We just upgraded to php 5.6 from php 5.4, and everything was working fine with our MySQL connecting using MySQLi and SSL.
Our connection looks like:
mysqli_real_connect($db, $host, $username, $password, $database, $port, $socket, MYSQLI_CLIENT_SSL);
mysqli_set_charset($db, "utf8");
Howerver, now when we try and connect to MySQL over SSL using php 5.6 we are getting:
Warning: mysqli_real_connect(): SSL operation failed with code 1.
OpenSSL Error messages: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in
/MySQLConnection.php on line 29
Warning: mysqli_real_connect(): Cannot connect to MySQL by using SSL
in /MySQLConnection.php on line 29
Warning: mysqli_real_connect(): [2002] (trying to connect via
tcp://mysql1.ourdomain.com:3306) in /MySQLConnection.php on line 29
Warning: mysqli_real_connect(): (HY000/2002): in /MySQLConnection.php
on line 29
I tried setting:
mysqli_options($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, false);
But that does not help.
UPDATE
I added:
$mysql_certs_path = "/full/path/to/certs/mysql";
mysqli_ssl_set($db, $mysql_certs_path . "/client-key.pem", $mysql_certs_path . "/client-cert.pem", $mysql_certs_path . "/ca-cert.pem", null, null);
And still getting:
Warning: mysqli_real_connect(): SSL operation failed with code 1.
OpenSSL Error messages: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in
/MySQLConnection.php on line 31
Warning: mysqli_real_connect(): Cannot connect to MySQL by using SSL in /MySQLConnection.php on line 31
#jww, I have written a post that shares exactly the problems #Justin is facing here. According to my post, the CN of the certificate issued by Google Cloud SQL has the pattern:
CN=project-name:instance-id
Had something similar to this happen to me. When I upgraded PHP to 5.6, it worked. But when I entered:
sudo apt-get install php5-mysqlnd
On Ubuntu 15.04, the SSL to AWS RDS stopped working, even though it worked with the libmysql driver. Running:
sudo apt-get install php5-mysql
Installed the old drivers and it started working again. Near as I can figure out, it's failing the peer-name validation for connecting to RDS. I do not know how to fix that, and because it uses PHP streams for its connection, the settings don't seem to matter that you pass in.
This is a known bug:
https://bugs.php.net/bug.php?id=68344
So I wrote this method, modified from here: How to know if MySQLnd is the active driver?
public function getMySQLIType()
{
$mysqlType = [
'mysql' => false,
'mysqli' => false,
'mysqlnd' => false,
];
if (function_exists('mysql_connect')) {
$mysqlType['mysql'] = true;
}
if (function_exists('mysqli_connect')) {
$mysqlType['mysqli'] = true;
}
if (function_exists('mysqli_get_client_stats')) {
$mysqlType['mysqlnd'] = true;
}
return $mysqlType;
}
If the array returns true for mysqlnd, I disable SSL. If returns false, then I enable it. Thus far, it works. Yes, this is a hack fix but I do not know how to legitimately fix this issue.
Related
Software:
PHP 7.3
MySQL Workbench 8.0
This is my PHP code:
try {
$link = mysqli_connect($DB_SERVER,$DB_USERNAME, $DB_PASSWORD,$DB_NAME,3306);
} catch (Exception $e){
throw new Exception("Can't execute command. ERROR: ".$e);
}
This is the error:
Warning: mysqli_connect(): PHP was built without openssl extension, can't send password encrypted in login.php on line 11
Warning: mysqli_connect(): (HY000/1045): Access denied for user 'XXXXX_admin'#'localhost' (using password: YES) in C:\inetpub\wwwroot\ on line 11
PHP Warning: mysqli_error() expects parameter 1 to be mysqli, boolean given in C:\inetpub\wwwroot\ on line 24
PHP Fatal error: Uncaught Exception: ERROR: Failed to connect to in C:\inetpub\wwwroot:24 Stack trace: #0 {main} thrown in C:\inetpub\wwwroot\ on line 24
Now the magic, when I login in to mysql workbench with the same user and password everything works fine. I have access to tables and other things. When I login in with my PHP application everything works also.
So my problem is everytime my server reboots I have to login in with MySQL Workbench, to get it working again. What am I missing?
You need to do verify few of the steps:
All necessary extensions are enabled like mysqli, openssl etc
Port is available
MySQLi is connecting at 3306 Port
Rest could be your username and password issue
Let us know once you will be verifying all above steps.
What you need to do is enable the openssl extension for php.
