[phpMyAdmin Developers] Connect with SSL

Kordován Szabolcs koszab at gmail.com
Fri Jun 3 08:50:46 CEST 2016


Hi,

Sorry for the delay.
I forgot the versions:
Database server

Server: fone2 (127.0.0.1 via TCP/IP)
Server type: MySQL
Server version: 5.7.12-0ubuntu1 - (Ubuntu)
Protocol version: 10
User: szabolcs at localhost
Server charset: UTF-8 Unicode (utf8)
Web server

Apache/2.4.18 (Ubuntu)
Database client version: libmysql - mysqlnd 5.0.12-dev - 20150407 - $Id:
f59eb767fe17a6679589b5c076d9fa88d3d4eac0 $
PHP extension: mysqli curl mbstring
PHP version: 7.0.4-7ubuntu2.1

openssl

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.2g-fips 1 Mar 2016
OpenSSL Header Version OpenSSL 1.0.2g-fips 1 Mar 2016
Openssl default config /usr/lib/ssl/openssl.cnf


If you have to authenticate with a certificate, you use mysqli_ssl_set(). In
this case you need a private key and a certificate. But if you only want
secure communication (like https), you don't need these. You only need the
MYSQLI_CLIENT_SSL flag to use SSL.
From mysql log:
2016-06-03T06:02:02.098148Z11604 Connect        szabolcs at xxx.xxx.xxx.xxx on
 using SSL/TLS

Regards,
Szabolcs

> Date: Thu, 2 Jun 2016 09:16:40 -0400
> From: Isaac Bennetch <bennetch at gmail.com>
> To: Developer discussion for phpMyAdmin <developers at phpmyadmin.net>
> Subject: Re: [phpMyAdmin Developers] Connect with SSL
> Message-ID: <dc965fae-89cf-26a0-d22a-c3b7fab3f561 at gmail.com>
> Content-Type: text/plain; charset=utf-8
>
> Hi, thanks for your report and detailed research. Please see below...
>
> On 6/2/16 8:24 AM, Kordován Szabolcs wrote:
> > Hi,
> >
> > I had a problem with secure connection to sql server.
> > I use mysqli extension, I configured server['ssl'] = true. I have a user
> > 'szabolcs' in sql who needs ssl.
> > First I received 'mysqli_real_connect(): (HY000/1045): Access denied for
> > user 'szabolcs'@'localhost' (using password: YES)'.
> > That was why PMA doesn't use MYSQLI_CLIENT_SSL. I should add it to
> > $client_flags.
>
> As far as I'm aware, PHP doesn't need MYSQLI_CLIENT_SSL when calling
> mysql_ssl_set() before mysqli_real_connect(). The current documentation
> doesn't reference this scenario at all, but previous versions did state
> that MYSQLI_CLIENT_SSL was not required here (see, for example, [1]).
>
> > After this I got the following error:'mysqli_query(): SSL operation
> > failed with code 1. OpenSSL Error messages: error:0607A082:digital
> > envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
> > error:0607A082:digital envelope
> > routines:EVP_CIPHER_CTX_set_key_length:invalid key length'.
> >
> > PMA uses openssl functions to encrypt values in the cookie if the openssl
> > functions exist; otherwise PMA uses Crypt\AES. With Crypt\AES PMA works
> > fine.
> > I don't know the exact source of this problem. I think openssl functions
> > have a bug.
>
> There was some incompatibility between MySQL and OpenSSL (see [2]),
> however the error reported was a bit different.
>
> > Because the mysqli connection with ssl is successful. After connection
> > in common.inc.php $auth_plugin->storeUserCredentials() is called. This
> > function stores the username and password and other parameters into
> > cookie. To encrypt:
> > openssl_encrypt(
> >                 $data,
> >                 'AES-128-CBC',
> >                 $secret,
> >                 0,
> >                 $this->_cookie_iv
> >             );
> > I think the problem is that openssl_encrypt changes the cipher to
> > AES-128-CBC globally. It means the cipher of mysqli connection is also
> > modified. This is why mysqli_query failed after encryption.
>
> Interesting.
>
> > Here is my solution:
> >
> > diff -ruN original/libraries/dbi/DBIMysqli.php
> > working/libraries/dbi/DBIMysqli.php
> > --- original/libraries/dbi/DBIMysqli.php        2016-05-25
> > 19:07:44.000000000 +0200
> > +++ working/libraries/dbi/DBIMysqli.php 2016-05-26 15:55:49.000000000
> +0200
> > @@ -152,6 +152,7 @@
> >
> >          /* Optionally enable SSL */
> >          if ($cfg['Server']['ssl']) {
> > +           $client_flags |= MYSQLI_CLIENT_SSL;
> >              mysqli_ssl_set(
> >                  $link,
> >                  $cfg['Server']['ssl_key'],
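Review bot: The added `$client_flags |= MYSQLI_CLIENT_SSL;` line relies on `$client_flags` already being initialised above line 152, which this hunk does not show; please confirm that, and add a short comment saying why the flag is set in addition to the mysqli_ssl_set() call, since the reply in this thread questions whether it is required. The new line also appears to be indented one column short of the `mysqli_ssl_set(` call below it.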
> > diff -ruN original/libraries/plugins/auth/AuthenticationCookie.php
> > working/libraries/plugins/auth/AuthenticationCookie.php
> > --- original/libraries/plugins/auth/AuthenticationCookie.php
> >  2016-05-25 19:07:44.000000000 +0200
> > +++ working/libraries/plugins/auth/AuthenticationCookie.php
> > 2016-05-26 15:56:27.000000000 +0200
> > @@ -661,6 +661,7 @@
> >       */
> >      public static function useOpenSSL()
> >      {
> > +       return false;
>
> This also makes me think about some sort of OpenSSL problem.
>
> >          return (
> >              function_exists('openssl_encrypt')
> >              && function_exists('openssl_decrypt')
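Review bot: The unconditional `return false;` at the top of useOpenSSL() makes the `function_exists('openssl_encrypt')` check below it unreachable and switches the OpenSSL path off for every installation, not only those that connect to MySQL over SSL. As a workaround it should at least be conditional (for example on `$cfg['Server']['ssl']`) or controlled by a setting, and the dead code after it should not be left in place.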
> > diff -ruN original/RELEASE-DATE-4.6.1 working/RELEASE-DATE-4.6.1
> > --- original/RELEASE-DATE-4.6.1 1970-01-01 01:00:00.000000000 +0100
> > +++ working/RELEASE-DATE-4.6.1  2016-05-02 17:24:00.000000000 +0200
> > @@ -0,0 +1 @@
> > +Mon May  2 21:23:35 UTC 2016
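Review bot: The new RELEASE-DATE-4.6.1 file is unrelated to the SSL change and looks like a release artifact picked up by the recursive diff; it should be dropped from the patch.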
> >
> > Regards,
> > Szabolcs
> >
> >
>
> From phpinfo() could you please provide your OpenSSL version? Mine is
> 1.0.1k.
>
> From the main page of phpMyAdmin, could you please provide "Database
> client version", "PHP extension", and "PHP version" information? (Mine
> is libmysql - 5.5.49 / mysqli curl mbstring / 5.6.20-0+deb8u1 )
>
> Regards,
> Isaac
>
>
> 1 - http://board.phpbuilder.com/showthread.php?10383611-Connecting-PHP-and-MYSQL-using-SSL&s=f12add2a512f61180c75efc107856c04&p=10998575&viewfull=1#post10998575
> 2 - https://bugs.mysql.com/bug.php?id=64870
>
>
>
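The distinction drawn in the message above (mysqli_ssl_set() for certificate authentication, the MYSQLI_CLIENT_SSL flag alone for an encrypted session), as an added example that is not part of the original post or of phpMyAdmin. The helper name connect_tls(), the host and the password are assumptions; the session is checked after connecting so that an unencrypted fallback is rejected.

```php
<?php
// Added example, not phpMyAdmin code. Host, user and password are
// placeholders; the array keys mirror the ssl_key / ssl_cert / ssl_ca
// settings named in the thread.

/**
 * Open a mysqli connection that must be encrypted, and fail closed if the
 * server did not actually negotiate TLS.
 */
function connect_tls(string $host, string $user, string $pass, array $ssl = []): mysqli
{
    $link  = mysqli_init();
    $flags = MYSQLI_CLIENT_SSL; // request TLS even without a client certificate

    // Only needed when the account authenticates with a client certificate
    // or when a CA file is supplied.
    if (!empty($ssl['ssl_key']) || !empty($ssl['ssl_ca'])) {
        mysqli_ssl_set(
            $link,
            $ssl['ssl_key']  ?? null,
            $ssl['ssl_cert'] ?? null,
            $ssl['ssl_ca']   ?? null,
            null, // capath
            null  // cipher list
        );
    }

    if (!mysqli_real_connect($link, $host, $user, $pass, null, 3306, null, $flags)) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }

    // Ssl_cipher is empty when the session is not encrypted.
    $result = mysqli_query($link, "SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    $row    = mysqli_fetch_assoc($result);
    if (empty($row['Value'])) {
        mysqli_close($link);
        throw new RuntimeException('connection is not encrypted');
    }
    return $link;
}

// Encryption only, no client certificate (placeholder credentials).
$link = connect_tls('db.example.test', 'szabolcs', 'placeholder-password');
```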