[phpMyAdmin Developers] Connect with SSL
Kordován Szabolcs
koszab at gmail.com
Thu Jun 9 14:19:39 CEST 2016
Hello,
I tested this dev version and it works fine.
Thanks.
Regards,
Szabolcs
2016-06-09 5:15 GMT+02:00 Isaac Bennetch <bennetch at gmail.com>:
> Hello Kordován Szabolcs,
>
> As noted in the issue tracker at
> https://github.com/phpmyadmin/phpmyadmin/issues/12293 Michal has made
> some improvements here.
>
> Would you be able to test these changes and report back if it helps the
> situation? If you don't use the git version, you can download an updated
> snapshot from https://github.com/phpmyadmin/phpmyadmin/archive/master.zip
>
> Thanks
> Isaac
>
> On 6/4/16 4:45 PM, Isaac Bennetch wrote:
> > I think it's easier to track this in the issue tracker than on the
> > mailing list, so we can track progress as a team. I've opened an issue
> > at https://github.com/phpmyadmin/phpmyadmin/issues/12293
> >
> > On 6/3/16 2:50 AM, Kordován Szabolcs wrote:
> >> Hi,
> >>
> >> Sorry for delay.
> >> I forgot the versions:
> >> Database server
> >>
> >> Server: fone2 (127.0.0.1 via TCP/IP)
> >> Server type: MySQL
> >> Server version: 5.7.12-0ubuntu1 - (Ubuntu)
> >> Protocol version: 10
> >> User: szabolcs at localhost
> >> Server charset: UTF-8 Unicode (utf8)
> >> Web server
> >>
> >> Apache/2.4.18 (Ubuntu)
> >> Database client version: libmysql - mysqlnd 5.0.12-dev - 20150407 - $Id:
> >> f59eb767fe17a6679589b5c076d9fa88d3d4eac0 $
> >> PHP extension: mysqli curl mbstring
> >> PHP version: 7.0.4-7ubuntu2.1
> >>
> >> openssl
> >>
> >> OpenSSL support: enabled
> >> OpenSSL Library Version: OpenSSL 1.0.2g-fips 1 Mar 2016
> >> OpenSSL Header Version: OpenSSL 1.0.2g-fips 1 Mar 2016
> >> Openssl default config: /usr/lib/ssl/openssl.cnf
> >>
> >>
> >> If you have to authenticate with a certificate you use mysqli_ssl_set().
> >> In this case you need a private key and a certificate. But if you want
> >> only secure communication (like https) you don't need these. You only
> >> need the mysqli_client_ssl flag to use ssl.
> >> From mysql log:
> >> 2016-06-03T06:02:02.098148Z11604 Connect szabolcs at xxx.xxx.xxx.xxx
> >> on using SSL/TLS
> >>
> >> Regards,
> >> Szabolcs
> >>
> >> Date: Thu, 2 Jun 2016 09:16:40 -0400
> >> From: Isaac Bennetch <bennetch at gmail.com>
> >> To: Developer discussion for phpMyAdmin <developers at phpmyadmin.net>
> >> Subject: Re: [phpMyAdmin Developers] Connect with SSL
> >> Message-ID: <dc965fae-89cf-26a0-d22a-c3b7fab3f561 at gmail.com>
> >> Content-Type: text/plain; charset=utf-8
> >>
> >> Hi, thanks for your report and detailed research. Please see below...
> >>
> >> On 6/2/16 8:24 AM, Kordován Szabolcs wrote:
> >> > Hi,
> >> >
> >> > I had a problem with secure connection to sql server.
> >> > I use mysqli extension, I configured server['ssl'] = true. I have a
> >> > user 'szabolcs' in sql who needs ssl.
> >> > First I received 'mysqli_real_connect(): (HY000/1045): Access denied
> >> > for user 'szabolcs'@'localhost' (using password: YES)'.
> >> > That was why PMA doesn't use MYSQLI_CLIENT_SSL. I should add it to
> >> > $client_flags.
> >>
> >> As far as I'm aware, PHP doesn't need MYSQLI_CLIENT_SSL when calling
> >> mysql_ssl_set() before mysqli_real_connect(). The current documentation
> >> doesn't reference this scenario at all, but previous versions did state
> >> that MYSQLI_CLIENT_SSL was not required here (see, for example, [1]).
> >>
> >> > After this I got the following error: 'mysqli_query(): SSL operation
> >> > failed with code 1. OpenSSL Error messages: error:0607A082:digital
> >> > envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
> >> > error:0607A082:digital envelope
> >> > routines:EVP_CIPHER_CTX_set_key_length:invalid key length'.
> >> >
> >> > PMA uses openssl functions to encrypt values in cookie if openssl
> >> > functions exist, other case PMA uses Crypt\AES. With Crypt\AES PMA
> >> > works fine.
> >> > I don't know the exact source of this problem. I think openssl
> >> > functions have a bug.
> >>
> >> There was some incompatibility between MySQL and OpenSSL (see [2]),
> >> however the error reported was a bit different.
> >>
> >> > Because the mysqli connection with ssl is successful After connection
> >> > in common.inc.php $auth_plugin->storeUserCredentials() is called. This
> >> > function stores the username and password and other parameters into
> >> > cookie. To encrypt:
> >> > openssl_encrypt(
> >> > $data,
> >> > 'AES-128-CBC',
> >> > $secret,
> >> > 0,
> >> > $this->_cookie_iv
> >> > );
> >> > I think the problem is that openssl_encrypt changes the cipher to
> >> > AES-128-CBC globally. It means the cipher of mysqli connection is also
> >> > modified. This is why mysqli_query failed after encryption.
> >>
> >> Interesting.
> >>
> >> > Here is my solution:
> >> >
> >> > diff -ruN original/libraries/dbi/DBIMysqli.php
> >> > working/libraries/dbi/DBIMysqli.php
> >> > --- original/libraries/dbi/DBIMysqli.php 2016-05-25
> >> > 19:07:44.000000000 +0200
> >> > +++ working/libraries/dbi/DBIMysqli.php 2016-05-26
> >> 15:55:49.000000000 +0200
> >> > @@ -152,6 +152,7 @@
> >> >
> >> > /* Optionally enable SSL */
> >> > if ($cfg['Server']['ssl']) {
> >> > + $client_flags |= MYSQLI_CLIENT_SSL;
> >> > mysqli_ssl_set(
> >> > $link,
> >> > $cfg['Server']['ssl_key'],
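Review bot: the added $client_flags |= MYSQLI_CLIENT_SSL; at the top of the if ($cfg['Server']['ssl']) block requests TLS, but the mysqli_ssl_set() call right after it still runs unconditionally with $cfg['Server']['ssl_key'], which may be unset when only an encrypted channel is wanted. Consider calling mysqli_ssl_set() only when a key, certificate or CA is actually configured, and add a comment above the new line saying the flag is what enables TLS when no key material is given, so a later reader does not remove it as redundant.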
> >> > diff -ruN original/libraries/plugins/auth/AuthenticationCookie.php
> >> > working/libraries/plugins/auth/AuthenticationCookie.php
> >> > --- original/libraries/plugins/auth/AuthenticationCookie.php
> >> > 2016-05-25 19:07:44.000000000 +0200
> >> > +++ working/libraries/plugins/auth/AuthenticationCookie.php
> >> > 2016-05-26 15:56:27.000000000 +0200
> >> > @@ -661,6 +661,7 @@
> >> > */
> >> > public static function useOpenSSL()
> >> > {
> >> > + return false;
> >>
> >> This also makes me think about some sort of OpenSSL problem.
> >>
> >> > return (
> >> > function_exists('openssl_encrypt')
> >> > && function_exists('openssl_decrypt')
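Review bot: the unconditional return false; added as the first statement of useOpenSSL() makes the original return ( function_exists('openssl_encrypt') && function_exists('openssl_decrypt') ... expression below it unreachable, and it switches every installation away from the OpenSSL cookie-encryption path, not only those that connect to MySQL over TLS. If this is meant as a workaround, gate it on a condition or a configuration option instead of hard-coding it, remove the dead code, and update the docblock to say why OpenSSL is skipped.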
> >> > diff -ruN original/RELEASE-DATE-4.6.1 working/RELEASE-DATE-4.6.1
> >> > --- original/RELEASE-DATE-4.6.1 1970-01-01 01:00:00.000000000
> +0100
> >> > +++ working/RELEASE-DATE-4.6.1 2016-05-02 17:24:00.000000000
> +0200
> >> > @@ -0,0 +1 @@
> >> > +Mon May 2 21:23:35 UTC 2016
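Review bot: RELEASE-DATE-4.6.1 is created from nothing (the original side is dated 1970-01-01) and contains only a timestamp, so it looks like a release artifact that diff -ruN picked up rather than part of the fix. Drop this file from the patch so it carries only the DBIMysqli.php and AuthenticationCookie.php changes.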
> >> >
> >> > Regards,
> >> > Szabolcs
> >> >
> >> >
> >> > _______________________________________________
> >> > Developers mailing list
> >> > Developers at phpmyadmin.net <mailto:Developers at phpmyadmin.net>
> >> > https://lists.phpmyadmin.net/mailman/listinfo/developers
> >>
> >> From phpinfo() could you please provide your OpenSSL version? Mine is
> >> 1.0.1k.
> >>
> >> From the main page of phpMyAdmin, could you please provide "Database
> >> client version", "PHP extension", and "PHP version" information? (Mine
> >> is libmysql - 5.5.49 / mysqli curl mbstring / 5.6.20-0+deb8u1 )
> >>
> >> Regards,
> >> Isaac
> >>
> >>
> >> 1 - http://board.phpbuilder.com/showthread.php?10383611-Connecting-PHP-and-MYSQL-using-SSL&s=f12add2a512f61180c75efc107856c04&p=10998575&viewfull=1#post10998575
> >> 2 - https://bugs.mysql.com/bug.php?id=64870
> >>
>
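The thread distinguishes an encryption-only connection (just the MYSQLI_CLIENT_SSL flag) from one that also passes key material through mysqli_ssl_set(). The sketch below is an added example, not phpMyAdmin code or part of any message above: it covers both cases and then checks that the session really negotiated TLS. The function names, the DB_* environment variables and the $cfg keys are assumptions, and it needs a reachable MySQL server.

```php
<?php
// Added example, not phpMyAdmin code. Host, account and CA path come from
// hypothetical environment variables (DB_HOST, DB_USER, DB_PASS, DB_SSL_CA).

/**
 * Connect with TLS. With no key/cert/CA configured only the client flag is
 * set (encryption-only); otherwise mysqli_ssl_set() supplies the material.
 */
function connect_tls(array $cfg): mysqli
{
    $link  = mysqli_init();
    $flags = MYSQLI_CLIENT_SSL;            // request TLS in every case

    $key  = $cfg['ssl_key']  ?? null;
    $cert = $cfg['ssl_cert'] ?? null;
    $ca   = $cfg['ssl_ca']   ?? null;
    if ($key !== null || $cert !== null || $ca !== null) {
        // Client-certificate authentication and/or a CA for the server cert.
        mysqli_ssl_set($link, $key, $cert, $ca, null, null);
    }

    if (!mysqli_real_connect($link, $cfg['host'], $cfg['user'], $cfg['password'],
                             null, 3306, null, $flags)) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    return $link;
}

/** Return the negotiated cipher, or '' when the session is not encrypted. */
function session_cipher(mysqli $link): string
{
    $res = mysqli_query($link, "SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    $row = $res ? mysqli_fetch_assoc($res) : null;
    return $row['Value'] ?? '';
}

$link = connect_tls([
    'host'     => getenv('DB_HOST') ?: '127.0.0.1',
    'user'     => getenv('DB_USER') ?: 'szabolcs',
    'password' => getenv('DB_PASS') ?: '',
    'ssl_ca'   => getenv('DB_SSL_CA') ?: null,
]);

$cipher = session_cipher($link);
if ($cipher === '') {
    // Fail closed instead of continuing to work over a plaintext session.
    mysqli_close($link);
    throw new RuntimeException('connection is not using TLS');
}
echo "TLS session established, cipher: $cipher\n";
```

An empty Ssl_cipher value means the server accepted the session without encryption, which is the condition the thread's MySQL log line ("using SSL/TLS") confirms from the server side.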