Open your php.ini file and search for the line:
;extension=php_openssl.dll
You need to uncomment it by removing the semicolon in front of it, leaving you with this:
extension=php_openssl.dll
I'm trying to open a TLS connection using this code:
<?php
$cafile = '/var/www/html/mosquitto/cert.pem';
$socketContext = stream_context_create(["ssl" => [
"verify_peer_name" => true,
"cafile" => $cafile
]]);
$socket = stream_socket_client("tls://xx.xx.xx.xx:8883", $errno, $errstr, 60, STREAM_CLIENT_CONNECT, $socketContext);
if (!$socket) {
print("Error: ".$errstr);
return false;
}else{
print("Connection Opened");
}
?>
Nginx error log:
2018/02/08 17:40:28 [error] 1331#1331: *658 FastCGI sent in stderr: "PHP message: PHP Warning: stream_socket_client(): SSL operation $
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /var/www/html/test.php on line 10
PHP message: PHP Warning: stream_socket_client(): Failed to enable crypto in /var/www/html/test.php on line 10
PHP message: PHP Warning: stream_socket_client(): unable to connect to tls://xx.xx.xx.xx:8883 (Unknown error) in /var/www/html/test.$
This is always getting in error section !$socket but without any error string. It's just Error:. How can I fix this issue? I'm speculating cert.pem file may be the issue. What file do I need to put there?
Thanks!
How can I fix this issue?
That's going to be very hard until you know what the issue is.
Clearly tackling the problem using stream_socket_client is not working and is not giving you any useful diagnostic information. You need to breakdown what this call is doing and test each part in isolation.
Does 'xx.xx.xx.xx' represent an IP address or a hostname? If it's the latter you may have issues with resolution. Try dns_get_record() If its the former, how do you expect to validate the subject of the certificate?
Can you connect on port 8883? Try fsockopen()
Is SSL working?
Can you negotiate a cypher
Is the certificate valid
is the certificate signed by a CA in your certs.pem file
You can check these from the command line with openssl s_client
Update
From your edit: certificate verify failed - see note above regarding IP address and certificate vlidation
I was trying to develop a twitter streaming application on my AWS EC2 machine. The OS platform is Ubuntu 16.04.1 LTS and I have downgraded the PHP version to 5.6.28-1+deb.sury.org~xenial+1
When I run the twitter streaming application on this server, I am getting the following errors.
Warning: fsockopen(): Peer certificate CN=`stream.twitter.com' did not match expected CN=`199.16.156.217' in /var/www/html/myapp/streamer/twitterstreamer.php on line 620
Warning: fsockopen(): Failed to enable crypto in /var/www/html/myapp/streamer/twitterstreamer.php on line 620
Warning: fsockopen(): unable to connect to ssl://199.16.156.217:443 (Unknown error) in /var/www/html/myapp/streamer/twitterstreamer.php on line 620
The same code is running without any issues in another two machines (one is AWS EC2 and the another is a godaddy server).
All the ports in the current EC2 machine is open now and the SSL version is OpenSSL/1.0.2g the openssl section is having the following value.
openssl section - phpinfo
Can someone help me to find where the exact issue is ?
The issue is resolved with the clue fro the first error.
Warning: fsockopen(): Peer certificate CN='stream.twitter.com' did not match expected CN='199.16.156.217' in /var/www/html/myapp/streamer/twitterstreamer.php on line 620
In PHP 5.6.x, the value of openssl VERIFY_PEER is true by default. The system will first fetch the certificate from the peer and matches with ours. In my application, I was connecting with the IP and the URL in the fetched certificate is stream.twitter.com. This was the issue.
Changing IP in the fsockopen to stream.twitter.com solved my issue.
PHP versions prior to 5.6, the default value of VERIFY_PEER is false and this is why the same code running on my other instances.
I'm trying to setup PHP mysqli connection to MariaDB database for two VPS servers and need to encrypt the communications due to it being over public network.
Currently I can connect from the client server to database server via commandline mysql client normally and I have checked via tcpdump that the connection is encrypted. However for some reason I can't figure out the PHP part. It's relatively basic nginx + php5-fpm + mariadb setup but mysql is working on non default port.
