Hi,
I had a problem with secure connection to sql server. I use mysqli extension, I configured server['ssl'] = true. I have a user 'szabolcs' in sql who needs ssl. First I received 'mysqli_real_connect(): (HY000/1045): Access denied for user 'szabolcs'@'localhost' (using password: YES)'. That was because PMA doesn't use MYSQLI_CLIENT_SSL. I should add it to $client_flags.
After this I got the following error: 'mysqli_query(): SSL operation failed with code 1. OpenSSL Error messages: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length'.
PMA uses openssl functions to encrypt values in cookie if openssl functions exist, otherwise PMA uses Crypt\AES. With Crypt\AES PMA works fine. I don't know the exact source of this problem. I think openssl functions have a bug.
Because the mysqli connection with ssl is successful. After connection, in common.inc.php $auth_plugin->storeUserCredentials() is called. This function stores the username and password and other parameters into cookie. To encrypt: openssl_encrypt( $data, 'AES-128-CBC', $secret, 0, $this->_cookie_iv ); I think the problem is that openssl_encrypt changes the cipher to AES-128-CBC globally. It means the cipher of mysqli connection is also modified. This is why mysqli_query failed after encryption.
Here is my solution:
diff -ruN original/libraries/dbi/DBIMysqli.php working/libraries/dbi/DBIMysqli.php --- original/libraries/dbi/DBIMysqli.php 2016-05-25 19:07:44.000000000 +0200 +++ working/libraries/dbi/DBIMysqli.php 2016-05-26 15:55:49.000000000 +0200 @@ -152,6 +152,7 @@
/* Optionally enable SSL */ if ($cfg['Server']['ssl']) { + $client_flags |= MYSQLI_CLIENT_SSL; mysqli_ssl_set( $link, $cfg['Server']['ssl_key'], diff -ruN original/libraries/plugins/auth/AuthenticationCookie.php working/libraries/plugins/auth/AuthenticationCookie.php --- original/libraries/plugins/auth/AuthenticationCookie.php 2016-05-25 19:07:44.000000000 +0200 +++ working/libraries/plugins/auth/AuthenticationCookie.php 2016-05-26 15:56:27.000000000 +0200 @@ -661,6 +661,7 @@ */ public static function useOpenSSL() { + return false; return ( function_exists('openssl_encrypt') && function_exists('openssl_decrypt') diff -ruN original/RELEASE-DATE-4.6.1 working/RELEASE-DATE-4.6.1 --- original/RELEASE-DATE-4.6.1 1970-01-01 01:00:00.000000000 +0100 +++ working/RELEASE-DATE-4.6.1 2016-05-02 17:24:00.000000000 +0200 @@ -0,0 +1 @@ +Mon May 2 21:23:35 UTC 2016
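Review bot: In the DBIMysqli.php hunk, `$client_flags |= MYSQLI_CLIENT_SSL;` is added with no comment saying why the flag is needed in addition to mysqli_ssl_set(), and the visible context does not show where $client_flags is initialised or that it is later passed to the connect call. Please confirm both and add a one-line comment naming the "Access denied" failure this addresses.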
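Review bot: The unconditional `return false;` at the top of useOpenSSL() in AuthenticationCookie.php leaves the existing `return ( function_exists('openssl_encrypt') && ...` expression unreachable and turns the OpenSSL path off for every installation, not only for those that connect to MySQL over SSL. If this is meant as a workaround, guard it with a condition or a configuration setting and add a comment citing the error it avoids, rather than leaving dead code behind an early return.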
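Review bot: The RELEASE-DATE-4.6.1 hunk creates a release marker file that has nothing to do with the SSL change; it looks like a difference between the two source trees rather than part of the fix and should be dropped from the patch.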
Regards, Szabolcs
Hi, thanks for your report and detailed research. Please see below...
On 6/2/16 8:24 AM, Kordován Szabolcs wrote:
Hi,
I had a problem with secure connection to sql server. I use mysqli extension, I configured server['ssl'] = true. I have a user 'szabolcs' in sql who needs ssl. First I received 'mysqli_real_connect(): (HY000/1045): Access denied for user 'szabolcs'@'localhost' (using password: YES)'. That was because PMA doesn't use MYSQLI_CLIENT_SSL. I should add it to $client_flags.
As far as I'm aware, PHP doesn't need MYSQLI_CLIENT_SSL when calling mysql_ssl_set() before mysqli_real_connect(). The current documentation doesn't reference this scenario at all, but previous versions did state that MYSQLI_CLIENT_SSL was not required here (see, for example, [1]).
After this I got the following error: 'mysqli_query(): SSL operation failed with code 1. OpenSSL Error messages: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length'.
PMA uses openssl functions to encrypt values in cookie if openssl functions exist, otherwise PMA uses Crypt\AES. With Crypt\AES PMA works fine. I don't know the exact source of this problem. I think openssl functions have a bug.
There was some incompatibility between MySQL and OpenSSL (see [2]), however the error reported was a bit different.
Because the mysqli connection with ssl is successful. After connection, in common.inc.php $auth_plugin->storeUserCredentials() is called. This function stores the username and password and other parameters into cookie. To encrypt: openssl_encrypt( $data, 'AES-128-CBC', $secret, 0, $this->_cookie_iv ); I think the problem is that openssl_encrypt changes the cipher to AES-128-CBC globally. It means the cipher of mysqli connection is also modified. This is why mysqli_query failed after encryption.
Interesting.
Here is my solution:
diff -ruN original/libraries/dbi/DBIMysqli.php working/libraries/dbi/DBIMysqli.php --- original/libraries/dbi/DBIMysqli.php 2016-05-25 19:07:44.000000000 +0200 +++ working/libraries/dbi/DBIMysqli.php 2016-05-26 15:55:49.000000000 +0200 @@ -152,6 +152,7 @@
/* Optionally enable SSL */ if ($cfg['Server']['ssl']) {
$client_flags |= MYSQLI_CLIENT_SSL; mysqli_ssl_set( $link, $cfg['Server']['ssl_key'],
diff -ruN original/libraries/plugins/auth/AuthenticationCookie.php working/libraries/plugins/auth/AuthenticationCookie.php --- original/libraries/plugins/auth/AuthenticationCookie.php 2016-05-25 19:07:44.000000000 +0200 +++ working/libraries/plugins/auth/AuthenticationCookie.php 2016-05-26 15:56:27.000000000 +0200 @@ -661,6 +661,7 @@ */ public static function useOpenSSL() {
return false;
This also makes me think about some sort of OpenSSL problem.
return ( function_exists('openssl_encrypt') && function_exists('openssl_decrypt')
diff -ruN original/RELEASE-DATE-4.6.1 working/RELEASE-DATE-4.6.1 --- original/RELEASE-DATE-4.6.1 1970-01-01 01:00:00.000000000 +0100 +++ working/RELEASE-DATE-4.6.1 2016-05-02 17:24:00.000000000 +0200 @@ -0,0 +1 @@ +Mon May 2 21:23:35 UTC 2016
Regards, Szabolcs
Developers mailing list Developers@phpmyadmin.net https://lists.phpmyadmin.net/mailman/listinfo/developers
From phpinfo() could you please provide your OpenSSL version? Mine is 1.0.1k.
From the main page of phpMyAdmin, could you please provide "Database client version", "PHP extension", and "PHP version" information? (Mine is libmysql - 5.5.49 / mysqli curl mbstring / 5.6.20-0+deb8u1)
Regards, Isaac
[1] http://board.phpbuilder.com/showthread.php?10383611-Connecting-PHP-and-MYSQL...
[2] https://bugs.mysql.com/bug.php?id=64870
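The version details requested in the reply, and a stand-alone run of the `openssl_encrypt()` call quoted in the report, can be collected with a script like the one below. It is an added example, not phpMyAdmin code and not code from either poster; the sample data, the `$secret` values and the key lengths tried are constructed assumptions.

```php
<?php
// Added diagnostic sketch; not phpMyAdmin code.
// $data and $secret are constructed sample values, not real cookie contents.

// Environment details asked for in the reply.
$report = array(
    'php_version'     => PHP_VERSION,
    'openssl_version' => OPENSSL_VERSION_TEXT,
    'mysqli_client'   => function_exists('mysqli_get_client_info')
        ? mysqli_get_client_info() : 'mysqli not loaded',
);

// Drain anything already queued so later entries belong to the calls below.
while (openssl_error_string() !== false) {
}

$cipher = 'AES-128-CBC';
$iv     = openssl_random_pseudo_bytes(openssl_cipher_iv_length($cipher));
$data   = 'constructed-cookie-value';

// Try secrets of the exact AES-128 key size, a shorter one and a longer one.
foreach (array(16, 8, 32) as $keyLength) {
    $secret = str_repeat('k', $keyLength);

    // Same call shape as the one quoted in the report.
    $encrypted = openssl_encrypt($data, $cipher, $secret, 0, $iv);
    $decrypted = openssl_decrypt($encrypted, $cipher, $secret, 0, $iv);

    // Collect whatever OpenSSL left on its error queue after the round trip.
    $queued = array();
    while (($message = openssl_error_string()) !== false) {
        $queued[] = $message;
    }

    $report['key_' . $keyLength] = array(
        'round_trip_ok' => ($decrypted === $data),
        'queued_errors' => $queued,
    );
}

print_r($report);
```

Any entries under `queued_errors` were recorded by OpenSSL during the cookie-style encryption alone, with no MySQL connection involved, which helps separate the two code paths when comparing environments.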