[Secure-testing-team] Bug#797799: php5-mysqlnd: (Upstream Bug #68344): MySQLi does not provide way to disable peer certificate validation
Adam McKenna
flound1129 at gmail.com
Wed Sep 2 16:19:25 UTC 2015
Package: php5-mysqlnd
Version: 5.6.12+dfsg-0+deb8u1
Severity: important
Tags: security upstream patch
https://bugs.php.net/bug.php?id=68344
Description:
------------
When the MySQLi extension is compiled against mysqlnd there is no method to disable peer_name validation. Since MySQL 5.6 now enables peer_name validation by DEFAULT, those of us connecting to servers with self-signed certs via SSL are no longer able to.
I have tried to signal the default ssl stream context to disable peer_name validation but the mysqli extension will NOT honor it.
If the remote server's name does not match the name you are connecting to (as in, for example, a mysql cluster and connecting to a single node directly) you will not be able to connect at all in any way, shape or form with mysqli. -- The old mysql extension is not affected by this change as it honors the my.cnf mysql client's validation settings.
Test script:
---------------
<?php
/* Relax validation on the process-wide default stream context;
 * mysqlnd is expected (but fails) to pick these options up. */
stream_context_set_default(array(
    'ssl' => array(
        'peer_name'         => 'generic-server',
        'verify_peer'       => FALSE,
        'verify_peer_name'  => FALSE,
        'allow_self_signed' => TRUE,
    ),
));
$mysqli = mysqli_init();
/* client key, client cert, CA cert, capath, cipher list */
mysqli_ssl_set($mysqli, "/etc/pki/mysql/client.key", "/etc/pki/mysql/client.crt", "/etc/pki/mysql/ca-cert.pem", NULL, NULL);
$conn = mysqli_real_connect($mysqli, 'dbserver.local', 'test', 'test1234', '', NULL, '', MYSQLI_CLIENT_SSL);
var_dump($conn);
?>
Expected result:
----------------
I expect to be able to disable peer_name validation for those situations where the certificate name can't possibly be verified (i.e. self-signed certs) and be able to connect to the mysql server.
Actual result:
--------------
MySQLi will NOT connect to mysql server and throws 4 warnings:
Warning: mysqli_real_connect(): Peer certificate CN=`generic-server' did not match expected CN=`dbserver.local'
Warning: mysqli_real_connect(): Cannot connect to MySQL by using SSL
Warning: mysqli_real_connect(): [2002] (trying to connect via tcp://dbserver.local:3306)
Warning: mysqli_real_connect(): (HY000/2002):
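A narrower alternative to the test script above, written as an added example and not code from the bug report: keep chain and hostname verification switched on and only pin peer_name to the CN the cluster node's certificate actually presents, then confirm the session really negotiated TLS. It assumes mysqlnd honours the default stream context (i.e. the patch in this report is applied); the hostname, credentials, paths and CN are placeholders taken from the report.

```php
<?php
// Added example (not part of the bug report). Instead of switching
// verify_peer / verify_peer_name off for every stream in the process,
// keep validation on and tell PHP which name the node's cert carries.
// Assumes the patch in this report is applied so mysqlnd reads these options.

// CN the node's certificate really has (constructed value from the report).
$expectedPeerName = 'generic-server';

stream_context_set_default(array(
    'ssl' => array(
        'verify_peer'       => TRUE,               // chain must validate against cafile
        'verify_peer_name'  => TRUE,               // name is still checked ...
        'peer_name'         => $expectedPeerName,  // ... against the CN the node presents
        'allow_self_signed' => FALSE,              // a self-signed cert passes only if it is in cafile
        'cafile'            => '/etc/pki/mysql/ca-cert.pem',
        'verify_depth'      => 3,
    ),
));

$mysqli = mysqli_init();
mysqli_ssl_set($mysqli, '/etc/pki/mysql/client.key', '/etc/pki/mysql/client.crt',
               '/etc/pki/mysql/ca-cert.pem', NULL, NULL);
$ok = mysqli_real_connect($mysqli, 'dbserver.local', 'test', 'test1234', '',
                          NULL, '', MYSQLI_CLIENT_SSL);
if (!$ok) {
    fwrite(STDERR, "connect failed: " . mysqli_connect_error() . "\n");
    exit(1);
}

// MYSQLI_CLIENT_SSL alone does not prove the link is encrypted; ask the server.
$res = $mysqli->query("SHOW STATUS LIKE 'Ssl_cipher'");
$row = $res ? $res->fetch_assoc() : null;
if ($row === null || $row['Value'] === '') {
    fwrite(STDERR, "connection is NOT using TLS, refusing to continue\n");
    exit(1);
}
echo "TLS cipher in use: {$row['Value']}\n";
```

If the node's certificate carries a different CN on each cluster member, set peer_name per node rather than disabling verify_peer_name, which would also silence name checks for every other SSL stream in the process.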
Patch:
; obey few default context options
; https://bugs.php.net/bug.php?id=68344
diff -urbB php-5.6.12/ext/mysqlnd/mysqlnd_net.c php-5.6.12/ext/mysqlnd/mysqlnd_net.c
--- php-5.6.12/ext/mysqlnd/mysqlnd_net.c 2015-08-06 09:55:57.000000000 +0200
+++ php-5.6.12/ext/mysqlnd/mysqlnd_net.c 2015-08-10 13:25:30.187912101 +0200
@@ -29,6 +29,7 @@
#include "mysqlnd_ext_plugin.h"
#include "php_network.h"
#include "zend_ini.h"
+#include "ext/standard/file.h"
#ifdef MYSQLND_COMPRESSION_ENABLED
#include <zlib.h>
#endif
@@ -868,6 +868,21 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(
DBG_RETURN(FAIL);
}
+ if (FG(default_context)) {
+ zval **tmpzval = NULL;
+ int i = 0;
+ /* copy values from default stream settings */
+ char *opts[] = { "allow_self_signed", "cafile", "capath", "ciphers", "CN_match",
+ "disable_compression", "local_cert", "local_pk", "no_ticket", "passphrase",
+ "peer_fingerprint", "peer_name", "SNI_enabled", "SNI_server_certs", "SNI_server_name",
+ "verify_depth", "verify_peer", "verify_peer_name", NULL };
+ while (opts[i]) {
+ if (php_stream_context_get_option(FG(default_context), "ssl", opts[i], &tmpzval) == SUCCESS)
+ php_stream_context_set_option(context, "ssl", opts[i], *tmpzval);
+ i++;
+ }
+ }
+
if (net->data->options.ssl_key) {
zval key_zval;
ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
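Review bot: copying verify_peer, verify_peer_name and allow_self_signed out of FG(default_context) means any script that relaxes the process-wide default context for some unrelated stream silently disables certificate and hostname checking for every mysqlnd connection too, with nothing at the mysqli_ssl_set()/mysqli_real_connect() call site to show it. Consider restricting the opts[] list to the options this bug actually needs (peer_name, verify_peer_name, cafile, capath, verify_depth) or sourcing them from a mysqli-specific setting instead of the global default; SNI_server_certs in that list is a server-side option with no meaning on a client connection. Also give the braceless `if (php_stream_context_get_option(...) == SUCCESS)` inside the while loop braces, per the PHP C coding standard. The placement before `if (net->data->options.ssl_key)` is right, since the explicit mysqli_ssl_set() values then override the copied defaults.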
-- Package-specific info:
==== Additional PHP 5 information ====
++++ PHP 5 SAPI (php5query -S): ++++
fpm
cli
++++ PHP 5 Extensions (php5query -M -v): ++++
pdo (Enabled for fpm by maintainer script)
pdo (Enabled for cli by maintainer script)
readline (Enabled for fpm by maintainer script)
readline (Enabled for cli by maintainer script)
pdo_mysql (Enabled for fpm by maintainer script)
pdo_mysql (Enabled for cli by maintainer script)
json (Enabled for fpm by maintainer script)
json (Enabled for cli by maintainer script)
memcached (Enabled for fpm by local administrator)
memcached (Enabled for cli by local administrator)
mysqli (Enabled for fpm by maintainer script)
mysqli (Enabled for cli by maintainer script)
opcache (Enabled for fpm by maintainer script)
opcache (Enabled for cli by maintainer script)
mysql (Enabled for fpm by maintainer script)
mysql (Enabled for cli by maintainer script)
curl (Enabled for fpm by maintainer script)
curl (Enabled for cli by maintainer script)
mysqlnd (Enabled for fpm by maintainer script)
mysqlnd (Enabled for cli by maintainer script)
redis (Enabled for fpm by maintainer script)
redis (Enabled for cli by maintainer script)
++++ Configuration files: ++++
**** /etc/php5/mods-available/mysqlnd.ini ****
extension=mysqlnd.so
**** /etc/php5/mods-available/mysql.ini ****
extension=mysql.so
**** /etc/php5/mods-available/mysqli.ini ****
extension=mysqli.so
**** /etc/php5/mods-available/pdo_mysql.ini ****
extension=pdo_mysql.so
-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages php5-mysqlnd depends on:
ii libc6 2.19-18
ii php5-common [phpapi-20131226] 5.6.12+dfsg-0+deb8u1
ii ucf 3.0030
php5-mysqlnd recommends no packages.
php5-mysqlnd suggests no packages.
Versions of packages php5-common depends on:
ii libc6 2.19-18
ii lsof 4.86+dfsg-1
ii psmisc 22.21-2
ii sed 4.2.2-4+b1
ii ucf 3.0030
Versions of packages php5-common suggests:
pn php5-user-cache <none>
Versions of packages php5-cli depends on:
ii libbz2-1.0 1.0.6-7+b3
ii libc6 2.19-18
ii libcomerr2 1.42.12-1.1
ii libdb5.3 5.3.28-9
ii libedit2 3.1-20140620-2
ii libgssapi-krb5-2 1.12.1+dfsg-19
ii libk5crypto3 1.12.1+dfsg-19
ii libkrb5-3 1.12.1+dfsg-19
ii libmagic1 1:5.22+15-2
ii libonig2 5.9.5-3.2
ii libpcre3 2:8.35-3.3
ii libqdbm14 1.8.78-5+b1
ii libssl1.0.0 1.0.1k-3+deb8u1
ii libxml2 2.9.1+dfsg1-5
ii mime-support 3.58
ii php5-common 5.6.12+dfsg-0+deb8u1
ii php5-json 1.3.6-1
ii tzdata 2015f-0+deb8u1
ii ucf 3.0030
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages php5-cli recommends:
ii php5-readline 5.6.12+dfsg-0+deb8u1
Versions of packages php5-cli suggests:
pn php-pear <none>
Versions of packages php5-fpm depends on:
ii init-system-helpers 1.22
ii libapparmor1 2.9.0-3
ii libbz2-1.0 1.0.6-7+b3
ii libc6 2.19-18
ii libcomerr2 1.42.12-1.1
ii libdb5.3 5.3.28-9
ii libgssapi-krb5-2 1.12.1+dfsg-19
ii libk5crypto3 1.12.1+dfsg-19
ii libkrb5-3 1.12.1+dfsg-19
ii libmagic1 1:5.22+15-2
ii libonig2 5.9.5-3.2
ii libpcre3 2:8.35-3.3
ii libqdbm14 1.8.78-5+b1
ii libssl1.0.0 1.0.1k-3+deb8u1
ii libsystemd0 215-17+deb8u1
ii libxml2 2.9.1+dfsg1-5
ii mime-support 3.58
ii php5-cli 5.6.12+dfsg-0+deb8u1
ii php5-common 5.6.12+dfsg-0+deb8u1
ii php5-json 1.3.6-1
ii tzdata 2015f-0+deb8u1
ii ucf 3.0030
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages php5-fpm suggests:
pn php-pear <none>
-- no debconf information