Re: [phpMyAdmin Developers] Connect with SSL

I think it's easier to track this in the issue tracker than on the mailing list, so we can track progress as a team. I've opened an issue at https://github.com/phpmyadmin/phpmyadmin/issues/12293 On 6/3/16 2:50 AM, Kordován Szabolcs wrote: > Hi, > > Sorry for delay. > I forgot the versions: > Database server > > Server: fone2 (127.0.0.1 via TCP/IP) > Server type: MySQL > Server version: 5.7.12-0ubuntu1 - (Ubuntu) > Protocol version: 10 > User: szabolcs@localhost > Server charset: UTF-8 Unicode (utf8) > Web server > > Apache/2.4.18 (Ubuntu) > Database client version: libmysql - mysqlnd 5.0.12-dev - 20150407 - $Id: > f59eb767fe17a6679589b5c076d9fa88d3d4eac0 $ > PHP extension: mysqli curl mbstring > PHP version: 7.0.4-7ubuntu2.1 > > openssl > > OpenSSL supportenabled > OpenSSL Library VersionOpenSSL 1.0.2g-fips 1 Mar 2016 > OpenSSL Header VersionOpenSSL 1.0.2g-fips 1 Mar 2016 > Openssl default config/usr/lib/ssl/openssl.cnf > > > If you have to authenticate with certification you use mysqli_ssl_set(). > In this case you need private key and certification. But if you want > only a secure communication (like https) you don't need these. Only need > mysqli_client_ssl flag to use ssl. > From mysql log: > 2016-06-03T06:02:02.098148Z11604 Connect szabolcs(a)xxx.xxx.xxx.xxx > on using SSL/TLS > > Regards, > Szabolcs > > Date: Thu, 2 Jun 2016 09:16:40 -0400 > From: Isaac Bennetch &lt;bennetch(a)gmail.com <mailto:bennetch@gmail.com>> > To: Developer discussion for phpMyAdmin &lt;developers(a)phpmyadmin.net > <mailto:developers@phpmyadmin.net>> > Subject: Re: [phpMyAdmin Developers] Connect with SSL > Message-ID: &lt;dc965fae-89cf-26a0-d22a-c3b7fab3f561(a)gmail.com > <mailto:dc965fae-89cf-26a0-d22a-c3b7fab3f561@gmail.com>> > Content-Type: text/plain; charset=utf-8 > > Hi, thanks for your report and detailed research. Please see below... > > On 6/2/16 8:24 AM, Kordován Szabolcs wrote: > > Hi, > > > > I had a problem with secure connection to sql server. > > I use mysqli extension, I configured server['ssl'] = true. I have > a user > > 'szabolcs' in sql who needs ssl. > > First I received 'mysqli_real_connect(): (HY000/1045): Access > denied for > > user 'szabolcs'@'localhost' (using password: YES)'. > > That was why PMA doesn't use MYSQLI_CLIENT_SSL. I should add it to > > $client_flags. > > As far as I'm aware, PHP doesn't need MYSQLI_CLIENT_SSL when calling > mysql_ssl_set() before mysqli_real_connect(). The current documentation > doesn't reference this scenario at all, but previous versions did state > that MYSQLI_CLIENT_SSL was not required here (see, for example, [1]). > > > After this I got the following error:'mysqli_query(): SSL operation > > failed with code 1. OpenSSL Error messages: error:0607A082:digital > > envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length > > error:0607A082:digital envelope > > routines:EVP_CIPHER_CTX_set_key_length:invalid key length'. > > > > PMA uses openssel functions to encrypt values in cookie if openssl > > functions exist, other case PMA uses Crypt\AES. With Crypt\AES PMA > works > > fine. > > I don't know the exact source of this problem. I think openssl > functions > > have a bug. > > There was some incompatibility between MySQL and OpenSSL (see [2]), > however the error reported was a bit different. > > > Because the mysqli connection with ssl is successful After connection > > in common.inc.php $auth_plugin->storeUserCredentials() is called. This > > function stores the username and password and other parameters into > > cookie. To encrypt: > > openssl_encrypt( > > $data, > > 'AES-128-CBC', > > $secret, > > 0, > > $this->_cookie_iv > > ); > > I think the problem is that openssl_encrypt change the cipher to > > AES-128-CBC globally. It means the cipher of mysqli connection is also > > modified. This is why mysqli_query failed after encryption. > > Interesting. > > > Here is my solution: > > > > diff -ruN original/libraries/dbi/DBIMysqli.php > > working/libraries/dbi/DBIMysqli.php > > --- original/libraries/dbi/DBIMysqli.php 2016-05-25 > > 19:07:44.000000000 +0200 > > +++ working/libraries/dbi/DBIMysqli.php 2016-05-26 > 15:55:49.000000000 +0200 > > @@ -152,6 +152,7 @@ > > > > /* Optionally enable SSL */ > > if ($cfg['Server']['ssl']) { > > + $client_flags |= MYSQLI_CLIENT_SSL; > > mysqli_ssl_set( > > $link, > > $cfg['Server']['ssl_key'], > > diff -ruN original/libraries/plugins/auth/AuthenticationCookie.php > > working/libraries/plugins/auth/AuthenticationCookie.php > > --- original/libraries/plugins/auth/AuthenticationCookie.php > > 2016-05-25 19:07:44.000000000 +0200 > > +++ working/libraries/plugins/auth/AuthenticationCookie.php > > 2016-05-26 15:56:27.000000000 +0200 > > @@ -661,6 +661,7 @@ > > */ > > public static function useOpenSSL() > > { > > + return false; > > This also makes me think about some sort of OpenSSL problem. > > > return ( > > function_exists('openssl_encrypt') > > && function_exists('openssl_decrypt') > > diff -ruN original/RELEASE-DATE-4.6.1 working/RELEASE-DATE-4.6.1 > > --- original/RELEASE-DATE-4.6.1 1970-01-01 01:00:00.000000000 +0100 > > +++ working/RELEASE-DATE-4.6.1 2016-05-02 17:24:00.000000000 +0200 > > @@ -0,0 +1 @@ > > +Mon May 2 21:23:35 UTC 2016 > > > > Regards, > > Szabolcs > > > > > > _______________________________________________ > > Developers mailing list > > Developers(a)phpmyadmin.net <mailto:Developers@phpmyadmin.net> > > https://lists.phpmyadmin.net/mailman/listinfo/developers > > >From phpinfo() could you please provide your OpenSSL version? Mine is > 1.0.1k. > > >From the main page of phpMyAdmin, could you please provide "Database > client version", "PHP extension", and "PHP version" information? (Mine > is libmysql - 5.5.49 / mysqli curl mbstring / 5.6.20-0+deb8u1 ) > > Regards, > Isaac > > > 1 - > http://board.phpbuilder.com/showthread.php?10383611-Connecting-PHP-and-MYSQ… > 2 - https://bugs.mysql.com/bug.php?id=64870 > > > > > > _______________________________________________ > Developers mailing list > Developers(a)phpmyadmin.net > https://lists.phpmyadmin.net/mailman/listinfo/developers >