SSL options set by mysqli_ssl_set ignored for MySQLi persistent connections

Bug #55283 SSL options set by mysqli_ssl_set ignored for MySQLi persistent connections
Submitted: 2011-07-26 00:20 UTC Modified: 2017-10-24 06:13 UTC
Votes:12
Avg. Score:4.3 ± 0.8
Reproduced:7 of 8 (87.5%)
Same Version:2 (28.6%)
Same OS:4 (57.1%)
From: aleksey at wepay dot com Assigned:
Status: Open Package: MySQLi related
PHP Version: 5.3.6 OS: Cent OS
Private report: No CVE-ID: None

 [2011-07-26 00:20 UTC] aleksey at wepay dot com

Description:
------------
MySQLi ignores SSL options set with mysqli_ssl_set() for persistent connections (works fine for non-persistent connections).

To reproduce:
1) Configure MySQL server with SSL support (http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html)
2) Run the attached test script



Test script:
---------------
<?php
$host  = 'localhost';
$user  = 'root';
$pass  = '';
$db    = null;
$port  = 3306;
$flags = MYSQLI_CLIENT_SSL;

/* persistent connection (the 'p:' host prefix requests one) */
$link = mysqli_init();
mysqli_ssl_set($link, null, null, null, null, "RC4-MD5");
if (mysqli_real_connect($link, 'p:' . $host, $user, $pass, $db, $port, null, $flags)) {
    /* cipher the server reports for this session */
    $r = $link->query("SHOW STATUS LIKE 'Ssl_cipher'");
    var_dump($r->fetch_row());
}

/* non-persistent connection */
$link = mysqli_init();
mysqli_ssl_set($link, null, null, null, null, "RC4-MD5");
if (mysqli_real_connect($link, $host, $user, $pass, $db, $port, null, $flags)) {
    $r = $link->query("SHOW STATUS LIKE 'Ssl_cipher'");
    var_dump($r->fetch_row());
}


Expected result:
----------------
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(18) "RC4-MD5"
}
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(7) "RC4-MD5"
}


Actual result:
--------------
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(18) "DHE-RSA-AES256-SHA"
}
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(7) "RC4-MD5"
}



 [2011-07-26 00:25 UTC] aleksey at wepay dot com

Please note that while the example shows the problem with the cipher, all other parameters are also ignored. In particular, ssl cert info is critical.
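
An added example, not part of the original report or of PHP's own code: because the options can be dropped without any error, the session can be checked after connecting with the same `SHOW STATUS LIKE 'Ssl_cipher'` query the test script uses. `ssl_cipher_problem()` and `connect_verified()` are hypothetical names, and the check covers only the cipher and whether the session is encrypted, not the certificate options.

```php
<?php
/** Inspect a row from SHOW STATUS LIKE 'Ssl_cipher'.
 *  Returns null when the session is acceptable, otherwise the reason it is not. */
function ssl_cipher_problem(?array $row, array $allowedCiphers): ?string
{
    $cipher = $row[1] ?? '';
    if ($cipher === '') {
        return 'session is not encrypted (Ssl_cipher is empty)';
    }
    if (!in_array($cipher, $allowedCiphers, true)) {
        return "negotiated $cipher, expected one of: " . implode(', ', $allowedCiphers);
    }
    return null;
}

/**
 * Hypothetical wrapper: connect with the requested cipher, then fail closed
 * if the server-side session state does not match it. Pass 'p:host' for a
 * persistent connection, as in the report's test script.
 */
function connect_verified(string $host, string $user, string $pass, string $cipher): mysqli
{
    $link = mysqli_init();
    mysqli_ssl_set($link, null, null, null, null, $cipher);
    if (!mysqli_real_connect($link, $host, $user, $pass, null, 3306, null, MYSQLI_CLIENT_SSL)) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    $result = $link->query("SHOW STATUS LIKE 'Ssl_cipher'");
    $row = $result ? $result->fetch_row() : null;
    $problem = ssl_cipher_problem(is_array($row) ? $row : null, [$cipher]);
    if ($problem !== null) {
        $link->close();
        throw new RuntimeException("refusing connection to $host: $problem");
    }
    return $link;
}

// Offline demonstration. The first two rows are the report's "Actual result";
// the third is constructed to show a session without TLS.
$requested = ['RC4-MD5']; // the value the test script passed to mysqli_ssl_set()
$samples = [
    'persistent'     => ['Ssl_cipher', 'DHE-RSA-AES256-SHA'],
    'non-persistent' => ['Ssl_cipher', 'RC4-MD5'],
    'no TLS'         => ['Ssl_cipher', ''],
];
foreach ($samples as $label => $row) {
    echo $label, ': ', ssl_cipher_problem($row, $requested) ?? 'ok', PHP_EOL;
}
```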

 [2011-07-26 15:40 UTC] philip@php.net

-Assigned To: +Assigned To: mysql

 [2011-08-05 11:53 UTC] uw@php.net

-Status: Assigned +Status: Verified

 [2011-08-05 11:53 UTC] uw@php.net

Reproducible with PHP 5.3.7RC4-dev (cli) (built: Jul 26 2011 17:35:20) (DEBUG) using *libmysql* to connect to 5.1.45-debug-log 

Configure Command =>  './configure'  '--with-mysql=mysqlnd' '--with-mysqli=/usr/local/mysql/bin/mysql_config' '--with-pdo-mysql=/usr/local/mysql/bin/mysql_config' '--enable-debug' '--enable-maintainer-zts' '--enable-mysqlnd-ms' '--enable-mysqlenterprise' '--enable-mysqlnd-uh' '--enable-pcntl'

nixnutz@linux-fuxh:~/php/php-src/branches/PHP_5_3> sapi/cli/php bar.php
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(18) "DHE-RSA-AES256-SHA"
}
array(2) {
  [0]=>
  string(10) "Ssl_cipher"
  [1]=>
  string(7) "RC4-MD5"
}

 [2011-08-05 13:17 UTC] uw@php.net

The actual issue here is in mysqlnd (or in the mysqli user API, however you put it :-)): if using mysqli_init() to create a connection object we don't yet know if it needs to be persistent or not. mysqli was changed to meet the needs of mysqlnd. Unfortunately, this has an unforeseen side-effect on mysqli @ libmysql [@ SSL]. Changing mysqli to make libmysql happy will cause leaks with mysqlnd. 

This needs some think time.

 [2011-08-18 01:34 UTC] spam2 at rhsoft dot net

well i guess this change results in connections hanging around and 
after a huge timeout filling my mailbox with cron-mails since 
upgraded to 5.3.7 using MYSQLND so "Changing mysqli to make libmysql happy will cause leaks with mysqlnd" seems to be true -> but why done this change if knowing it?

mysqlnd 5.0.8-dev - 20102224 - $Revision: 310735 $
without ssl_set() all works fine but unencrypted

how can i revert this change for the 5.3.7-final.tar.bz2?
___________

MySQL server has gone away

$this->ssl_key = '/etc/mysql-ssl/client.pem';
$this->ssl_crt = '/etc/mysql-ssl/client.pem';
$this->ssl_ca  = '/etc/mysql-ssl/ca.crt';

$this->conn->ssl_set($this->ssl_key, $this->ssl_crt, $this->ssl_ca, NULL, NULL);

 [2011-08-18 07:17 UTC] spam2 at rhsoft dot net

what are you trying to tell me with "I don't get your comment :("
remember that not everybody has english as native language

i need a way to revert this change to get PHP 5.3.7 
working with mysqlnd/ssl the same way as it did the 
whole last year

 [2011-08-18 07:51 UTC] andrey@php.net

English is not my mother tongue either.

 [2011-08-18 07:55 UTC] pajoye@php.net

You can try in German then as you both speak German as well.

However it looks to me that the code speaks for itself. The connection fails after 
the timeout. This comment is based on this discussion on internals, 
http://news.php.net/php.internals/54667 .

 [2011-09-02 11:22 UTC] uw@php.net

PHP 5.4 beta is scheduled for next week. Is anybody working on fixing the underlying PHP Streams issue not only with 5.3 but also 5.4?

 [2011-09-02 12:19 UTC] johannes@php.net

-Status: Verified +Status: Assigned -Assigned To: mysql +Assigned To: scottmac

 [2011-09-02 12:19 UTC] johannes@php.net

Scott, can you check how we can fix both things - SSL timeout while having mysqlnd SSL working? We're happy to help on the MySQL side ... Thanks!

 [2011-09-02 12:48 UTC] spam2 at rhsoft dot net

would it not be the better solution to think about dropping the libmysql-support and use only mysqlnd - we are running some hundred domains and using mysqlnd since the first 5.3 release

you will always have the problem of regressions and the result of auto-tests are depending how php was compiled

 [2015-07-10 11:33 UTC] spam2 at rhsoft dot net

Related To: Bug #70039

 [2015-07-10 13:21 UTC] spam2 at rhsoft dot net

Related To: Bug #70039

 [2017-10-24 06:13 UTC] kalle@php.net

-Status: Assigned +Status: Open -Assigned To: scottmac +Assigned To: