[php-maint] Bug#797799: Bug#797799: php5-mysqlnd: (Upstream Bug #68344): MySQLi does not provide way to disable peer certificate validation

Adam M flound1129 at gmail.com
Wed Sep 2 20:48:22 UTC 2015


Unfortunately it's not quite that simple.  I recommend reading all of the
comments on the bug page.  This is a major issue and it's been going on for
over a year.

A single hostname will never work for a MySQL cluster where the clients
need to connect to different nodes with different names.

Even if you aren't using a cluster, making the hostname match doesn't
appear to work, possibly due to changes in either PHP or OpenSSL since the
bug was filed.  I dicked around for several hours generating new
certificates, making sure they all matched up to hostnames (both client and
server) and even adding my CA Cert to the keystore.  Nothing worked.  I
eventually recompiled PHP with the patch.

It *is* a security bug, because it forces people who do not have either the
patience or the knowledge to recompile the package with the patch to turn
off SSL between their web and DB server.  The other option is to downgrade
PHP to an earlier version which also has security implications.



On Wed, Sep 2, 2015 at 11:51 AM, Ondřej Surý <ondrej at sury.org> wrote:

> Control: tags -1 -security
> Control: severity -1 normal
>
> Hi Adam,
>
> is there a problem to generate a self-signed certificate that matches
> the name of the server? If that's the only problem it could be easily
> solved by that. Also there exists a viable workaround, just install
> php5-mysql instead of php5-mysqlnd, thus I am lowering the severity of
> the bug.
>
> Also I am removing security tag because in fact this is not a security
> bug since it doesn't lower the security of TLS (quite the opposite).
>
> Cheers,
> Ondrej
>
> On Wed, Sep 2, 2015, at 18:19, Adam McKenna wrote:
> > Package: php5-mysqlnd
> > Version: 5.6.12+dfsg-0+deb8u1
> > Severity: important
> > Tags: security upstream patch
> >
> > https://bugs.php.net/bug.php?id=68344
> >
> > Description:
> > ------------
> > When the MySQLi extension is compiled against mysqlnd there is no method
> > to disable peer_name validation. Since MySQL 5.6 now enables peer_name
> > validation by DEFAULT those of us connecting to servers with self-signed
> > certs via SSL are no longer able to.
> >
> > I have tried to signal the default ssl stream context to disable
> > peer_name validation but mysqli extension will NOT honor it.
> >
> > If the remote-server's name does not match the name you are connecting to
> > (as in, for example, a mysql cluster and connecting to a single node
> > directly) you will not be able to connect at all in any way shape or form
> > with mysqli.  -- The old mysql extension is not affected by this change
> > as it honors the my.cnf mysql client's validation settings.
> >
> > Test script:
> > ---------------
> > <?php
> >
> > stream_context_set_default(array(
> >         'ssl'   => array(
> >                 'peer_name' => 'generic-server',
> >                 'verify_peer' => FALSE,
> >                 'verify_peer_name' => FALSE,
> >                 'allow_self_signed' => TRUE,
> >         ),
> > ));
> >
> > $mysqli = mysqli_init();
> > mysqli_ssl_set($mysqli, "/etc/pki/mysql/client.key", "/etc/pki/mysql/client.crt", "/etc/pki/mysql/ca-cert.pem", NULL, NULL);
> > $conn = mysqli_real_connect($mysqli, 'dbserver.local', 'test', 'test1234', '', NULL, '', MYSQLI_CLIENT_SSL);
> > var_dump($conn);
> >
> > ?>
> >
> >
> > Expected result:
> > ----------------
> > I expect to be able to disable peer_name validation for those situations
> > where the certificate name can't possibly be verified (i.e. self-signed
> > certs) and be able to connect to the mysql server.
> >
> > Actual result:
> > --------------
> > MySQLi will NOT connect to mysql server and throws 4 warnings:
> >
> > Warning: mysqli_real_connect(): Peer certificate CN=`generic-server' did
> > not match expected CN=`dbserver.local'
> > Warning: mysqli_real_connect(): Cannot connect to MySQL by using SSL
> > Warning: mysqli_real_connect(): [2002]  (trying to connect via
> > tcp://dbserver.local:3306)
> > Warning: mysqli_real_connect(): (HY000/2002):
> >
> > Patch:
> >
> > ; obey few default context options
> > ; https://bugs.php.net/bug.php?id=68344
> > diff -urbB php-5.6.12/ext/mysqlnd/mysqlnd_net.c
> > php-5.6.12/ext/mysqlnd/mysqlnd_net.c
> > --- php-5.6.12/ext/mysqlnd/mysqlnd_net.c        2015-08-06
> > 09:55:57.000000000 +0200
> > +++ php-5.6.12/ext/mysqlnd/mysqlnd_net.c        2015-08-10
> > 13:25:30.187912101 +0200
> > @@ -29,6 +29,7 @@
> >  #include "mysqlnd_ext_plugin.h"
> >  #include "php_network.h"
> >  #include "zend_ini.h"
> > +#include "ext/standard/file.h"
> >  #ifdef MYSQLND_COMPRESSION_ENABLED
> >  #include <zlib.h>
> >  #endif
> > @@ -868,6 +868,21 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(
> >               DBG_RETURN(FAIL);
> >       }
> >
> > +       if (FG(default_context)) {
> > +               zval **tmpzval = NULL;
> > +               int i = 0;
> > +               /* copy values from default stream settings */
> > +               char *opts[] = { "allow_self_signed", "cafile", "capath",
> > "ciphers", "CN_match",
> > +                       "disable_compression", "local_cert", "local_pk",
> > "no_ticket", "passphrase",
> > +                       "peer_fingerprint", "peer_name", "SNI_enabled",
> > "SNI_server_certs", "SNI_server_name",
> > +                       "verify_depth", "verify_peer",
> > "verify_peer_name", NULL };
> > +               while (opts[i]) {
> > +                       if
> > (php_stream_context_get_option(FG(default_context), "ssl", opts[i],
> > &tmpzval) == SUCCESS)
> > +                               php_stream_context_set_option(context,
> > "ssl", opts[i], *tmpzval);
> > +                       i++;
> > +               }
> > +       }
> > +
> >       if (net->data->options.ssl_key) {
> >               zval key_zval;
> >               ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
> >
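Review bot: the option list copied in this hunk includes "verify_peer", "verify_peer_name" and "allow_self_signed", so any stream_context_set_default() call made elsewhere in the process (for an unrelated HTTP or socket stream, for instance) now silently relaxes certificate validation for every mysqlnd connection, with no mysqli-level opt-in and no log line saying it happened. A dedicated mysqli option or connect flag would keep the relaxation explicit and per-connection; at minimum the behaviour should be documented next to mysqli_ssl_set(). Two smaller points: because the copy runs before the existing `if (net->data->options.ssl_key)` block, values given via mysqli_ssl_set() still override "local_cert", "local_pk" and "cafile" taken from the default context, which is the right precedence and worth a comment; and "CN_match" is the pre-5.6 spelling of "peer_name", so carrying both into a 5.6 tree is redundant.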
> > -- Package-specific info:
> > ==== Additional PHP 5 information ====
> >
> > ++++ PHP 5 SAPI (php5query -S): ++++
> > fpm
> > cli
> >
> > ++++ PHP 5 Extensions (php5query -M -v): ++++
> > pdo (Enabled for fpm by maintainer script)
> > pdo (Enabled for cli by maintainer script)
> > readline (Enabled for fpm by maintainer script)
> > readline (Enabled for cli by maintainer script)
> > pdo_mysql (Enabled for fpm by maintainer script)
> > pdo_mysql (Enabled for cli by maintainer script)
> > json (Enabled for fpm by maintainer script)
> > json (Enabled for cli by maintainer script)
> > memcached (Enabled for fpm by local administrator)
> > memcached (Enabled for cli by local administrator)
> > mysqli (Enabled for fpm by maintainer script)
> > mysqli (Enabled for cli by maintainer script)
> > opcache (Enabled for fpm by maintainer script)
> > opcache (Enabled for cli by maintainer script)
> > mysql (Enabled for fpm by maintainer script)
> > mysql (Enabled for cli by maintainer script)
> > curl (Enabled for fpm by maintainer script)
> > curl (Enabled for cli by maintainer script)
> > mysqlnd (Enabled for fpm by maintainer script)
> > mysqlnd (Enabled for cli by maintainer script)
> > redis (Enabled for fpm by maintainer script)
> > redis (Enabled for cli by maintainer script)
> >
> > ++++ Configuration files: ++++
> > **** /etc/php5/mods-available/mysqlnd.ini ****
> > extension=mysqlnd.so
> >
> > **** /etc/php5/mods-available/mysql.ini ****
> > extension=mysql.so
> >
> > **** /etc/php5/mods-available/mysqli.ini ****
> > extension=mysqli.so
> >
> > **** /etc/php5/mods-available/pdo_mysql.ini ****
> > extension=pdo_mysql.so
> >
> >
> > -- System Information:
> > Debian Release: 8.1
> >   APT prefers stable-updates
> >   APT policy: (500, 'stable-updates'), (500, 'stable')
> > Architecture: amd64 (x86_64)
> >
> > Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> > Init: systemd (via /run/systemd/system)
> >
> > Versions of packages php5-mysqlnd depends on:
> > ii  libc6                          2.19-18
> > ii  php5-common [phpapi-20131226]  5.6.12+dfsg-0+deb8u1
> > ii  ucf                            3.0030
> >
> > php5-mysqlnd recommends no packages.
> >
> > php5-mysqlnd suggests no packages.
> >
> > Versions of packages php5-common depends on:
> > ii  libc6   2.19-18
> > ii  lsof    4.86+dfsg-1
> > ii  psmisc  22.21-2
> > ii  sed     4.2.2-4+b1
> > ii  ucf     3.0030
> >
> > Versions of packages php5-common suggests:
> > pn  php5-user-cache  <none>
> >
> > Versions of packages php5-cli depends on:
> > ii  libbz2-1.0        1.0.6-7+b3
> > ii  libc6             2.19-18
> > ii  libcomerr2        1.42.12-1.1
> > ii  libdb5.3          5.3.28-9
> > ii  libedit2          3.1-20140620-2
> > ii  libgssapi-krb5-2  1.12.1+dfsg-19
> > ii  libk5crypto3      1.12.1+dfsg-19
> > ii  libkrb5-3         1.12.1+dfsg-19
> > ii  libmagic1         1:5.22+15-2
> > ii  libonig2          5.9.5-3.2
> > ii  libpcre3          2:8.35-3.3
> > ii  libqdbm14         1.8.78-5+b1
> > ii  libssl1.0.0       1.0.1k-3+deb8u1
> > ii  libxml2           2.9.1+dfsg1-5
> > ii  mime-support      3.58
> > ii  php5-common       5.6.12+dfsg-0+deb8u1
> > ii  php5-json         1.3.6-1
> > ii  tzdata            2015f-0+deb8u1
> > ii  ucf               3.0030
> > ii  zlib1g            1:1.2.8.dfsg-2+b1
> >
> > Versions of packages php5-cli recommends:
> > ii  php5-readline  5.6.12+dfsg-0+deb8u1
> >
> > Versions of packages php5-cli suggests:
> > pn  php-pear  <none>
> >
> > Versions of packages php5-fpm depends on:
> > ii  init-system-helpers  1.22
> > ii  libapparmor1         2.9.0-3
> > ii  libbz2-1.0           1.0.6-7+b3
> > ii  libc6                2.19-18
> > ii  libcomerr2           1.42.12-1.1
> > ii  libdb5.3             5.3.28-9
> > ii  libgssapi-krb5-2     1.12.1+dfsg-19
> > ii  libk5crypto3         1.12.1+dfsg-19
> > ii  libkrb5-3            1.12.1+dfsg-19
> > ii  libmagic1            1:5.22+15-2
> > ii  libonig2             5.9.5-3.2
> > ii  libpcre3             2:8.35-3.3
> > ii  libqdbm14            1.8.78-5+b1
> > ii  libssl1.0.0          1.0.1k-3+deb8u1
> > ii  libsystemd0          215-17+deb8u1
> > ii  libxml2              2.9.1+dfsg1-5
> > ii  mime-support         3.58
> > ii  php5-cli             5.6.12+dfsg-0+deb8u1
> > ii  php5-common          5.6.12+dfsg-0+deb8u1
> > ii  php5-json            1.3.6-1
> > ii  tzdata               2015f-0+deb8u1
> > ii  ucf                  3.0030
> > ii  zlib1g               1:1.2.8.dfsg-2+b1
> >
> > Versions of packages php5-fpm suggests:
> > pn  php-pear  <none>
> >
> > -- no debconf information
> >
> > _______________________________________________
> > pkg-php-maint mailing list
> > pkg-php-maint at lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
>
>
> --
> Ondřej Surý <ondrej at sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
>
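For comparison with the test script above, the following is an added example (not from the bug report, the Debian package or the patch) of the connection pattern the maintainer is arguing for: the server certificate is verified against a CA and the hostname, and the script then confirms that the session really negotiated a cipher rather than trusting MYSQLI_CLIENT_SSL alone. Host, credentials, database and the CA path are placeholders; the server certificate is assumed to chain to that CA with a CN or SAN matching the host given to mysqli_real_connect().

```php
<?php
// Added example, not part of the original thread. Connect through
// mysqli/mysqlnd with CA-verified TLS and refuse to use the link unless
// the server actually negotiated a cipher. All names below are placeholders.

function connect_mysql_tls($host, $user, $pass, $db, $cafile)
{
    // mysqli reports TLS failures as warnings (see the four warnings in the
    // bug report); turn them into exceptions so a failed handshake can never
    // be mistaken for a working connection.
    set_error_handler(function ($errno, $errstr) {
        throw new RuntimeException($errstr);
    });
    try {
        $m = mysqli_init();
        // Only a CA file is given: the server certificate must chain to it and
        // its CN/SAN must match $host, which is exactly the check behind the
        // "Peer certificate CN=... did not match expected CN=..." warning.
        mysqli_ssl_set($m, null, null, $cafile, null, null);
        if (!mysqli_real_connect($m, $host, $user, $pass, $db, 3306, null,
                                 MYSQLI_CLIENT_SSL)) {
            throw new RuntimeException('connect failed: ' . mysqli_connect_error());
        }
    } finally {
        restore_error_handler();
    }

    // MYSQLI_CLIENT_SSL only requests TLS; ask the server which cipher is in
    // use and abort if the answer is empty, i.e. the session is plaintext.
    $res = $m->query("SHOW STATUS LIKE 'Ssl_cipher'");
    $row = $res ? $res->fetch_assoc() : null;
    if (empty($row['Value'])) {
        $m->close();
        throw new RuntimeException('connection to ' . $host . ' is not encrypted');
    }
    return $m;
}

// Placeholder host, credentials and CA path.
$link = connect_mysql_tls('dbserver.local', 'app', 'app-password', 'appdb',
                          '/etc/pki/mysql/ca-cert.pem');
$row = $link->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
printf("connected, TLS cipher: %s\n", $row['Value']);
$link->close();
```

Needs a reachable MySQL server; with a certificate whose name does not match the host, the script stops at the exception carrying the same "did not match expected CN" text quoted in the bug report instead of falling back to plaintext.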