Debian Jessie, Php5 5.6.7, Mariadb 10.0.16, nginx 1.6.2
Here's the test script:
<?php
$DB_NAME = '';
$DB_HOST = '111.111.111.111';
$DB_USER = 'username';
$DB_PASS = 'password';
$mysqli = mysqli_init();
if (!$mysqli) {
die('mysqli_init failed');
}
//have tried witha and without the following with multiple variations
$mysqli->ssl_set(NULL, NULL, NULL,'/etc/mysql/ssl/',NULL);
if (!$mysqli->real_connect($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME, 11111, NULL,MYSQLI_CLIENT_SSL )) {
die('Connect Error (' . mysqli_connect_errno() . ') '
. mysqli_connect_error());
}
$query = "SHOW STATUS LIKE 'ssl_cipher'";
$result = $mysqli->query($query) or die($mysqli->error.__LINE__);
if($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
print_r($row);
}
}
else {
echo 'NO RESULTS';
}
mysqli_close($mysqli);
?>
Main error I'm getting without the ssl_set:
2015/07/11 15:58:34 [error] 2857#0: *374 FastCGI sent in stderr: "PHP message: PHP Warning: mysqli::real_connect(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /srv/www/test.php on line 15
PHP message: PHP Warning: mysqli::real_connect(): Cannot connect to MySQL by using SSL in /srv/www/test.php on line 15
PHP message: PHP Warning: mysqli::real_connect(): [2002] (trying to connect via tcp://192.168.130.123:42139) in /srv/www/test.php on line 15
PHP message: PHP Warning: mysqli::real_connect(): (HY000/2002): in /srv/www/test.php on line 15".....
Any ideas would be appreciated. This is really killing me.
Maybe this problem occurs due to the changes made in PHP 5.6. I guess you are using self-signed certificates? If your DB enables peer_name validation by DEFAULT, there is no way to disable this in PHP. So when generating you certificates you have to use the right "Common Name" for each one:
CA: hostname
Server: FQND, e.g. hostname.example.com
Client: somename
The important part is the server certificate where the Common Name has to be the same as the host you are connecting to.
What it looks like is this
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
My guess is that you don't have the correct CA set up. Some DB systems (like Amazon Web Services RDS) have their own CA file. You're using the capath argument so make sure the PEM files are in that path. If they are, the next thing I would do is switch to the third argument of ssl_set and specify the PEM file directly
$mysqli->ssl_set(NULL, NULL, '/path/to/ca.pem', NULL, NULL);
I want to setup SSL for MySQL on Fedora. I am using PDO as MySQL-connector in PHP. But it is not working.
The PHP-version (php -v) is:
PHP 5.6.6 (cli) (built: Feb 19 2015 13:46:39)
When I check php -m I get a long list, including openssl, PDO, pdo_mysql, mysql.
In /etc/my.cnf I added the "ssl" and the three certificates (CA-root, private-key, certificate). I restarted MySQL and Apache.
The pdo-connector is this:
function getDBConn() {
return new PDO(
'mysql:host=localhost; dbname=forum',
user,
pass,
array(
PDO::MYSQL_ATTR_SSL_KEY => path_to_same_as_in_my.cnf.key,
PDO::MYSQL_ATTR_SSL_CERT => path_to_same_as_in_my.cnf.crt,
PDO::MYSQL_ATTR_SSL_CA => path_to_same_as_in_my.cnf.crt
)
}
But on the pages that connect to the database I get the following errors:
Warning: PDO::__construct(): this stream does not support SSL/crypto in /var/www/html/functions.php on line 78
Warning: PDO::__construct(): cannot connect to MySQL by using SSL in /var/www/html/functions.php on line 78
Warning: PDO::__construct(): [2002] (trying to connect via unix:///var/lib/mysql/mysql.sock) in /var/www/html/functions.php on line 78
FATAL ERROR: Uncaught exception 'PDOException' with message 'SQL:STATE[HY000][2002]' in /var/www/html/functions.php:78 Stack trace .....
Anyone who has a solution for this?
All you need is this for PDO MySQL using SSL
<?php
$pdo = new PDO('mysql:host=ip;dbname=db', 'user', 'pass', array(
PDO::MYSQL_ATTR_SSL_KEY =>'/etc/mysql/ssl/client-key.pem',
PDO::MYSQL_ATTR_SSL_CERT=>'/etc/mysql/ssl/client-cert.pem',
PDO::MYSQL_ATTR_SSL_CA =>'/etc/mysql/ssl/ca-cert.pem'
)
);
$statement = $pdo->query("SHOW TABLES;");
$row = $statement->fetch(PDO::FETCH_ASSOC);
echo htmlentities($row['_message']);
?>
Another biggest reason you're getting the error is because you might not have openssl installed.