[phpMyAdmin Developers] Connect with SSL

Isaac Bennetch bennetch at gmail.com
Thu Jun 9 16:47:38 CEST 2016


Hi Szabolcs,

Thanks for your report!

Best wishes,
Isaac

On 6/9/16 8:19 AM, Kordován Szabolcs wrote:
> Hello,
> 
> I tested this dev version and it works fine.
> 
> Thanks.
> 
> Regards,
> Szabolcs
> 
> 2016-06-09 5:15 GMT+02:00 Isaac Bennetch <bennetch at gmail.com>:
> 
>     Hello Kordován Szabolcs,
> 
>     As noted in the issue tracker at
>     https://github.com/phpmyadmin/phpmyadmin/issues/12293 Michal has made
>     some improvements here.
> 
>     Would you be able to test these changes and report back if it helps the
>     situation? If you don't use the git version, you can download an updated
>     snapshot from
>     https://github.com/phpmyadmin/phpmyadmin/archive/master.zip
> 
>     Thanks
>     Isaac
> 
>     On 6/4/16 4:45 PM, Isaac Bennetch wrote:
>     > I think it's easier to track this in the issue tracker than on the
>     > mailing list, so we can track progress as a team. I've opened an issue
>     > at https://github.com/phpmyadmin/phpmyadmin/issues/12293
>     >
>     > On 6/3/16 2:50 AM, Kordován Szabolcs wrote:
>     >> Hi,
>     >>
>     >> Sorry for the delay.
>     >> I forgot the versions:
>     >> Database server
>     >>
>     >> Server: fone2 (127.0.0.1 via TCP/IP)
>     >> Server type: MySQL
>     >> Server version: 5.7.12-0ubuntu1 - (Ubuntu)
>     >> Protocol version: 10
>     >> User: szabolcs at localhost
>     >> Server charset: UTF-8 Unicode (utf8)
>     >> Web server
>     >>
>     >> Apache/2.4.18 (Ubuntu)
>     >> Database client version: libmysql - mysqlnd 5.0.12-dev - 20150407 - $Id: f59eb767fe17a6679589b5c076d9fa88d3d4eac0 $
>     >> PHP extension: mysqli curl mbstring
>     >> PHP version: 7.0.4-7ubuntu2.1
>     >>
>     >> openssl
>     >>
>     >> OpenSSL support: enabled
>     >> OpenSSL Library Version: OpenSSL 1.0.2g-fips 1 Mar 2016
>     >> OpenSSL Header Version: OpenSSL 1.0.2g-fips 1 Mar 2016
>     >> Openssl default config: /usr/lib/ssl/openssl.cnf
>     >>
>     >>
>     >> If you have to authenticate with a certificate you use mysqli_ssl_set().
>     >> In this case you need a private key and certificate. But if you want
>     >> only secure communication (like https) you don't need these. You only
>     >> need the mysqli_client_ssl flag to use ssl.
>     >> From the mysql log:
>     >> 2016-06-03T06:02:02.098148Z11604 Connect       szabolcs at xxx.xxx.xxx.xxx on  using SSL/TLS
>     >>
>     >> Regards,
>     >> Szabolcs
>     >>
>     >>     Date: Thu, 2 Jun 2016 09:16:40 -0400
>     >>     From: Isaac Bennetch <bennetch at gmail.com>
>     >>     To: Developer discussion for phpMyAdmin <developers at phpmyadmin.net>
>     >>     Subject: Re: [phpMyAdmin Developers] Connect with SSL
>     >>     Message-ID: <dc965fae-89cf-26a0-d22a-c3b7fab3f561 at gmail.com>
>     >>     Content-Type: text/plain; charset=utf-8
>     >>
>     >>     Hi, thanks for your report and detailed research. Please see below...
>     >>
>     >>     On 6/2/16 8:24 AM, Kordován Szabolcs wrote:
>     >>     > Hi,
>     >>     >
>     >>     > I had a problem with a secure connection to the sql server.
>     >>     > I use the mysqli extension, I configured server['ssl'] = true. I have
>     >>     > a user 'szabolcs' in sql who needs ssl.
>     >>     > First I received 'mysqli_real_connect(): (HY000/1045): Access denied for
>     >>     > user 'szabolcs'@'localhost' (using password: YES)'.
>     >>     > That was because PMA doesn't use MYSQLI_CLIENT_SSL. I should add it to
>     >>     > $client_flags.
>     >>
>     >>     As far as I'm aware, PHP doesn't need MYSQLI_CLIENT_SSL when calling
>     >>     mysqli_ssl_set() before mysqli_real_connect(). The current documentation
>     >>     doesn't reference this scenario at all, but previous versions did state
>     >>     that MYSQLI_CLIENT_SSL was not required here (see, for example, [1]).
>     >>
>     >>     > After this I got the following error: 'mysqli_query(): SSL operation
>     >>     > failed with code 1. OpenSSL Error messages:
>     >>     > error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
>     >>     > error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length'.
>     >>     >
>     >>     > PMA uses openssl functions to encrypt values in the cookie if the openssl
>     >>     > functions exist; otherwise PMA uses Crypt\AES. With Crypt\AES PMA works
>     >>     > fine.
>     >>     > I don't know the exact source of this problem. I think the openssl
>     >>     > functions have a bug.
>     >>
>     >>     There was some incompatibility between MySQL and OpenSSL (see [2]),
>     >>     however the error reported was a bit different.
>     >>
>     >>     > Because the mysqli connection with ssl is successful. After connection,
>     >>     > in common.inc.php $auth_plugin->storeUserCredentials() is called. This
>     >>     > function stores the username and password and other parameters into the
>     >>     > cookie. To encrypt:
>     >>     > openssl_encrypt(
>     >>     >     $data,
>     >>     >     'AES-128-CBC',
>     >>     >     $secret,
>     >>     >     0,
>     >>     >     $this->_cookie_iv
>     >>     > );
>     >>     > I think the problem is that openssl_encrypt changes the cipher to
>     >>     > AES-128-CBC globally. It means the cipher of the mysqli connection is also
>     >>     > modified. This is why mysqli_query failed after encryption.
>     >>
>     >>     Interesting.
>     >>
>     >>     > Here is my solution:
>     >>     >
>     >>     > diff -ruN original/libraries/dbi/DBIMysqli.php
>     >>     > working/libraries/dbi/DBIMysqli.php
>     >>     > --- original/libraries/dbi/DBIMysqli.php        2016-05-25
>     >>     > 19:07:44.000000000 +0200
>     >>     > +++ working/libraries/dbi/DBIMysqli.php 2016-05-26
>     >>     15:55:49.000000000 +0200
>     >>     > @@ -152,6 +152,7 @@
>     >>     >
>     >>     >          /* Optionally enable SSL */
>     >>     >          if ($cfg['Server']['ssl']) {
>     >>     > +           $client_flags |= MYSQLI_CLIENT_SSL;
>     >>     >              mysqli_ssl_set(
>     >>     >                  $link,
>     >>     >                  $cfg['Server']['ssl_key'],
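Review bot: the added `$client_flags |= MYSQLI_CLIENT_SSL;` line is indented one column short of the surrounding block, and it carries no comment saying why the flag is needed in addition to the `mysqli_ssl_set()` call that follows it; since this thread itself records that earlier documentation said the flag is not required in that case, a one-line comment (or a reference to the tracker issue) explaining that the flag was needed to obtain an SSL/TLS session with this client library would spare the next reader the same investigation.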
>     >>     > diff -ruN
>     original/libraries/plugins/auth/AuthenticationCookie.php
>     >>     > working/libraries/plugins/auth/AuthenticationCookie.php
>     >>     > --- original/libraries/plugins/auth/AuthenticationCookie.php
>     >>     >  2016-05-25 19:07:44.000000000 +0200
>     >>     > +++ working/libraries/plugins/auth/AuthenticationCookie.php
>     >>     > 2016-05-26 15:56:27.000000000 +0200
>     >>     > @@ -661,6 +661,7 @@
>     >>     >       */
>     >>     >      public static function useOpenSSL()
>     >>     >      {
>     >>     > +       return false;
>     >>
>     >>     This also makes me think about some sort of OpenSSL problem.
>     >>
>     >>     >          return (
>     >>     >              function_exists('openssl_encrypt')
>     >>     >              && function_exists('openssl_decrypt')
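Review bot: the `return false;` inserted at the top of `useOpenSSL()` leaves the existing `return ( function_exists('openssl_encrypt') && ...` expression unreachable dead code and forces the non-OpenSSL fallback for every installation, not only the affected one; that is fine as a diagnostic to confirm the openssl_encrypt() theory, but a mergeable change should either remove the now-dead expression or gate the fallback on configuration, and preferably address the openssl_encrypt() failure itself rather than disable the code path.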
>     >>     > diff -ruN original/RELEASE-DATE-4.6.1
>     working/RELEASE-DATE-4.6.1
>     >>     > --- original/RELEASE-DATE-4.6.1 1970-01-01
>     01:00:00.000000000 +0100
>     >>     > +++ working/RELEASE-DATE-4.6.1  2016-05-02
>     17:24:00.000000000 +0200
>     >>     > @@ -0,0 +1 @@
>     >>     > +Mon May  2 21:23:35 UTC 2016
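Review bot: the `RELEASE-DATE-4.6.1` file addition is a release artefact unrelated to the SSL fix and should be dropped from the patch, otherwise a snapshot timestamp lands alongside the two functional changes.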
>     >>     >
>     >>     > Regards,
>     >>     > Szabolcs
>     >>     >
>     >>     >
>     >>     > _______________________________________________
>     >>     > Developers mailing list
>     >>     > Developers at phpmyadmin.net
>     >>     > https://lists.phpmyadmin.net/mailman/listinfo/developers
>     >>
>     >>     From phpinfo() could you please provide your OpenSSL version? Mine is
>     >>     1.0.1k.
>     >>
>     >>     From the main page of phpMyAdmin, could you please provide "Database
>     >>     client version", "PHP extension", and "PHP version" information? (Mine
>     >>     is libmysql - 5.5.49 / mysqli curl mbstring / 5.6.20-0+deb8u1 )
>     >>
>     >>     Regards,
>     >>     Isaac
>     >>
>     >>
>     >>     1 - http://board.phpbuilder.com/showthread.php?10383611-Connecting-PHP-and-MYSQL-using-SSL&s=f12add2a512f61180c75efc107856c04&p=10998575&viewfull=1#post10998575
>     >>     2 - https://bugs.mysql.com/bug.php?id=64870
>     >>
> 
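As an added example (not phpMyAdmin's code, and not the change that landed in the tracker issue), the following PHP 7.1+ snippet shows the two checks the thread above points to: giving openssl_encrypt() a key of exactly the cipher's key size, and draining the OpenSSL error queue after the call so a stale error cannot surface from a later OpenSSL-backed call such as mysqli_query() over TLS. The function and constant names, the secret and the cookie payload are all constructed for the example, and the ciphertext is additionally authenticated with an HMAC, which the snippet in the thread is not.

```php
<?php
// Added example, not phpMyAdmin code. It shows (1) handing openssl_encrypt() a
// key of exactly the cipher's key size, so OpenSSL never raises "invalid key
// length", and (2) draining the OpenSSL error queue after each call, so a stale
// error cannot surface from a later OpenSSL-backed call such as mysqli_query().

const COOKIE_CIPHER = 'AES-128-CBC';   // 16-byte key, 16-byte IV

// Derive fixed-length encryption and MAC keys from a secret of arbitrary length.
function cookieKeys(string $secret): array {
    $enc = substr(hash('sha256', 'enc|' . $secret, true), 0, 16);
    $mac = hash('sha256', 'mac|' . $secret, true);
    return [$enc, $mac];
}

// Collect and clear everything currently on the OpenSSL error queue.
function drainOpensslErrors(): array {
    for ($errors = []; ($e = openssl_error_string()) !== false;) { $errors[] = $e; }
    return $errors;
}

function sealCookie(string $plain, string $secret): string {
    [$encKey, $macKey] = cookieKeys($secret);
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plain, COOKIE_CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    $errors = drainOpensslErrors();
    if ($ct === false || $errors !== []) {
        throw new RuntimeException('openssl_encrypt: ' . implode('; ', $errors));
    }
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);   // encrypt-then-MAC
    return base64_encode($iv . $ct . $tag);
}

function openCookie(string $sealed, string $secret): ?string {
    [$encKey, $macKey] = cookieKeys($secret);
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) < 64) {   // IV + one AES block + tag
        return null;
    }
    [$iv, $ct, $tag] = [substr($raw, 0, 16), substr($raw, 16, -32), substr($raw, -32)];
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        return null;   // tampered, or sealed under a different secret
    }
    $plain = openssl_decrypt($ct, COOKIE_CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    drainOpensslErrors();
    return $plain === false ? null : $plain;
}

$secret = 'a configured secret much longer than the 16 bytes AES-128 accepts';
var_dump(openCookie(sealCookie('szabolcs:hunter2', $secret), $secret));
```

Passing the raw configured secret as the key is exactly what triggers the key-length complaint for a cipher with a fixed key size; hashing it down to 16 bytes removes that dependency on how long an administrator made the secret.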
