Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 46340 - php + mysql_real_connect using SSL
Summary: php + mysql_real_connect using SSL
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Development (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: PHP Bugs
Depends on:
Reported: 2004-03-31 03:10 UTC by petre rodan (RETIRED)
Modified: 2004-10-02 13:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

my.cnf reader (4.3.4-mysqlclient.diff,1003 bytes, patch)
2004-03-31 03:11 UTC, petre rodan (RETIRED)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description petre rodan (RETIRED) gentoo-dev 2004-03-31 03:10:19 UTC
I was tring to use SSL-enabled mysql connections using php and mod_php.

The problem was that the libmysql library inside {,mod_}php detects that SSL is needed, but it doesn't know the location of the client certificate.

by simply inserting the following line 
before mysql_real_connect(..) in ext/mysql/php_mysql.c, the my.cnf file is read and all SSL-related configurations are imported from there.

If my problem can be solved in another way, please drop me a line :).

Until then, please see the attached diff, maybe it can be used in the ebuild.

Successfuly tested with php-4.3.4-r4, mod_php-4.3.4-r4, php-5.0_beta1-r1.
Comment 1 petre rodan (RETIRED) gentoo-dev 2004-03-31 03:11:21 UTC
Created attachment 28436 [details, diff]
my.cnf reader
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-03-31 10:11:53 UTC
coredumb: what's your take on this? I haven't played with SSL connections to MySQL before.
Comment 3 petre rodan (RETIRED) gentoo-dev 2004-03-31 11:32:48 UTC
I haven't found any help on this subject on the net :(

Well,  basically one should follow the mysql docs in order to create the certificates on both the server and the client, issue a special grant on the server (with REQUIRE misc ssl options), and then modify the my.cnf files on both machines.

the grant must contain 'subject' and 'issuer' fileds exactly as shown by 

`openssl x509 -in client-cert.pem -subject` and
`openssl x509 -in client-cert.pem -issuer`

and not like the example from the mysql docs.

a good grant example is here:

grant all privileges on database.* to 'gogu'@'' identified by 'gigi' require subject '/C=RO/ST=NA/L=Bucharest/O=Tehnosistem SA/CN=generic client/' and issuer '/C=RO/ST=NA/L=Bucharest/O=Tehnosistem SA/OU=Certificate Authority/CN=Tehnosistem CA/';

the my.cnf file on the client (that has php and/or mod_php) should contain:

ssl-ca          = /etc/ssl/mysql/cacert.pem
ssl-cert        = /etc/ssl/mysql/client-cert.pem
ssl-key         = /etc/ssl/mysql/client-key.pem

on the server:

ssl-ca 		= /etc/ssl/mysql/cacert.pem
ssl-cert        = /etc/ssl/mysql/server-cert.pem
ssl-key         = /etc/ssl/mysql/server-key.pem

my patch will read the '[client]' configurations before making the actual connection to the server.
ssl will be used automagically once the connection is made. authentication is successfull.

without the patch, ssl REQUIRE is detected, the server certificate is sent by the remote machine, but the php client doesn't have any information regarding the location of certificate files and authentication will always fail.

my php knowledge is almost 0, but I thought maybe my solution would be of some help to others.

Comment 4 petre rodan (RETIRED) gentoo-dev 2004-10-02 13:37:59 UTC
ssl support in mysql is buggy. 
it miraculously stopped working with no obvious reason 3 days after this bug was posted.

I'd better close this with INVALID before anyone else looses his sanity over this issue =)