[phpMyAdmin Developers] Connect with SSL

Isaac Bennetch bennetch at gmail.com
Thu Jun 9 05:15:41 CEST 2016 

Hello Kordován Szabolcs,

As noted in the issue tracker at
https://github.com/phpmyadmin/phpmyadmin/issues/12293 Michal has made
some improvements here.

Would you be able to test these changes and report back if it helps the
situation? If you don't use the git version, you can download an updated
snapshot from https://github.com/phpmyadmin/phpmyadmin/archive/master.zip

Thanks
Isaac

On 6/4/16 4:45 PM, Isaac Bennetch wrote:
> I think it's easier to track this in the issue tracker than on the
> mailing list, so we can track progress as a team. I've opened an issue
> at https://github.com/phpmyadmin/phpmyadmin/issues/12293
> 
> On 6/3/16 2:50 AM, Kordován Szabolcs wrote:
>> Hi,
>>
>> Sorry for delay.
>> I forgot the versions:
>> Database server
>>
>> Server: fone2 (127.0.0.1 via TCP/IP)
>> Server type: MySQL
>> Server version: 5.7.12-0ubuntu1 - (Ubuntu)
>> Protocol version: 10
>> User: szabolcs at localhost
>> Server charset: UTF-8 Unicode (utf8)
>> Web server
>>
>> Apache/2.4.18 (Ubuntu)
>> Database client version: libmysql - mysqlnd 5.0.12-dev - 20150407 - $Id:
>> f59eb767fe17a6679589b5c076d9fa88d3d4eac0 $
>> PHP extension: mysqli curl mbstring
>> PHP version: 7.0.4-7ubuntu2.1
>>
>> openssl
>>
>> OpenSSL supportenabled
>> OpenSSL Library VersionOpenSSL 1.0.2g-fips 1 Mar 2016
>> OpenSSL Header VersionOpenSSL 1.0.2g-fips 1 Mar 2016
>> Openssl default config/usr/lib/ssl/openssl.cnf
>>
>>
>> If you have to authenticate with certification you use mysqli_ssl_set().
>> In this case you need private key and certification. But if you want
>> only a secure communication (like https) you don't need these. Only need
>> mysqli_client_ssl flag to use ssl.
>> From mysql log:
>> 2016-06-03T06:02:02.098148Z11604 Connect        szabolcs at xxx.xxx.xxx.xxx
>> on  using SSL/TLS
>>
>> Regards,
>> Szabolcs
>>
>>     Date: Thu, 2 Jun 2016 09:16:40 -0400
>>     From: Isaac Bennetch <bennetch at gmail.com <mailto:bennetch at gmail.com>>
>>     To: Developer discussion for phpMyAdmin <developers at phpmyadmin.net
>>     <mailto:developers at phpmyadmin.net>>
>>     Subject: Re: [phpMyAdmin Developers] Connect with SSL
>>     Message-ID: <dc965fae-89cf-26a0-d22a-c3b7fab3f561 at gmail.com
>>     <mailto:dc965fae-89cf-26a0-d22a-c3b7fab3f561 at gmail.com>>
>>     Content-Type: text/plain; charset=utf-8
>>
>>     Hi, thanks for your report and detailed research. Please see below...
>>
>>     On 6/2/16 8:24 AM, Kordován Szabolcs wrote:
>>     > Hi,
>>     >
>>     > I had a problem with secure connection to sql server.
>>     > I use mysqli extension, I configured server['ssl'] = true. I have
>>     a user
>>     > 'szabolcs' in sql who needs ssl.
>>     > First I received 'mysqli_real_connect(): (HY000/1045): Access
>>     denied for
>>     > user 'szabolcs'@'localhost' (using password: YES)'.
>>     > That was why PMA doesn't use MYSQLI_CLIENT_SSL. I should add it to
>>     > $client_flags.
>>
>>     As far as I'm aware, PHP doesn't need MYSQLI_CLIENT_SSL when calling
>>     mysql_ssl_set() before mysqli_real_connect(). The current documentation
>>     doesn't reference this scenario at all, but previous versions did state
>>     that MYSQLI_CLIENT_SSL was not required here (see, for example, [1]).
>>
>>     > After this I got the following error:'mysqli_query(): SSL operation
>>     > failed with code 1. OpenSSL Error messages: error:0607A082:digital
>>     > envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
>>     > error:0607A082:digital envelope
>>     > routines:EVP_CIPHER_CTX_set_key_length:invalid key length'.
>>     >
>>     > PMA uses openssel functions to encrypt values in cookie if openssl
>>     > functions exist, other case PMA uses Crypt\AES. With Crypt\AES PMA
