[phpMyAdmin Developers] Connect with SSL

Isaac Bennetch bennetch at gmail.com
Thu Jun 2 15:16:40 CEST 2016


Hi, thanks for your report and detailed research. Please see below...

On 6/2/16 8:24 AM, Kordován Szabolcs wrote:
> Hi,
> 
> I had a problem with secure connection to sql server.
> I use mysqli extension, I configured server['ssl'] = true. I have a user
> 'szabolcs' in sql who needs ssl.
> First I received 'mysqli_real_connect(): (HY000/1045): Access denied for
> user 'szabolcs'@'localhost' (using password: YES)'.
> That was why PMA doesn't use MYSQLI_CLIENT_SSL. I should add it to
> $client_flags.

As far as I'm aware, PHP doesn't need MYSQLI_CLIENT_SSL when calling
mysql_ssl_set() before mysqli_real_connect(). The current documentation
doesn't reference this scenario at all, but previous versions did state
that MYSQLI_CLIENT_SSL was not required here (see, for example, [1]).

> After this I got the following error:'mysqli_query(): SSL operation
> failed with code 1. OpenSSL Error messages: error:0607A082:digital
> envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
> error:0607A082:digital envelope
> routines:EVP_CIPHER_CTX_set_key_length:invalid key length'.
>
> PMA uses openssl functions to encrypt values in cookie if openssl
> functions exist, otherwise PMA uses Crypt\AES. With Crypt\AES PMA works
> fine.
> I don't know the exact source of this problem. I think openssl functions
> have a bug.

There was some incompatibility between MySQL and OpenSSL (see [2]),
however the error reported was a bit different.

> Because the mysqli connection with ssl is successful  After connection
> in common.inc.php $auth_plugin->storeUserCredentials() is called. This
> function stores the username and password and other parameters into
> cookie. To encrypt:
> openssl_encrypt(
>                 $data,
>                 'AES-128-CBC',
>                 $secret,
>                 0,
>                 $this->_cookie_iv
>             );
> I think the problem is that openssl_encrypt changes the cipher to
> AES-128-CBC globally. It means the cipher of mysqli connection is also
> modified. This is why mysqli_query failed after encryption.

Interesting.

> Here is my solution:
> 
> diff -ruN original/libraries/dbi/DBIMysqli.php
> working/libraries/dbi/DBIMysqli.php
> --- original/libraries/dbi/DBIMysqli.php        2016-05-25
> 19:07:44.000000000 +0200
> +++ working/libraries/dbi/DBIMysqli.php 2016-05-26 15:55:49.000000000 +0200
> @@ -152,6 +152,7 @@
> 
>          /* Optionally enable SSL */
>          if ($cfg['Server']['ssl']) {
> +           $client_flags |= MYSQLI_CLIENT_SSL;
>              mysqli_ssl_set(
>                  $link,
>                  $cfg['Server']['ssl_key'],
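
Review bot: the added `$client_flags |= MYSQLI_CLIENT_SSL;` line has no comment saying why the flag is needed when `mysqli_ssl_set()` is called directly after it, and it is indented one column less than the `mysqli_ssl_set(` line that follows. The flag only has an effect if `$client_flags` reaches the connect call, which this hunk does not show, so please confirm that `$client_flags` is initialized before this block and passed on afterwards, add a one-line comment, and align the indentation.
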
> diff -ruN original/libraries/plugins/auth/AuthenticationCookie.php
> working/libraries/plugins/auth/AuthenticationCookie.php
> --- original/libraries/plugins/auth/AuthenticationCookie.php  
>  2016-05-25 19:07:44.000000000 +0200
> +++ working/libraries/plugins/auth/AuthenticationCookie.php    
> 2016-05-26 15:56:27.000000000 +0200
> @@ -661,6 +661,7 @@
>       */
>      public static function useOpenSSL()
>      {
> +       return false;

This also makes me think about some sort of OpenSSL problem.

>          return (
>              function_exists('openssl_encrypt')
>              && function_exists('openssl_decrypt')
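
Review bot: the unconditional `return false;` at the top of `useOpenSSL()` makes the `function_exists('openssl_encrypt')` check below it unreachable, so every installation would stop using OpenSSL for cookie encryption, not only the ones that hit this error. If it is kept as a workaround, make it conditional (for example only when `$cfg['Server']['ssl']` is enabled) or expose it as a setting, and update the docblock above the function to describe the new behaviour.
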
> diff -ruN original/RELEASE-DATE-4.6.1 working/RELEASE-DATE-4.6.1
> --- original/RELEASE-DATE-4.6.1 1970-01-01 01:00:00.000000000 +0100
> +++ working/RELEASE-DATE-4.6.1  2016-05-02 17:24:00.000000000 +0200
> @@ -0,0 +1 @@
> +Mon May  2 21:23:35 UTC 2016
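
Review bot: `RELEASE-DATE-4.6.1` is created here as a new file, but nothing in it relates to the SSL change; it looks like it was picked up by the recursive `diff -ruN` between the two trees. Drop it from the patch so that only the two PHP files are touched.
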
> 
> Regards,
> Szabolcs
> 
> 

From phpinfo() could you please provide your OpenSSL version? Mine is
1.0.1k.

From the main page of phpMyAdmin, could you please provide "Database
client version", "PHP extension", and "PHP version" information? (Mine
is libmysql - 5.5.49 / mysqli curl mbstring / 5.6.20-0+deb8u1 )

Regards,
Isaac


1 - http://board.phpbuilder.com/showthread.php?10383611-Connecting-PHP-and-MYSQL-using-SSL&s=f12add2a512f61180c75efc107856c04&p=10998575&viewfull=1#post10998575
2 - https://bugs.mysql.com/bug.php?id=64870
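
One way to settle the question raised in this thread, whether the session is really encrypted with and without MYSQLI_CLIENT_SSL, is to ask the server which cipher the session negotiated. This is an added example, not part of the original message and not phpMyAdmin code; the host, account, password and CA path are assumed placeholders, and it needs a reachable MySQL test server configured for SSL.

```php
<?php
// Added diagnostic example; not phpMyAdmin code. All connection values are
// assumed placeholders: replace them with your own test server and account.
const DB_HOST = '127.0.0.1';
const DB_USER = 'ssl_test_user';         // placeholder account that requires SSL
const DB_PASS = 'CHANGE_ME';             // placeholder
const CA_FILE = '/path/to/ca.pem';       // placeholder CA bundle

/**
 * Connect once and report whether the session negotiated TLS.
 * Returns ['ok' => bool, 'cipher' => string, 'error' => string].
 */
function probe_ssl(int $flags): array
{
    mysqli_report(MYSQLI_REPORT_OFF);    // return false instead of throwing
    $link = mysqli_init();
    // Arguments: key, cert, CA file, CA dir, cipher list; null = not used.
    mysqli_ssl_set($link, null, null, CA_FILE, null, null);

    if (!@mysqli_real_connect($link, DB_HOST, DB_USER, DB_PASS, null, 3306, null, $flags)) {
        return ['ok' => false, 'cipher' => '', 'error' => (string) mysqli_connect_error()];
    }
    // An empty Ssl_cipher value means the session is NOT encrypted.
    $cipher = '';
    $res = mysqli_query($link, "SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    if ($res && ($row = mysqli_fetch_assoc($res))) {
        $cipher = (string) $row['Value'];
    }
    mysqli_close($link);
    return ['ok' => true, 'cipher' => $cipher, 'error' => ''];
}

// Compare the two cases discussed in the thread.
foreach (['no flag' => 0, 'MYSQLI_CLIENT_SSL' => MYSQLI_CLIENT_SSL] as $label => $flags) {
    $r = probe_ssl($flags);
    if (!$r['ok']) {
        printf("%-18s connect failed: %s\n", $label, $r['error']);
    } elseif ($r['cipher'] === '') {
        printf("%-18s connected, but session is NOT encrypted\n", $label);
    } else {
        printf("%-18s connected, TLS cipher: %s\n", $label, $r['cipher']);
    }
}
```

A successful login with an empty `Ssl_cipher` is the case to watch for: the connection works but travels in clear text.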


