Sunday, 27 January 2019

Does MySQLi verify server certificates by default when using SSL?

This is how I usually connect to a MySQL database using SSL:

$db = mysqli_init();
mysqli_ssl_set(
    $db,
    NULL,
    NULL,
    '/etc/ssl/my-certs/ssl-ca.crt.pem',
    NULL,
    NULL
);
mysqli_real_connect(
    $db,
    'db.example.com',
    'john',
    '123456',
    NULL,
    NULL,
    NULL,
    MYSQLI_CLIENT_SSL
);

When reading the PHP documentation for mysqli::options, I noticed the existence of the MYSQLI_OPT_SSL_VERIFY_SERVER_CERT option, which I assume is an option to make MySQLi verify the server certificate. Unfortunately, there is no description of MYSQLI_OPT_SSL_VERIFY_SERVER_CERT in the documentation. The existence of this option makes me wonder if I have been connecting to MySQL insecurely. Now I'm wondering if the proper way to connect to MySQL securely is like this:

$db = mysqli_init();
mysqli_options($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);  // <- Attention.
mysqli_ssl_set(
    $db,
    NULL,
    NULL,
    '/etc/ssl/my-certs/ssl-ca.crt.pem',
    NULL,
    NULL
);
mysqli_real_connect(
    $db,
    'db.example.com',
    'john',
    '123456',
    NULL,
    NULL,
    NULL,
    MYSQLI_CLIENT_SSL
);

So, my questions are:

  1. Is MYSQLI_OPT_SSL_VERIFY_SERVER_CERT set to true by default?
  2. What does MYSQLI_OPT_SSL_VERIFY_SERVER_CERT do? (citations please)
  3. What is the proper (secure) way to connect to a remote MySQL database using MySQLi?

(Note: this is a follow-up question on What's the difference between MYSQLI_CLIENT_SSL and MYSQLI_OPT_SSL_VERIFY_SERVER_CERT?)



from Does MySQLi verify server certificates by default when using SSL?

No comments:

Post a Comment