>>     works
>>     > fine.
>>     > I don't know the exact source of this problem. I think openssl
>>     functions
>>     > have a bug.
>>
>>     There was some incompatibility between MySQL and OpenSSL (see [2]),
>>     however the error reported was a bit different.
>>
>>     > Because the mysqli connection with ssl is successful  After connection
>>     > in common.inc.php $auth_plugin->storeUserCredentials() is called. This
>>     > function stores the username and password and other parameters into
>>     > cookie. To encrypt:
>>     > openssl_encrypt(
>>     >                 $data,
>>     >                 'AES-128-CBC',
>>     >                 $secret,
>>     >                 0,
>>     >                 $this->_cookie_iv
>>     >             );
>>     > I think the problem is that openssl_encrypt change the cipher to
>>     > AES-128-CBC globally. It means the cipher of mysqli connection is also
>>     > modified. This is why mysqli_query failed after encryption.
>>
>>     Interesting.
>>
>>     > Here is my solution:
>>     >
>>     > diff -ruN original/libraries/dbi/DBIMysqli.php
>>     > working/libraries/dbi/DBIMysqli.php
>>     > --- original/libraries/dbi/DBIMysqli.php        2016-05-25
>>     > 19:07:44.000000000 +0200
>>     > +++ working/libraries/dbi/DBIMysqli.php 2016-05-26
>>     15:55:49.000000000 +0200
>>     > @@ -152,6 +152,7 @@
>>     >
>>     >          /* Optionally enable SSL */
>>     >          if ($cfg['Server']['ssl']) {
>>     > +           $client_flags |= MYSQLI_CLIENT_SSL;
>>     >              mysqli_ssl_set(
>>     >                  $link,
>>     >                  $cfg['Server']['ssl_key'],
>>     > diff -ruN original/libraries/plugins/auth/AuthenticationCookie.php
>>     > working/libraries/plugins/auth/AuthenticationCookie.php
>>     > --- original/libraries/plugins/auth/AuthenticationCookie.php
>>     >  2016-05-25 19:07:44.000000000 +0200
>>     > +++ working/libraries/plugins/auth/AuthenticationCookie.php
>>     > 2016-05-26 15:56:27.000000000 +0200
>>     > @@ -661,6 +661,7 @@
>>     >       */
>>     >      public static function useOpenSSL()
>>     >      {
>>     > +       return false;
>>
>>     This also makes me think about some sort of OpenSSL problem.
>>
>>     >          return (
>>     >              function_exists('openssl_encrypt')
>>     >              && function_exists('openssl_decrypt')
>>     > diff -ruN original/RELEASE-DATE-4.6.1 working/RELEASE-DATE-4.6.1
>>     > --- original/RELEASE-DATE-4.6.1 1970-01-01 01:00:00.000000000 +0100
>>     > +++ working/RELEASE-DATE-4.6.1  2016-05-02 17:24:00.000000000 +0200
>>     > @@ -0,0 +1 @@
>>     > +Mon May  2 21:23:35 UTC 2016
>>     >
>>     > Regards,
>>     > Szabolcs
>>     >
>>     >
>>     > _______________________________________________
>>     > Developers mailing list
>>     > Developers at phpmyadmin.net <mailto:Developers at phpmyadmin.net>
>>     > https://lists.phpmyadmin.net/mailman/listinfo/developers
>>
>>     >From phpinfo() could you please provide your OpenSSL version? Mine is
>>     1.0.1k.
>>
>>     >From the main page of phpMyAdmin, could you please provide "Database
>>     client version", "PHP extension", and "PHP version" information? (Mine
>>     is libmysql - 5.5.49 / mysqli curl mbstring / 5.6.20-0+deb8u1 )
>>
>>     Regards,
>>     Isaac
>>
>>
>>     1 -
>>     http://board.phpbuilder.com/showthread.php?10383611-Connecting-PHP-and-MYSQL-using-SSL&s=f12add2a512f61180c75efc107856c04&p=10998575&viewfull=1#post10998575
>>     2 - https://bugs.mysql.com/bug.php?id=64870
>>
>>
>>
>>
>>
>> _______________________________________________
>> Developers mailing list
>> Developers at phpmyadmin.net
>> https://lists.phpmyadmin.net/mailman/listinfo/developers
>>

More information about the Developers mailing list