PHP 5.6, MySQL, SSL and self-signed certificates

Having upgraded to PHP 5.6 lately I have encountered some problems with secure connections to MySQL. This concerns MySQLi as well as PDO.

Here are my settings:

MySQLi:

// key, cert, CA file; 4th arg = CA directory (unset), 5th arg = cipher list (unset)
$db->ssl_set('/etc/mysql/certs/client-key.pem', '/etc/mysql/certs/client-cert.pem', '/etc/mysql/certs/ca-cert.pem', NULL, NULL);

PDO:

array(
 PDO::MYSQL_ATTR_SSL_KEY    => '/path/to/client-key.pem',
 PDO::MYSQL_ATTR_SSL_CERT   => '/path/to/client-cert.pem',
 PDO::MYSQL_ATTR_SSL_CA     => '/path/to/ca-cert.pem'
)

First, I get the error "dh key too small".

Second, I get the error "certificate verify failed".

I'm using a self-signed certificate which was generated with openssl according to this tutorial.

Mel_T asked Jul 15 '15 07:07


1 Answer

After doing some research I found the answers to my problems:

1. Error "dh key too small"

Due to Logjam the DH key size now has to be larger than 768 bits while MySQL's default size is 512 bits. (Note: this will be fixed in MySQL 5.7). You have to provide an appropriate cipher in your connection, e.g. CAMELLIA128-SHA.

MySQLi:

// 5th arg = cipher list; CAMELLIA128-SHA uses RSA key exchange, so no DH parameters are negotiated
$db->ssl_set('/etc/mysql/certs/client-key.pem', '/etc/mysql/certs/client-cert.pem', '/etc/mysql/certs/ca-cert.pem', NULL, 'CAMELLIA128-SHA');

PDO:

array(
 PDO::MYSQL_ATTR_SSL_KEY    => '/path/to/client-key.pem',
 PDO::MYSQL_ATTR_SSL_CERT   => '/path/to/client-cert.pem',
 PDO::MYSQL_ATTR_SSL_CA     => '/path/to/ca-cert.pem',
 // cipher list; CAMELLIA128-SHA uses RSA key exchange, so no DH parameters are negotiated
 PDO::MYSQL_ATTR_SSL_CIPHER => 'CAMELLIA128-SHA'
)

2. Error "certificate verify failed"

When generating your certificates you have to use the right "Common Name" for each one:

CA: hostname 
Server: FQDN, e.g. hostname.example.com 
Client: somename

The important part is the server certificate where the Common Name has to be the same as the host you are connecting to, e.g. hostname.example.com.

Mel_T answered Sep 20 '22 01:09
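The certificate layout described in point 2 of the answer, as an added example that is not part of the original post: a POSIX shell script that generates the CA, server and client certificates with the prescribed Common Names using the openssl CLI, then verifies that the server certificate chains to the CA and that its CN matches the host name a client would connect to. The directory, host names and the client name are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.
set -e

# Generate CA, server and client certificates into $1.
#   $2 = CA Common Name      (the bare host name, e.g. dbhost)
#   $3 = server Common Name  (the FQDN clients connect to, e.g. dbhost.example.com)
#   $4 = client Common Name  (any name distinct from the other two)
# MySQL rejects server/client certificates whose CN equals the CA's CN, which is
# why the answer uses the bare host name for the CA and the FQDN for the server.
gen_mysql_certs() {
    dir=$1; ca_cn=$2; server_cn=$3; client_cn=$4
    [ "$ca_cn" != "$server_cn" ] && [ "$ca_cn" != "$client_cn" ] || return 1
    mkdir -p "$dir"

    # CA: self-signed certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=$ca_cn" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null

    # Server: CSR with CN = FQDN, signed by the CA
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$server_cn" \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$dir/server-req.pem" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" 2>/dev/null

    # Client: same procedure with its own CN
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$client_cn" \
        -keyout "$dir/client-key.pem" -out "$dir/client-req.pem" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$dir/client-req.pem" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/client-cert.pem" 2>/dev/null
}

# Print the Common Name of the certificate in $1 (works with old and new
# openssl subject formats: "subject= /CN=x" and "subject=CN = x").
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the server certificate in $1 chains to ca-cert.pem AND its
# CN equals $2, the host name the client connects to. A mismatch here is the
# "certificate verify failed" situation the answer describes.
verify_server_cert() {
    dir=$1; expect_cn=$2
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    [ "$(cert_cn "$dir/server-cert.pem")" = "$expect_cn" ]
}

# Stand-alone usage (hypothetical names):
#   d=$(mktemp -d)
#   gen_mysql_certs "$d" dbhost dbhost.example.com phpclient
#   verify_server_cert "$d" dbhost.example.com && echo "server cert OK for dbhost.example.com"
#   verify_server_cert "$d" other.example.com  || echo "CN mismatch: client would fail verification"
```

openssl verify only checks the chain; the CN comparison in verify_server_cert is the host-name check a client performs, so the script fails exactly when the connection would. Point the PDO/MySQLi settings from the answer at client-key.pem, client-cert.pem and ca-cert.pem in the generated directory, and connect to the server using the FQDN given as the server CN, not an IP or a short alias.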