[phpMyAdmin Developers] Connect with SSL

Kordován Szabolcs koszab at gmail.com
Thu Jun 2 14:24:50 CEST 2016


Hi,

I had a problem with a secure connection to the SQL server.
I use the mysqli extension, and I configured server['ssl'] = true. I have a user
'szabolcs' in SQL who needs SSL.
First I received 'mysqli_real_connect(): (HY000/1045): Access denied for
user 'szabolcs'@'localhost' (using password: YES)'.
That was because PMA doesn't use MYSQLI_CLIENT_SSL. I should add it to
$client_flags.

After this I got the following error: 'mysqli_query(): SSL operation failed
with code 1. OpenSSL Error messages: error:0607A082:digital envelope
routines:EVP_CIPHER_CTX_set_key_length:invalid key length
error:0607A082:digital envelope
routines:EVP_CIPHER_CTX_set_key_length:invalid key length'.
PMA uses openssl functions to encrypt values in the cookie if the openssl
functions exist; otherwise PMA uses Crypt\AES. With Crypt\AES PMA works
fine.
I don't know the exact source of this problem. I think openssl functions
have a bug.
Because the mysqli connection with ssl is successful. After connection, in
common.inc.php, $auth_plugin->storeUserCredentials() is called. This
function stores the username and password and other parameters into the cookie.
To encrypt:
openssl_encrypt(
                $data,
                'AES-128-CBC',
                $secret,
                0,
                $this->_cookie_iv
            );
I think the problem is that openssl_encrypt changes the cipher to
AES-128-CBC globally. It means the cipher of the mysqli connection is also
modified. This is why mysqli_query failed after encryption.

Here is my solution:

diff -ruN original/libraries/dbi/DBIMysqli.php
working/libraries/dbi/DBIMysqli.php
--- original/libraries/dbi/DBIMysqli.php        2016-05-25
19:07:44.000000000 +0200
+++ working/libraries/dbi/DBIMysqli.php 2016-05-26 15:55:49.000000000 +0200
@@ -152,6 +152,7 @@

         /* Optionally enable SSL */
         if ($cfg['Server']['ssl']) {
+           $client_flags |= MYSQLI_CLIENT_SSL;
             mysqli_ssl_set(
                 $link,
                 $cfg['Server']['ssl_key'],
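
Review bot: the added `$client_flags |= MYSQLI_CLIENT_SSL;` at the top of the `if ($cfg['Server']['ssl'])` block only takes effect if `$client_flags` is initialised before this point and is passed to the connect call afterwards; neither is visible in this hunk, so please confirm both. A one-line comment saying the flag is needed for accounts that require SSL would also help, because the `mysqli_ssl_set()` call directly below reads as if it already enabled SSL on its own.
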
diff -ruN original/libraries/plugins/auth/AuthenticationCookie.php
working/libraries/plugins/auth/AuthenticationCookie.php
--- original/libraries/plugins/auth/AuthenticationCookie.php    2016-05-25
19:07:44.000000000 +0200
+++ working/libraries/plugins/auth/AuthenticationCookie.php     2016-05-26
15:56:27.000000000 +0200
@@ -661,6 +661,7 @@
      */
     public static function useOpenSSL()
     {
+       return false;
         return (
             function_exists('openssl_encrypt')
             && function_exists('openssl_decrypt')
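
Review bot: the unconditional `return false;` as the first statement of `useOpenSSL()` makes the existing `return ( function_exists('openssl_encrypt') ...` unreachable and switches off the OpenSSL path for every installation, including those that do not connect to MySQL over SSL. That is fine as a local workaround but not as a change to merge: either gate it on a condition (for example a configuration option, or `$cfg['Server']['ssl']` being set) or track down why the `invalid key length` error is raised and fix that. In both cases remove the dead code rather than leaving it under an early return.
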
diff -ruN original/RELEASE-DATE-4.6.1 working/RELEASE-DATE-4.6.1
--- original/RELEASE-DATE-4.6.1 1970-01-01 01:00:00.000000000 +0100
+++ working/RELEASE-DATE-4.6.1  2016-05-02 17:24:00.000000000 +0200
@@ -0,0 +1 @@
+Mon May  2 21:23:35 UTC 2016
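
Review bot: `RELEASE-DATE-4.6.1` has nothing to do with the SSL change; the `1970-01-01` timestamp on the `original` side shows the file does not exist in that tree, so this hunk is a by-product of running `diff -ruN` over two directories. Drop it from the patch.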

Regards,
Szabolcs
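
The `invalid key length` text in the error quoted above names an EVP cipher routine, not a TLS one. The following PHP is an added example, not phpMyAdmin's code and not part of the original message: on the assumption that the entry was left in OpenSSL's error queue by the cookie encryption call, it gives AES-128-CBC a key of exactly 16 bytes and empties the queue after each call. All function names and sample values are hypothetical.

```php
<?php
// Added example; function names and sample values are hypothetical.
// Scope: key length and error queue only. CBC has no integrity protection,
// so a real cookie format would also carry a MAC.
const CIPHER = 'AES-128-CBC';

/** Empty OpenSSL's per-thread error queue and return what it held. */
function drain_openssl_errors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

/** AES-128 takes a 16-byte key; derive exactly that from any secret. */
function derive_key(string $secret): string
{
    return hash_hkdf('sha256', $secret, 16, 'cookie-encryption');
}

function cookie_encrypt(string $data, string $secret): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($data, CIPHER, derive_key($secret), OPENSSL_RAW_DATA, $iv);
    $errors = drain_openssl_errors(); // leave nothing behind for later TLS I/O
    if ($ct === false) {
        throw new RuntimeException('encrypt failed: ' . implode('; ', $errors));
    }
    return base64_encode($iv . $ct);
}

function cookie_decrypt(string $cookie, string $secret): string
{
    $raw = base64_decode($cookie, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen) {
        throw new InvalidArgumentException('malformed cookie value');
    }
    $pt = openssl_decrypt(substr($raw, $ivLen), CIPHER, derive_key($secret), OPENSSL_RAW_DATA, substr($raw, 0, $ivLen));
    $errors = drain_openssl_errors();
    if ($pt === false) {
        throw new RuntimeException('decrypt failed: ' . implode('; ', $errors));
    }
    return $pt;
}
// Constructed sample secret, deliberately longer than 16 bytes.
$secret = 'constructed-sample-secret-well-over-sixteen-bytes';
var_dump(cookie_decrypt(cookie_encrypt('szabolcs', $secret), $secret));
var_dump(drain_openssl_errors());
```

Calling `drain_openssl_errors()` immediately before the first query on an SSL connection and logging what it returns is a quick way to test whether leftover queue entries are involved.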