[php-maint] Bug#797799: Bug#797799: php5-mysqlnd: (Upstream Bug #68344): MySQLi does not provide way to disable peer certificate validation
Ondřej Surý
ondrej at sury.org
Wed Sep 2 18:51:01 UTC 2015
Control: tags -1 -security
Control: severity -1 normal
Hi Adam,
Is there a problem with generating a self-signed certificate that matches
the name of the server? If that's the only problem, it could easily be
solved that way. Also, there is a viable workaround: just install
php5-mysql instead of php5-mysqlnd, so I am lowering the severity of
the bug.
I am also removing the security tag because this is in fact not a security
bug, since it doesn't lower the security of TLS (quite the opposite).
Cheers,
Ondrej
On Wed, Sep 2, 2015, at 18:19, Adam McKenna wrote:
> Package: php5-mysqlnd
> Version: 5.6.12+dfsg-0+deb8u1
> Severity: important
> Tags: security upstream patch
>
> https://bugs.php.net/bug.php?id=68344
>
> Description:
> ------------
> When the MySQLi extension is compiled against mysqlnd, there is no method
> to disable peer_name validation. Since MySQL 5.6 now enables peer_name
> validation by DEFAULT, those of us connecting to servers with self-signed
> certs via SSL are no longer able to.
>
> I have tried to signal the default ssl stream context to disable
> peer_name validation, but the mysqli extension will NOT honor it.
>
> If the remote server's name does not match the name you are connecting to
> (as in, for example, a mysql cluster and connecting to a single node
> directly) you will not be able to connect at all in any way, shape or form
> with mysqli. -- The old mysql extension is not affected by this change
> as it honors the my.cnf mysql client's validation settings.
>
> Test script:
> ---------------
> <?php
>
> stream_context_set_default(array(
>     'ssl' => array(
>         'peer_name'         => 'generic-server',
>         'verify_peer'       => FALSE,
>         'verify_peer_name'  => FALSE,
>         'allow_self_signed' => TRUE,
>     ),
> ));
>
> $mysqli = mysqli_init();
> mysqli_ssl_set($mysqli, "/etc/pki/mysql/client.key", "/etc/pki/mysql/client.crt", "/etc/pki/mysql/ca-cert.pem", NULL, NULL);
> $conn = mysqli_real_connect($mysqli, 'dbserver.local', 'test', 'test1234', '', NULL, '', MYSQLI_CLIENT_SSL);
> var_dump($conn);
>
> ?>
>
>
> Expected result:
> ----------------
> I expect to be able to disable peer_name validation for those situations
> where the certificate name can't possibly be verified (i.e. self-signed
> certs) and be able to connect to the mysql server.
>
> Actual result:
> --------------
> MySQLi will NOT connect to mysql server and throws 4 warnings:
>
> Warning: mysqli_real_connect(): Peer certificate CN=`generic-server' did
> not match expected CN=`dbserver.local'
> Warning: mysqli_real_connect(): Cannot connect to MySQL by using SSL
> Warning: mysqli_real_connect(): [2002] (trying to connect via
> tcp://dbserver.local:3306)
> Warning: mysqli_real_connect(): (HY000/2002):
>
> Patch:
>
> ; obey few default context options
> ; https://bugs.php.net/bug.php?id=68344
> diff -urbB php-5.6.12/ext/mysqlnd/mysqlnd_net.c
> php-5.6.12/ext/mysqlnd/mysqlnd_net.c
> --- php-5.6.12/ext/mysqlnd/mysqlnd_net.c 2015-08-06
> 09:55:57.000000000 +0200
> +++ php-5.6.12/ext/mysqlnd/mysqlnd_net.c 2015-08-10
> 13:25:30.187912101 +0200
> @@ -29,6 +29,7 @@
> #include "mysqlnd_ext_plugin.h"
> #include "php_network.h"
> #include "zend_ini.h"
> +#include "ext/standard/file.h"
> #ifdef MYSQLND_COMPRESSION_ENABLED
> #include <zlib.h>
> #endif
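Review bot: the new `#include "ext/standard/file.h"` is pulled in only for the `FG()` accessor used by the `FG(default_context)` lookup in the next hunk; a one-line comment next to the include saying so would save the next reader a grep, and the fact that ext/mysqlnd now reaches into ext/standard's file globals belongs in the change description.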
> @@ -868,6 +868,21 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(
> DBG_RETURN(FAIL);
> }
>
> + if (FG(default_context)) {
> + zval **tmpzval = NULL;
> + int i = 0;
> + /* copy values from default stream settings */
> + char *opts[] = { "allow_self_signed", "cafile", "capath",
> "ciphers", "CN_match",
> + "disable_compression", "local_cert", "local_pk",
> "no_ticket", "passphrase",
> + "peer_fingerprint", "peer_name", "SNI_enabled",
> "SNI_server_certs", "SNI_server_name",
> + "verify_depth", "verify_peer",
> "verify_peer_name", NULL };
> + while (opts[i]) {
> + if
> (php_stream_context_get_option(FG(default_context), "ssl", opts[i],
> &tmpzval) == SUCCESS)
> + php_stream_context_set_option(context,
> "ssl", opts[i], *tmpzval);
> + i++;
> + }
> + }
> +
> if (net->data->options.ssl_key) {
> zval key_zval;
> ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
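Review bot: the copy loop imports `verify_peer`, `verify_peer_name` and `allow_self_signed` from the process-wide default context (`FG(default_context)`), so any code in the same request that calls `stream_context_set_default()` to relax TLS checks for some unrelated stream also silently turns off certificate and peer-name verification for every mysqlnd connection made afterwards; a per-connection switch, set through the same path as the existing `net->data->options.ssl_*` fields, would keep the decision local to the connection that needs it. Two smaller points: `CN_match` is the deprecated pre-5.6 spelling of `peer_name`, and copying it forward keeps the deprecated option alive on the fresh context; and the loop body reads better with braces around the `if` and the `php_stream_context_get_option(...)` call on a single line. Placing the block before `if (net->data->options.ssl_key)` is the right order, since the values given explicitly through mysqli_ssl_set() are applied afterwards and override whatever was copied from the defaults.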
>
> -- Package-specific info:
> ==== Additional PHP 5 information ====
>
> ++++ PHP 5 SAPI (php5query -S): ++++
> fpm
> cli
>
> ++++ PHP 5 Extensions (php5query -M -v): ++++
> pdo (Enabled for fpm by maintainer script)
> pdo (Enabled for cli by maintainer script)
> readline (Enabled for fpm by maintainer script)
> readline (Enabled for cli by maintainer script)
> pdo_mysql (Enabled for fpm by maintainer script)
> pdo_mysql (Enabled for cli by maintainer script)
> json (Enabled for fpm by maintainer script)
> json (Enabled for cli by maintainer script)
> memcached (Enabled for fpm by local administrator)
> memcached (Enabled for cli by local administrator)
> mysqli (Enabled for fpm by maintainer script)
> mysqli (Enabled for cli by maintainer script)
> opcache (Enabled for fpm by maintainer script)
> opcache (Enabled for cli by maintainer script)
> mysql (Enabled for fpm by maintainer script)
> mysql (Enabled for cli by maintainer script)
> curl (Enabled for fpm by maintainer script)
> curl (Enabled for cli by maintainer script)
> mysqlnd (Enabled for fpm by maintainer script)
> mysqlnd (Enabled for cli by maintainer script)
> redis (Enabled for fpm by maintainer script)
> redis (Enabled for cli by maintainer script)
>
> ++++ Configuration files: ++++
> **** /etc/php5/mods-available/mysqlnd.ini ****
> extension=mysqlnd.so
>
> **** /etc/php5/mods-available/mysql.ini ****
> extension=mysql.so
>
> **** /etc/php5/mods-available/mysqli.ini ****
> extension=mysqli.so
>
> **** /etc/php5/mods-available/pdo_mysql.ini ****
> extension=pdo_mysql.so
>
>
> -- System Information:
> Debian Release: 8.1
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages php5-mysqlnd depends on:
> ii libc6 2.19-18
> ii php5-common [phpapi-20131226] 5.6.12+dfsg-0+deb8u1
> ii ucf 3.0030
>
> php5-mysqlnd recommends no packages.
>
> php5-mysqlnd suggests no packages.
>
> Versions of packages php5-common depends on:
> ii libc6 2.19-18
> ii lsof 4.86+dfsg-1
> ii psmisc 22.21-2
> ii sed 4.2.2-4+b1
> ii ucf 3.0030
>
> Versions of packages php5-common suggests:
> pn php5-user-cache <none>
>
> Versions of packages php5-cli depends on:
> ii libbz2-1.0 1.0.6-7+b3
> ii libc6 2.19-18
> ii libcomerr2 1.42.12-1.1
> ii libdb5.3 5.3.28-9
> ii libedit2 3.1-20140620-2
> ii libgssapi-krb5-2 1.12.1+dfsg-19
> ii libk5crypto3 1.12.1+dfsg-19
> ii libkrb5-3 1.12.1+dfsg-19
> ii libmagic1 1:5.22+15-2
> ii libonig2 5.9.5-3.2
> ii libpcre3 2:8.35-3.3
> ii libqdbm14 1.8.78-5+b1
> ii libssl1.0.0 1.0.1k-3+deb8u1
> ii libxml2 2.9.1+dfsg1-5
> ii mime-support 3.58
> ii php5-common 5.6.12+dfsg-0+deb8u1
> ii php5-json 1.3.6-1
> ii tzdata 2015f-0+deb8u1
> ii ucf 3.0030
> ii zlib1g 1:1.2.8.dfsg-2+b1
>
> Versions of packages php5-cli recommends:
> ii php5-readline 5.6.12+dfsg-0+deb8u1
>
> Versions of packages php5-cli suggests:
> pn php-pear <none>
>
> Versions of packages php5-fpm depends on:
> ii init-system-helpers 1.22
> ii libapparmor1 2.9.0-3
> ii libbz2-1.0 1.0.6-7+b3
> ii libc6 2.19-18
> ii libcomerr2 1.42.12-1.1
> ii libdb5.3 5.3.28-9
> ii libgssapi-krb5-2 1.12.1+dfsg-19
> ii libk5crypto3 1.12.1+dfsg-19
> ii libkrb5-3 1.12.1+dfsg-19
> ii libmagic1 1:5.22+15-2
> ii libonig2 5.9.5-3.2
> ii libpcre3 2:8.35-3.3
> ii libqdbm14 1.8.78-5+b1
> ii libssl1.0.0 1.0.1k-3+deb8u1
> ii libsystemd0 215-17+deb8u1
> ii libxml2 2.9.1+dfsg1-5
> ii mime-support 3.58
> ii php5-cli 5.6.12+dfsg-0+deb8u1
> ii php5-common 5.6.12+dfsg-0+deb8u1
> ii php5-json 1.3.6-1
> ii tzdata 2015f-0+deb8u1
> ii ucf 3.0030
> ii zlib1g 1:1.2.8.dfsg-2+b1
>
> Versions of packages php5-fpm suggests:
> pn php-pear <none>
>
> -- no debconf information
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
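The maintainer's suggestion above is to give the server a certificate whose name matches what the client connects to, so that peer-name verification can stay switched on instead of being disabled. The script below is an added example (not code from the bug report, the Debian package or the PHP project) that does exactly that, and goes one step past a bare self-signed certificate by issuing the server certificate from a small private CA whose `ca-cert.pem` is the file a verifying client hands to the CA argument of mysqli_ssl_set(). The hostname `dbserver.local`, the working directory and all file names are assumptions for the demo; `check_peer_name` performs the same two checks a client with `verify_peer` and `verify_peer_name` enabled performs (chain to the trusted CA, name matches), using `openssl verify -verify_hostname`.

```shell
#!/bin/sh
# Added example: issue a server certificate whose subjectAltName matches
# the hostname clients connect to, then check it the way a verifying TLS
# client would. Hostname, paths and file names are hypothetical.
set -eu

DB_HOST="dbserver.local"              # assumed hostname used in the DSN
WORKDIR="${WORKDIR:-$(mktemp -d)}"    # scratch directory for keys/certs

# Create a private CA. basicConstraints/keyUsage are set explicitly so
# OpenSSL accepts it as a trust anchor without relying on a default config.
gen_ca() {
    cat > "$WORKDIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example internal MySQL CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORKDIR/ca.cnf" \
        -keyout "$WORKDIR/ca-key.pem" -out "$WORKDIR/ca-cert.pem" >/dev/null 2>&1
}

# Issue a server certificate for $1. The name goes into subjectAltName
# (what modern peer_name checks use) and into CN (for clients that only
# look at the CN, as the warning in the bug report does).
gen_server_cert() {
    cat > "$WORKDIR/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $1
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/server.cnf" \
        -keyout "$WORKDIR/server-key.pem" -out "$WORKDIR/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca-cert.pem" -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial \
        -extfile "$WORKDIR/server.cnf" -extensions v3_server \
        -out "$WORKDIR/server-cert.pem" >/dev/null 2>&1
}

# Returns 0 only when the server cert chains to ca-cert.pem AND its name
# matches $1, i.e. the checks a client with verify_peer and
# verify_peer_name enabled performs before it trusts the connection.
check_peer_name() {
    openssl verify -CAfile "$WORKDIR/ca-cert.pem" -verify_hostname "$1" \
        "$WORKDIR/server-cert.pem" >/dev/null 2>&1
}

# Demo run: the matching name verifies; "generic-server", the CN from the
# bug report's warning, is rejected just as the client rejected it.
gen_ca
gen_server_cert "$DB_HOST"
if check_peer_name "$DB_HOST"; then
    echo "peer name $DB_HOST verified against $WORKDIR/ca-cert.pem"
fi
if check_peer_name "generic-server"; then
    echo "unexpected: generic-server matched"
else
    echo "generic-server rejected, as a verifying client would do"
fi
```

Install `server-cert.pem` and `server-key.pem` on the MySQL server, distribute only `ca-cert.pem` to clients, and leave `verify_peer`/`verify_peer_name` at their defaults; if the client must connect to a single cluster node by a different name, add that name as another `DNS:` entry in the subjectAltName rather than disabling the check.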