Package: php5-mysqlnd; Maintainer for php5-mysqlnd is (unknown);
Reported by: Adam McKenna <flound1129@gmail.com>
Date: Wed, 2 Sep 2015 16:45:02 UTC
Severity: normal
Tags: patch, upstream
Found in version php5/5.6.12+dfsg-0+deb8u1
Fixed in version 5.6.26+dfsg-1+rm
Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#797799; Package php5-mysqlnd. (Wed, 02 Sep 2015 16:45:05 GMT)
Acknowledgement sent to Adam McKenna <flound1129@gmail.com>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 02 Sep 2015 16:45:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php5-mysqlnd
Version: 5.6.12+dfsg-0+deb8u1
Severity: important
Tags: security upstream patch
https://bugs.php.net/bug.php?id=68344
Description:
------------
When the MySQLi extension is compiled against mysqlnd there is no method to disable peer_name validation. Since MySQL 5.6 now enables peer_name validation by DEFAULT, those of us connecting to servers with self-signed certs via SSL are no longer able to.
I have tried to signal the default ssl stream context to disable peer_name validation but the mysqli extension will NOT honor it.
If the remote server's name does not match the name you are connecting to (as in, for example, a mysql cluster and connecting to a single node directly) you will not be able to connect at all in any way, shape or form with mysqli. -- The old mysql extension is not affected by this change as it honors the my.cnf mysql client's validation settings.
Test script:
---------------
<?php
stream_context_set_default(array(
    'ssl' => array(
        'peer_name'         => 'generic-server',
        'verify_peer'       => FALSE,
        'verify_peer_name'  => FALSE,
        'allow_self_signed' => TRUE,
    ),
));
$mysqli = mysqli_init();
mysqli_ssl_set($mysqli, "/etc/pki/mysql/client.key", "/etc/pki/mysql/client.crt", "/etc/pki/mysql/ca-cert.pem", NULL, NULL);
$conn = mysqli_real_connect($mysqli, 'dbserver.local', 'test', 'test1234', '', NULL, '', MYSQLI_CLIENT_SSL);
var_dump($conn);
?>
Expected result:
----------------
I expect to be able to disable peer_name validation for those situations where the certificate name can't possibly be verified (i.e. self-signed certs) and be able to connect to the mysql server.
Actual result:
--------------
MySQLi will NOT connect to mysql server and throws 4 warnings:
Warning: mysqli_real_connect(): Peer certificate CN=`generic-server' did not match expected CN=`dbserver.local'
Warning: mysqli_real_connect(): Cannot connect to MySQL by using SSL
Warning: mysqli_real_connect(): [2002] (trying to connect via tcp://dbserver.local:3306)
Warning: mysqli_real_connect(): (HY000/2002):
Patch:
; obey few default context options
; https://bugs.php.net/bug.php?id=68344
diff -urbB php-5.6.12/ext/mysqlnd/mysqlnd_net.c php-5.6.12/ext/mysqlnd/mysqlnd_net.c
--- php-5.6.12/ext/mysqlnd/mysqlnd_net.c 2015-08-06 09:55:57.000000000 +0200
+++ php-5.6.12/ext/mysqlnd/mysqlnd_net.c 2015-08-10 13:25:30.187912101 +0200
@@ -29,6 +29,7 @@
#include "mysqlnd_ext_plugin.h"
#include "php_network.h"
#include "zend_ini.h"
+#include "ext/standard/file.h"
#ifdef MYSQLND_COMPRESSION_ENABLED
#include <zlib.h>
#endif
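Review bot: the new `#include "ext/standard/file.h"` is unexplained in the visible context; the only consumer is the `FG(default_context)` access in the next hunk, so a one-line comment on the include (or placing it next to the other ext/standard includes, if any) would tell the next reader why mysqlnd's network layer now pulls in the file extension's globals.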
@@ -868,6 +868,21 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(
DBG_RETURN(FAIL);
}
+ if (FG(default_context)) {
+ zval **tmpzval = NULL;
+ int i = 0;
+ /* copy values from default stream settings */
+ char *opts[] = { "allow_self_signed", "cafile", "capath", "ciphers", "CN_match",
+ "disable_compression", "local_cert", "local_pk", "no_ticket", "passphrase",
+ "peer_fingerprint", "peer_name", "SNI_enabled", "SNI_server_certs", "SNI_server_name",
+ "verify_depth", "verify_peer", "verify_peer_name", NULL };
+ while (opts[i]) {
+ if (php_stream_context_get_option(FG(default_context), "ssl", opts[i], &tmpzval) == SUCCESS)
+ php_stream_context_set_option(context, "ssl", opts[i], *tmpzval);
+ i++;
+ }
+ }
+
if (net->data->options.ssl_key) {
zval key_zval;
ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
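Review bot: the loop copies `verify_peer`, `verify_peer_name` and `allow_self_signed` (among the other listed keys) from the process-wide default stream context into every mysqlnd TLS connection, so any code path that calls stream_context_set_default() to relax verification for some unrelated stream silently turns off certificate checking for the database connection as well; the test script in this report does exactly that. A per-connection option on the mysqli side would keep that decision explicit and local to the connection instead of inheriting it from a global. Two smaller points: the `if` inside the `while` has no braces, unlike the surrounding code, and the placement of the copy before the explicit `if (net->data->options.ssl_key) {` handling deserves a comment stating whether the explicitly configured values are meant to override the copied defaults.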
-- Package-specific info:
==== Additional PHP 5 information ====
++++ PHP 5 SAPI (php5query -S): ++++
fpm
cli
++++ PHP 5 Extensions (php5query -M -v): ++++
pdo (Enabled for fpm by maintainer script)
pdo (Enabled for cli by maintainer script)
readline (Enabled for fpm by maintainer script)
readline (Enabled for cli by maintainer script)
pdo_mysql (Enabled for fpm by maintainer script)
pdo_mysql (Enabled for cli by maintainer script)
json (Enabled for fpm by maintainer script)
json (Enabled for cli by maintainer script)
memcached (Enabled for fpm by local administrator)
memcached (Enabled for cli by local administrator)
mysqli (Enabled for fpm by maintainer script)
mysqli (Enabled for cli by maintainer script)
opcache (Enabled for fpm by maintainer script)
opcache (Enabled for cli by maintainer script)
mysql (Enabled for fpm by maintainer script)
mysql (Enabled for cli by maintainer script)
curl (Enabled for fpm by maintainer script)
curl (Enabled for cli by maintainer script)
mysqlnd (Enabled for fpm by maintainer script)
mysqlnd (Enabled for cli by maintainer script)
redis (Enabled for fpm by maintainer script)
redis (Enabled for cli by maintainer script)
++++ Configuration files: ++++
**** /etc/php5/mods-available/mysqlnd.ini ****
extension=mysqlnd.so
**** /etc/php5/mods-available/mysql.ini ****
extension=mysql.so
**** /etc/php5/mods-available/mysqli.ini ****
extension=mysqli.so
**** /etc/php5/mods-available/pdo_mysql.ini ****
extension=pdo_mysql.so
-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages php5-mysqlnd depends on:
ii libc6 2.19-18
ii php5-common [phpapi-20131226] 5.6.12+dfsg-0+deb8u1
ii ucf 3.0030
php5-mysqlnd recommends no packages.
php5-mysqlnd suggests no packages.
Versions of packages php5-common depends on:
ii libc6 2.19-18
ii lsof 4.86+dfsg-1
ii psmisc 22.21-2
ii sed 4.2.2-4+b1
ii ucf 3.0030
Versions of packages php5-common suggests:
pn php5-user-cache <none>
Versions of packages php5-cli depends on:
ii libbz2-1.0 1.0.6-7+b3
ii libc6 2.19-18
ii libcomerr2 1.42.12-1.1
ii libdb5.3 5.3.28-9
ii libedit2 3.1-20140620-2
ii libgssapi-krb5-2 1.12.1+dfsg-19
ii libk5crypto3 1.12.1+dfsg-19
ii libkrb5-3 1.12.1+dfsg-19
ii libmagic1 1:5.22+15-2
ii libonig2 5.9.5-3.2
ii libpcre3 2:8.35-3.3
ii libqdbm14 1.8.78-5+b1
ii libssl1.0.0 1.0.1k-3+deb8u1
ii libxml2 2.9.1+dfsg1-5
ii mime-support 3.58
ii php5-common 5.6.12+dfsg-0+deb8u1
ii php5-json 1.3.6-1
ii tzdata 2015f-0+deb8u1
ii ucf 3.0030
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages php5-cli recommends:
ii php5-readline 5.6.12+dfsg-0+deb8u1
Versions of packages php5-cli suggests:
pn php-pear <none>
Versions of packages php5-fpm depends on:
ii init-system-helpers 1.22
ii libapparmor1 2.9.0-3
ii libbz2-1.0 1.0.6-7+b3
ii libc6 2.19-18
ii libcomerr2 1.42.12-1.1
ii libdb5.3 5.3.28-9
ii libgssapi-krb5-2 1.12.1+dfsg-19
ii libk5crypto3 1.12.1+dfsg-19
ii libkrb5-3 1.12.1+dfsg-19
ii libmagic1 1:5.22+15-2
ii libonig2 5.9.5-3.2
ii libpcre3 2:8.35-3.3
ii libqdbm14 1.8.78-5+b1
ii libssl1.0.0 1.0.1k-3+deb8u1
ii libsystemd0 215-17+deb8u1
ii libxml2 2.9.1+dfsg1-5
ii mime-support 3.58
ii php5-cli 5.6.12+dfsg-0+deb8u1
ii php5-common 5.6.12+dfsg-0+deb8u1
ii php5-json 1.3.6-1
ii tzdata 2015f-0+deb8u1
ii ucf 3.0030
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages php5-fpm suggests:
pn php-pear <none>
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#797799; Package php5-mysqlnd. (Wed, 02 Sep 2015 18:54:03 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@sury.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 02 Sep 2015 18:54:03 GMT)
Message #10 received at 797799@bugs.debian.org:
Control: tags -1 -security
Control: severity -1 normal
Hi Adam,
is there a problem to generate a self-signed certificate that matches
the name of the server? If that's the only problem it could be easily
solved by that. Also there exists a viable workaround, just install
php5-mysql instead of php5-mysqlnd, thus I am lowering the severity of
the bug.
Also I am removing the security tag because in fact this is not a security
bug since it doesn't lower the security of TLS (quite the opposite).
Cheers,
Ondrej
On Wed, Sep 2, 2015, at 18:19, Adam McKenna wrote:
> [...]
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Removed tag(s) security. Request was from Ondřej Surý <ondrej@sury.org> to 797799-submit@bugs.debian.org. (Wed, 02 Sep 2015 18:54:03 GMT)
Severity set to 'normal' from 'important'. Request was from Ondřej Surý <ondrej@sury.org> to 797799-submit@bugs.debian.org. (Wed, 02 Sep 2015 18:54:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#797799; Package php5-mysqlnd. (Wed, 02 Sep 2015 20:51:14 GMT)
Acknowledgement sent to Adam M <flound1129@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 02 Sep 2015 20:51:14 GMT)
Message #19 received at 797799@bugs.debian.org:
Unfortunately it's not quite that simple. I recommend reading all of the
comments on the bug page. This is a major issue and it's been going on for
over a year.
A single hostname will never work for a MySQL cluster where the clients
need to connect to different nodes with different names.
Even if you aren't using a cluster, making the hostname match doesn't
appear to work, possibly due to changes in either PHP or OpenSSL since the
bug was filed. I dicked around for several hours generating new
certificates, making sure they all matched up to hostnames (both client and
server) and even adding my CA Cert to the keystore. Nothing worked. I
eventually recompiled PHP with the patch.
It *is* a security bug, because it forces people who do not have either the
patience or the knowledge to recompile the package with the patch to turn
off SSL between their web and DB server. The other option is to downgrade
PHP to an earlier version which also has security implications.
On Wed, Sep 2, 2015 at 11:51 AM, Ondřej Surý <ondrej@sury.org> wrote:
> [...]
--
BTC: 1D8AM4aXWEbCX3RcemZjZBxB6X1uqhthqY LTC: LVtDsd9cWFU5ueQsJ5nNFgBRTghPUV4isg
https://www.multipool.us - Always mine the most profitable coin - Now with SHA-256 ASIC Multiport!
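The two messages above disagree on whether a certificate can be made to match the names clients use for a cluster (message #10 suggests matching the server name; message #19 replies that a single hostname never works for a cluster). What resolves that without touching verify_peer or verify_peer_name is a server certificate issued by a private CA whose subjectAltName lists every name a client may connect with; the client then trusts only the CA file (the CA argument of mysqli_ssl_set() in the test script) and verification passes for each listed name. The script below is an added example, not code from the bug report, from PHP or from mysqlnd; the node names under example.internal are hypothetical, dbserver.local is reused from the test script, and the check relies only on the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the bug report or from PHP/mysqlnd.
# Issues one server certificate from a private CA whose subjectAltName lists
# every name clients will use for the cluster, then checks each name the way
# a verifying TLS client does (chain to the CA + hostname match), so that
# verify_peer / verify_peer_name never have to be switched off.
set -eu

# Constructed names: db-node1/db-node2 are hypothetical cluster members,
# dbserver.local is the host name used in the bug report's test script.
SERVER_CN="db-node1.example.internal"
SAN_NAMES="DNS:db-node1.example.internal,DNS:db-node2.example.internal,DNS:dbserver.local"

# make_san_cert DIR: writes ca.crt, server.key and server.crt into DIR.
make_san_cert() {
  dir="$1"
  # Self-contained OpenSSL configs so the script does not depend on the
  # system openssl.cnf.
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = example-internal-mysql-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
req_extensions = v3_req
[dn]
CN = $SERVER_CN
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $SAN_NAMES
EOF
  # Private CA: this is the only certificate the clients need to trust.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # Server key + CSR, then sign with the CA and copy the SAN list into the cert.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/server.cnf" -extensions v3_req \
    -out "$dir/server.crt" >/dev/null 2>&1
}

# cert_matches_host DIR NAME: exit 0 only if server.crt chains to ca.crt AND
# NAME matches one of its SAN entries, i.e. what a client with
# verify_peer=true and verify_peer_name=true would accept when connecting to NAME.
cert_matches_host() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Demonstration: build the certificate and report which names it covers.
demo() {
  d=$(mktemp -d)
  make_san_cert "$d"
  for name in db-node1.example.internal db-node2.example.internal dbserver.local \
              db-node3.example.internal; do
    if cert_matches_host "$d" "$name"; then
      echo "$name: accepted"
    else
      echo "$name: rejected (not in SAN, or chain failure)"
    fi
  done
  rm -rf "$d"
}

command -v openssl >/dev/null 2>&1 && demo
```

Every node in the cluster can carry a copy of this one certificate, or each node can get its own certificate from the same CA with its own SAN list; either way the clients keep full verification on and only the CA file is distributed to them. A name that is not in the list (db-node3 in the demonstration) is rejected, which is the behaviour the bug report observed for `generic-server`, and the correct response is to add the name to the SAN rather than to disable the check.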
Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>: You have taken responsibility. (Fri, 13 Jan 2017 13:07:20 GMT)
Notification sent to Adam McKenna <flound1129@gmail.com>: Bug acknowledged by developer. (Fri, 13 Jan 2017 13:07:20 GMT)
Message #24 received at 797799-done@bugs.debian.org:
Version: 5.6.26+dfsg-1+rm

Dear submitter,

as the package php5 has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/841781

The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp. Scott Kitterman (the ftpmaster behind the curtain)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 Feb 2017 07:39:44 GMT)