RE: what does the mysqli real connect MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT flag do? How to disable only CN validation?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks, I already saw that from the documentation. I wanted to know what is validation in this context?  Complete verification of the cert, or only CN verification.
Looking at the source it appears this flag disables both, in the underlying php/openssl, plus does something with ALLOW_SELF_SIGNED.

My problem now is:

  1.  Modify the C source code for mysqli to allow setting only the underlying php/openssl VERIFY_NAME only
  2.  Find a way to call the underlying PHP code outside mysqli  using the return value from DB:connect, or the passed in $dsn.  The functions are accessible, but I need to pass a context, and I don’t think $dsn gives me access to the context.  It maybe too late in the sequence of events to change any of that.  I was thinking of doing a context get, and a context set, i

John Wythe
Software & Systems Engineer
Epicor Software Corporation
www.epicor.com<http://www.epicor.com/>
Ph: 250-260-6495
E-Mail: jwythe@xxxxxxxxxx

From: Aziz Saleh <azizsaleh@xxxxxxxxx>
Sent: Wednesday, March 22, 2023 7:36 PM
To: John Wythe <JWythe@xxxxxxxxxx>
Cc: php-db@xxxxxxxxxxxxx
Subject: Re: [PHP-DB] what does the mysqli real connect MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT flag do? How to disable only CN validation?

ATTENTION
This email originated outside of Epicor. Please exercise caution when clicking links, opening attachments, or responding to this email.
That flag uses SSL encryption but disables validation of the provided SSL certificate. This is only for installations using MySQL Native Driver and MySQL 5.6 or later.

On Wed, Mar 22, 2023 at 4:50 PM John Wythe <JWythe@xxxxxxxxxx<mailto:JWythe@xxxxxxxxxx>> wrote:
mysqli_real_connect has a parameter called flags than can be passed to it.  One of the flags in MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT.

What does this flag do?  Does it only disable the CN validation, or does it also disable the certificate validation against a CA authority.

SSL_CONEXT talks about options

peer_name
peer_verify
peer_verify_name

I would like to use these to at least disable only the verify_name part, or maybe even set the peer_name and have both validations turned on.

Seems this context function is only available for streams and not mysqli.

Openssl seems to have the ability to do this, however it does not appear to be exposed via mysqli.  I am guessing the flag above equates to peer verify and not peer_verify_name, or equates to both.

I suppose I could download the source for php_pmysqli, and have a look, would that be the correct package to look at?


John Wythe
Software & Systems Engineer
Epicor Software Corporation
www.epicor.com<http://www.epicor.com/>
Ph: 250-260-6495
TF Support: 800-678-7423
E-Mail: jwythe@xxxxxxxxxx<mailto:jwythe@xxxxxxxxxx>
Support E-Mail: SilkSupport@xxxxxxxxxx<mailto:SilkSupport@xxxxxxxxxx>
Support portal: https://epicorcs.service-now.com/epiccare/
<http://www.epicor.com/services/default.aspx>
 <http://www.epicor.com/services/default.aspx>

[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux