.php
working/libraries/plugins/auth/AuthenticationCookie.php
--- original/libraries/plugins/auth/AuthenticationCookie.php
2016-05-25 19:07:44.000000000 +0200
+++ working/libraries/plugins/auth/AuthenticationCookie.php
2016-05-26 15:56:27.000000000 +0200
@@ -661,6 +661,7 @@
*/
public static function useOpenSSL()
{
+ return false;
This also makes me think about some sort of OpenSSL problem.
return (
function_exists('openssl_encrypt')
&& function_exists('openssl_decrypt')
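Review bot: the unconditional return false; added as the first statement of useOpenSSL() makes the existing return ( function_exists('openssl_encrypt') ... expression below it unreachable, and it moves every installation off the OpenSSL cookie-encryption path, not only those that connect to MySQL over SSL. That is fine as a diagnostic, but for merging it should be limited to the affected case (for example, only when $cfg['Server']['ssl'] is set) and commented as a workaround, or replaced by a fix for the underlying conflict.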
diff -ruN original/RELEASE-DATE-4.6.1 working/RELEASE-DATE-4.6.1
--- original/RELEASE-DATE-4.6.1 1970-01-01 01:00:00.000000000 +0100
+++ working/RELEASE-DATE-4.6.1 2016-05-02 17:24:00.000000000 +0200
@@ -0,0 +1 @@
+Mon May 2 21:23:35 UTC 2016
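Review bot: the new file RELEASE-DATE-4.6.1 is unrelated to the SSL change; it is created from nothing (the original side carries the 1970-01-01 timestamp) and looks like a release-archive file picked up by diff -ruN between the two trees. Please drop it from the patch so that only DBIMysqli.php and AuthenticationCookie.php are touched.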
Regards,
Szabolcs
_______________________________________________
Developers mailing list
Developers(a)phpmyadmin.net <mailto:Developers@phpmyadmin.net>
https://lists.phpmyadmin.net/mailman/listinfo/developers
From phpinfo() could you please provide your OpenSSL version? Mine is
1.0.1k.
From the main page of phpMyAdmin, could you please provide "Database
client version", "PHP extension", and "PHP version" information? (Mine
is libmysql - 5.5.49 / mysqli curl mbstring / 5.6.20-0+deb8u1 )
Regards,
Isaac
1 - http://board.phpbuilder.com/showthread.php?10383611-Connecting-PHP-and-MYSQ…
2 - https://bugs.mysql.com/bug.php?id=64870
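The "Connect ... using SSL/TLS" entry quoted from the MySQL log in this thread is the server-side evidence that a session was encrypted. As an added example (not part of the thread or of phpMyAdmin), the Python script below audits such Connect entries and reports accounts that reached the server over the network without TLS. The sample lines are constructed, and the tab-separated layout, the "TCP/IP" and "Socket" labels and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the style of the log line quoted in the thread.
# Addresses are documentation ranges; the "TCP/IP" and "Socket" labels and the
# "Access denied" entry are assumptions about how other connections are logged.
SAMPLE_LOG = (
    "2016-06-03T06:02:02.098148Z\t11604 Connect\tszabolcs@192.0.2.10 on  using SSL/TLS\n"
    "2016-06-03T06:02:05.412200Z\t11605 Connect\treport@192.0.2.11 on sales using TCP/IP\n"
    "2016-06-03T06:02:05.500000Z\t11605 Query\tSELECT 1\n"
    "2016-06-03T06:03:11.000123Z\t11606 Connect\troot@localhost on  using Socket\n"
    "2016-06-03T06:04:00.000001Z\t11607 Connect\tAccess denied for user 'x'@'192.0.2.12' (using password: YES)\n"
    "2016-06-03T06:04:30.700000Z\t11608 Connect\treport@192.0.2.11 on sales using SSL/TLS\n"
)

# timestamp, thread id, "Connect", user@host, optional schema, transport label
CONNECT_RE = re.compile(
    r"^(?P<ts>\S+?Z)\s*(?P<id>\d+)\s+Connect\s+"
    r"(?P<user>[^@\s]+)@(?P<host>\S+)\s+on\s+(?P<db>\S*)\s*using\s+(?P<transport>.+?)\s*$"
)
LOCAL_TRANSPORTS = {"Socket"}  # stays on the host, so TLS is not expected


def parse_connects(log_text):
    """Yield (account, transport) for each successful Connect entry."""
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:  # failed logins and Query lines do not match
            yield f"{m['user']}@{m['host']}", m["transport"]


def cleartext_accounts(log_text):
    """Map account -> number of network connections made without TLS."""
    hits = Counter()
    for account, transport in parse_connects(log_text):
        if transport != "SSL/TLS" and transport not in LOCAL_TRANSPORTS:
            hits[account] += 1
    return dict(hits)


def mixed_accounts(log_text):
    """Accounts seen both with and without TLS, so TLS is not enforced for them."""
    seen = {}
    for account, transport in parse_connects(log_text):
        if transport not in LOCAL_TRANSPORTS:
            seen.setdefault(account, set()).add(transport == "SSL/TLS")
    return sorted(a for a, kinds in seen.items() if kinds == {True, False})


if __name__ == "__main__":
    print(cleartext_accounts(SAMPLE_LOG), mixed_accounts(SAMPLE_LOG))
```

An account that appears in mixed_accounts() can connect either way, which is the situation the MYSQLI_CLIENT_SSL change addresses on the client side; requiring SSL for the user on the server side closes it from the other end.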