[php-maint] Bug#797799: Bug#797799: php5-mysqlnd: (Upstream Bug #68344): MySQLi does not provide way to disable peer certificate validation

Ondřej Surý ondrej at sury.org
Wed Sep 2 18:51:01 UTC 2015


Control: tags -1 -security
Control: severity -1 normal

Hi Adam,

is there a problem generating a self-signed certificate that matches
the name of the server? If that's the only problem, it could easily be
solved that way. Also there exists a viable workaround: just install
php5-mysql instead of php5-mysqlnd. Thus I am lowering the severity of
the bug.

Also I am removing security tag because in fact this is not a security
bug since it doesn't lower the security of TLS (quite the opposite).

Cheers,
Ondrej

On Wed, Sep 2, 2015, at 18:19, Adam McKenna wrote:
> Package: php5-mysqlnd
> Version: 5.6.12+dfsg-0+deb8u1
> Severity: important
> Tags: security upstream patch
> 
> https://bugs.php.net/bug.php?id=68344
> 
> Description:
> ------------
> When the MySQLi extension is compiled against mysqlnd there is no method
> to disable peer_name validation. Since MySQL 5.6 now enables peer_name
> validation by DEFAULT those of us connecting to servers with self-signed
> certs via SSL are no longer able to.
> 
> I have tried to signal the default ssl stream context to disable
> peer_name validation but mysqli extension will NOT honor it.
> 
> If the remote-server's name does not match the name you are connecting to
> (as in, for example, a mysql cluster and connecting to a single node
> directly) you will not be able to connect at all in any way shape or form
> with mysqli.  -- The old mysql extension is not affected by this change
> as it honors the my.cnf mysql client's validation settings.
> 
> Test script:
> ---------------
> <?php
> 
> stream_context_set_default(array(
>         'ssl'   => array(
>                 'peer_name' => 'generic-server',
>                 'verify_peer' => FALSE,
>                 'verify_peer_name' => FALSE,
>                 'allow_self_signed' => TRUE,
>         ),
> ));
> 
> $mysqli = mysqli_init();
> mysqli_ssl_set($mysqli, "/etc/pki/mysql/client.key", "/etc/pki/mysql/client.crt", "/etc/pki/mysql/ca-cert.pem", NULL, NULL);
> $conn = mysqli_real_connect($mysqli, 'dbserver.local', 'test', 'test1234', '', NULL, '', MYSQLI_CLIENT_SSL);
> var_dump($conn);
> 
> ?>
> 
> 
> Expected result:
> ----------------
> I expect to be able to disable peer_name validation for those situations
> where the certificate name can't possibly be verified (i.e. self-signed
> certs) and be able to connect to the mysql server.
> 
> Actual result:
> --------------
> MySQLi will NOT connect to mysql server and throws 4 warnings:
> 
> Warning: mysqli_real_connect(): Peer certificate CN=`generic-server' did
> not match expected CN=`dbserver.local'
> Warning: mysqli_real_connect(): Cannot connect to MySQL by using SSL
> Warning: mysqli_real_connect(): [2002]  (trying to connect via
> tcp://dbserver.local:3306)
> Warning: mysqli_real_connect(): (HY000/2002):
> 
> Patch:
> 
> ; obey few default context options
> ; https://bugs.php.net/bug.php?id=68344
> diff -urbB php-5.6.12/ext/mysqlnd/mysqlnd_net.c
> php-5.6.12/ext/mysqlnd/mysqlnd_net.c
> --- php-5.6.12/ext/mysqlnd/mysqlnd_net.c        2015-08-06
> 09:55:57.000000000 +0200
> +++ php-5.6.12/ext/mysqlnd/mysqlnd_net.c        2015-08-10
> 13:25:30.187912101 +0200
> @@ -29,6 +29,7 @@
>  #include "mysqlnd_ext_plugin.h"
>  #include "php_network.h"
>  #include "zend_ini.h"
> +#include "ext/standard/file.h"
>  #ifdef MYSQLND_COMPRESSION_ENABLED
>  #include <zlib.h>
>  #endif
> @@ -868,6 +868,21 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(
>  		DBG_RETURN(FAIL);
>  	}
>  
> +       if (FG(default_context)) {
> +               zval **tmpzval = NULL;
> +               int i = 0;
> +               /* copy values from default stream settings */
> +               char *opts[] = { "allow_self_signed", "cafile", "capath",
> "ciphers", "CN_match",
> +                       "disable_compression", "local_cert", "local_pk",
> "no_ticket", "passphrase",
> +                       "peer_fingerprint", "peer_name", "SNI_enabled",
> "SNI_server_certs", "SNI_server_name",
> +                       "verify_depth", "verify_peer",
> "verify_peer_name", NULL };
> +               while (opts[i]) {
> +                       if
> (php_stream_context_get_option(FG(default_context), "ssl", opts[i],
> &tmpzval) == SUCCESS)
> +                               php_stream_context_set_option(context,
> "ssl", opts[i], *tmpzval);
> +                       i++;
> +               }
> +       }
> +
>  	if (net->data->options.ssl_key) {
>  		zval key_zval;
>  		ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
> 
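Review bot: the loop copies `verify_peer`, `verify_peer_name` and `allow_self_signed` from the process-wide default stream context into every mysqlnd TLS connection, so a `stream_context_set_default()` call made anywhere in the application (for an unrelated HTTPS stream, say) silently disables certificate validation for the database link too; a per-connection switch passed through the mysqli API would be safer than inheriting globals, and the new behaviour needs a documentation/NEWS note either way. Two style points: the added lines are indented with spaces while the surrounding code (`DBG_RETURN(FAIL);`) uses tabs, and `opts` holds string literals so it should be `const char *opts[]`.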
> -- Package-specific info:
> ==== Additional PHP 5 information ====
> 
> ++++ PHP 5 SAPI (php5query -S): ++++
> fpm
> cli
> 
> ++++ PHP 5 Extensions (php5query -M -v): ++++
> pdo (Enabled for fpm by maintainer script)
> pdo (Enabled for cli by maintainer script)
> readline (Enabled for fpm by maintainer script)
> readline (Enabled for cli by maintainer script)
> pdo_mysql (Enabled for fpm by maintainer script)
> pdo_mysql (Enabled for cli by maintainer script)
> json (Enabled for fpm by maintainer script)
> json (Enabled for cli by maintainer script)
> memcached (Enabled for fpm by local administrator)
> memcached (Enabled for cli by local administrator)
> mysqli (Enabled for fpm by maintainer script)
> mysqli (Enabled for cli by maintainer script)
> opcache (Enabled for fpm by maintainer script)
> opcache (Enabled for cli by maintainer script)
> mysql (Enabled for fpm by maintainer script)
> mysql (Enabled for cli by maintainer script)
> curl (Enabled for fpm by maintainer script)
> curl (Enabled for cli by maintainer script)
> mysqlnd (Enabled for fpm by maintainer script)
> mysqlnd (Enabled for cli by maintainer script)
> redis (Enabled for fpm by maintainer script)
> redis (Enabled for cli by maintainer script)
> 
> ++++ Configuration files: ++++
> **** /etc/php5/mods-available/mysqlnd.ini ****
> extension=mysqlnd.so
> 
> **** /etc/php5/mods-available/mysql.ini ****
> extension=mysql.so
> 
> **** /etc/php5/mods-available/mysqli.ini ****
> extension=mysqli.so
> 
> **** /etc/php5/mods-available/pdo_mysql.ini ****
> extension=pdo_mysql.so
> 
> 
> -- System Information:
> Debian Release: 8.1
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> 


-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
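As an added example (not part of this thread) of the approach suggested above, the script below produces a self-signed server certificate whose subject CN and subjectAltName both equal the host name the client connects with, then checks which names a verifier would accept and that the certificate validates when the same file is trusted as the CA (which is what passing it as the CA argument to mysqli_ssl_set() does). It assumes the openssl CLI is installed; the host name and output directory are constructed placeholders.

```shell
#!/bin/sh
# Self-signed server certificate matching the connect name, so PHP's
# peer_name check passes without turning off verify_peer/verify_peer_name.
# Assumes the openssl CLI is available; host/dir values are placeholders.
set -e

make_server_cert() {
    # $1 = host name clients will connect to (must match what mysqli is given)
    # $2 = output directory for key, certificate and the temporary config
    host="$1"; dir="$2"
    mkdir -p "$dir"
    # Minimal req config: CN and a DNS SAN, both set to the host name.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = san
prompt = no
[dn]
CN = $host
[san]
subjectAltName = DNS:$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/san.cnf" \
        -keyout "$dir/server-key.pem" -out "$dir/server-cert.pem" >/dev/null 2>&1
}

# Print the DNS names a hostname check would accept for the certificate in $1:
# SAN entries first (checked first by PHP's stream layer), then the subject CN.
cert_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*DNS:\([^,[:space:]]*\).*/\1/p'
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Exit status 0 when certificate $1 chains to the trust file $2.
# For a self-signed server certificate, $1 and $2 are the same file.
cert_verifies_with_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Point mysqli_ssl_set()'s CA argument at server-cert.pem and connect to the same host name that appears in the certificate; verification then succeeds without any of the verify_* options being relaxed.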