Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Does MySQLi verify server certificates by default when using SSL?

Tags:

php

mysql

ssl

This is how I usually connect to a MySQL database using SSL:

$db = mysqli_init();
mysqli_ssl_set(
    $db,
    NULL,
    NULL,
    '/etc/ssl/my-certs/ssl-ca.crt.pem',
    NULL,
    NULL
);
mysqli_real_connect(
    $db,
    'db.example.com',
    'john',
    '123456',
    NULL,
    NULL,
    NULL,
    MYSQLI_CLIENT_SSL
);

When reading the PHP documentation for mysqli::options, I noticed the existence of the MYSQLI_OPT_SSL_VERIFY_SERVER_CERT option, which I assume is an option to make MySQLi verify the server certificate. Unfortunately, there is no description of MYSQLI_OPT_SSL_VERIFY_SERVER_CERT in the documentation. The existence of this option makes me wonder if I have been connecting to MySQL insecurely. Now I'm wondering if the proper way to connect to MySQL securely is like this:

$db = mysqli_init();
mysqli_options($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);  // <- Attention.
mysqli_ssl_set(
    $db,
    NULL,
    NULL,
    '/etc/ssl/my-certs/ssl-ca.crt.pem',
    NULL,
    NULL
);
mysqli_real_connect(
    $db,
    'db.example.com',
    'john',
    '123456',
    NULL,
    NULL,
    NULL,
    MYSQLI_CLIENT_SSL
);

So, my questions are:

  1. Is MYSQLI_OPT_SSL_VERIFY_SERVER_CERT set to true by default?
  2. What does MYSQLI_OPT_SSL_VERIFY_SERVER_CERT do? (citations please)
  3. What is the proper (secure) way to connect to a remote MySQL database using MySQLi?

(Note: this is a follow-up question on What's the difference between MYSQLI_CLIENT_SSL and MYSQLI_OPT_SSL_VERIFY_SERVER_CERT?)

like image 232
Flux Avatar asked Mar 05 '23 16:03

Flux

1 Answers

Requested answer

The truth is, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT has no effect. It is an unused constant. I just verified this by scanning the source code.

So, your question remains: Are MySQLi connections checking server certificates by default?

Short answer: Yes, they are.

Long answer: Although certificates are not matched against a list of commonly trusted Certificate Authorities, the provided CA (even if self-signed) is still verified on connection establishment to mitigate MITM-attacks.

Answer from engineering perspective

When connecting to a MySQL server, I would not recommend using SSL connections at all, as they add several layers of disadvantages (encryption, bandwidth, decryption, increased memory usage, increased overall roundtrip time). A much better approach is to connect within a trusted local network or use some type of well authenticated SOAP interface to retrieve and manipulate data if the server must be outside a local network by design (in which case the design just seems wrong).

like image 173
Gerald Avatar answered Apr 05 '23 19:04

Gerald
Sign in to Comment

Related questions

Laravel API, the right way to pass multiple objects in one POST request
Is Paypal Checkout Client Integration safe for browser?
php 7.2 finfo magic file
Get user information in Twitter API using bearer token
Why isn't Wordpress' 'save_post_{$post->post_type}' action hook passing the correct number of arguments?
Unexpected namespace behavior with closures
Symfony 4 use Doctrine inside a Service
What are the advantages of storing info on .env files as opposed to .php files?
Limit Words not Characters in Laravel
Message: file_get_contents(sso.json): failed to open stream: No such file or directory
How to access Laravel Nova from the root?
How to display date as label on x-axis in chart.js
Given stream is not seekable In FPDI
Laravel: PHP Parse error: syntax error, unexpected '?' in /vendor/laravel/framework/src/Illuminate/Foundation/helpers.php on line 500
Find unknown array key in php?
How to output a string with new lines in a log file using Monolog?
Is there a faster way to get a value from a JSON array than foreach?
Different recipients based on product category in WooCommerce email notification
Is there a way to access relationship attributes as own in laravel model?
Laravel: How do I validate a date ONLY if the date exists?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!