Package: php5-mysqlnd
Version: 5.6.12+dfsg-0+deb8u1
Severity: important
Tags: security upstream patch
https://bugs.php.net/bug.php?id=68344

Description:
------------
When the MySQLi extension is compiled against mysqlnd there is no method to disable peer_name validation. Since MySQL 5.6 now enables peer_name validation by DEFAULT, those of us connecting to servers with self-signed certs via SSL are no longer able to. I have tried to signal the default ssl stream context to disable peer_name validation but the mysqli extension will NOT honor it.

If the remote server's name does not match the name you are connecting to (as in, for example, a mysql cluster and connecting to a single node directly) you will not be able to connect at all in any way, shape or form with mysqli.

-- The old mysql extension is not affected by this change as it honors the my.cnf mysql client's validation settings.

Test script:
---------------
<?php
stream_context_set_default(array(
    'ssl' => array(
        'peer_name'         => 'generic-server',
        'verify_peer'       => FALSE,
        'verify_peer_name'  => FALSE,
        'allow_self_signed' => TRUE,
    ),
));
$mysqli = mysqli_init();
mysqli_ssl_set($mysqli, "/etc/pki/mysql/client.key", "/etc/pki/mysql/client.crt", "/etc/pki/mysql/ca-cert.pem", NULL, NULL);
$conn = mysqli_real_connect($mysqli, 'dbserver.local', 'test', 'test1234', '', NULL, '', MYSQLI_CLIENT_SSL);
var_dump($conn);
?>

Expected result:
----------------
I expect to be able to disable peer_name validation for those situations where the certificate name can't possibly be verified (i.e. self-signed certs) and be able to connect to the mysql server.
Actual result: -------------- MySQLi will NOT connect to mysql server and throws 4 warnings: Warning: mysqli_real_connect(): Peer certificate CN=`generic-server' did not match expected CN=`dbserver.local' Warning: mysqli_real_connect(): Cannot connect to MySQL by using SSL Warning: mysqli_real_connect(): [2002] (trying to connect via tcp://dbserver.local:3306) Warning: mysqli_real_connect(): (HY000/2002): Patch: ; obey few default context options ; https://bugs.php.net/bug.php?id=68344 diff -urbB php-5.6.12/ext/mysqlnd/mysqlnd_net.c php-5.6.12/ext/mysqlnd/mysqlnd_net.c --- php-5.6.12/ext/mysqlnd/mysqlnd_net.c 2015-08-06 09:55:57.000000000 +0200 +++ php-5.6.12/ext/mysqlnd/mysqlnd_net.c 2015-08-10 13:25:30.187912101 +0200 @@ -29,6 +29,7 @@ #include "mysqlnd_ext_plugin.h" #include "php_network.h" #include "zend_ini.h" +#include "ext/standard/file.h" #ifdef MYSQLND_COMPRESSION_ENABLED #include <zlib.h> #endif 
@@ -868,6 +868,21 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)( DBG_RETURN(FAIL); } + if (FG(default_context)) { + zval **tmpzval = NULL; + int i = 0; + /* copy values from default stream settings */ + char *opts[] = { "allow_self_signed", "cafile", "capath", "ciphers", "CN_match", + "disable_compression", "local_cert", "local_pk", "no_ticket", "passphrase", + "peer_fingerprint", "peer_name", "SNI_enabled", "SNI_server_certs", "SNI_server_name", + "verify_depth", "verify_peer", "verify_peer_name", NULL }; + while (opts[i]) { + if (php_stream_context_get_option(FG(default_context), "ssl", opts[i], &tmpzval) == SUCCESS) + php_stream_context_set_option(context, "ssl", opts[i], *tmpzval); + i++; + } + } + if (net->data->options.ssl_key) { zval key_zval; ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0); -- Package-specific info: ==== Additional PHP 5 information ==== ++++ PHP 5 SAPI (php5query -S): ++++ fpm cli ++++ PHP 5 Extensions (php5query -M -v): ++++ pdo (Enabled for fpm by maintainer script) pdo (Enabled for cli by maintainer script) readline (Enabled for fpm by maintainer script) readline (Enabled for cli by maintainer script) pdo_mysql (Enabled for fpm by maintainer script) pdo_mysql (Enabled for cli by maintainer script) json (Enabled for fpm by maintainer script) json (Enabled for cli by maintainer script) memcached (Enabled for fpm by local administrator) memcached (Enabled for cli by local administrator) mysqli (Enabled for fpm by maintainer script) mysqli (Enabled for cli by maintainer script) opcache (Enabled for fpm by maintainer script) opcache (Enabled for cli by maintainer script) mysql (Enabled for fpm by maintainer script) mysql (Enabled for cli by maintainer script) curl (Enabled for fpm by maintainer script) curl (Enabled for cli by maintainer script) mysqlnd (Enabled for fpm by maintainer script) mysqlnd (Enabled for cli by maintainer script) redis (Enabled for fpm by maintainer script) redis (Enabled for cli by maintainer script) ++++ 
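Review bot: the option-copying loop in the enable_ssl hunk pulls verify_peer, verify_peer_name and allow_self_signed out of the process-wide default stream context (FG(default_context)) into every mysqlnd connection, so any code in the same process that calls stream_context_set_default() for an unrelated reason (an HTTP client, for instance) silently turns off server certificate and hostname verification for all database connections made afterwards. An explicit per-connection opt-out (a flag passed at connect time, alongside the existing mysqli_ssl_set() values) would keep the decision local to the caller; at minimum, document that the default context now governs database TLS and narrow the copied key list to the options a caller legitimately needs to override. Style: the body of `if (php_stream_context_get_option(...) == SUCCESS)` inside the while loop lacks braces, which PHP's C coding standard requires.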
Configuration files:
++++
**** /etc/php5/mods-available/mysqlnd.ini ****
extension=mysqlnd.so
**** /etc/php5/mods-available/mysql.ini ****
extension=mysql.so
**** /etc/php5/mods-available/mysqli.ini ****
extension=mysqli.so
**** /etc/php5/mods-available/pdo_mysql.ini ****
extension=pdo_mysql.so

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages php5-mysqlnd depends on:
ii  libc6                          2.19-18
ii  php5-common [phpapi-20131226]  5.6.12+dfsg-0+deb8u1
ii  ucf                            3.0030

php5-mysqlnd recommends no packages.

php5-mysqlnd suggests no packages.

Versions of packages php5-common depends on:
ii  libc6   2.19-18
ii  lsof    4.86+dfsg-1
ii  psmisc  22.21-2
ii  sed     4.2.2-4+b1
ii  ucf     3.0030

Versions of packages php5-common suggests:
pn  php5-user-cache  <none>

Versions of packages php5-cli depends on:
ii  libbz2-1.0        1.0.6-7+b3
ii  libc6             2.19-18
ii  libcomerr2        1.42.12-1.1
ii  libdb5.3          5.3.28-9
ii  libedit2          3.1-20140620-2
ii  libgssapi-krb5-2  1.12.1+dfsg-19
ii  libk5crypto3      1.12.1+dfsg-19
ii  libkrb5-3         1.12.1+dfsg-19
ii  libmagic1         1:5.22+15-2
ii  libonig2          5.9.5-3.2
ii  libpcre3          2:8.35-3.3
ii  libqdbm14         1.8.78-5+b1
ii  libssl1.0.0       1.0.1k-3+deb8u1
ii  libxml2           2.9.1+dfsg1-5
ii  mime-support      3.58
ii  php5-common       5.6.12+dfsg-0+deb8u1
ii  php5-json         1.3.6-1
ii  tzdata            2015f-0+deb8u1
ii  ucf               3.0030
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages php5-cli recommends:
ii  php5-readline  5.6.12+dfsg-0+deb8u1

Versions of packages php5-cli suggests:
pn  php-pear  <none>

Versions of packages php5-fpm depends on:
ii  init-system-helpers  1.22
ii  libapparmor1         2.9.0-3
ii  libbz2-1.0           1.0.6-7+b3
ii  libc6                2.19-18
ii  libcomerr2           1.42.12-1.1
ii  libdb5.3             5.3.28-9
ii  libgssapi-krb5-2     1.12.1+dfsg-19
ii  libk5crypto3         1.12.1+dfsg-19
ii  libkrb5-3            1.12.1+dfsg-19
ii  libmagic1            1:5.22+15-2
ii  libonig2             5.9.5-3.2
ii  libpcre3             2:8.35-3.3
ii  libqdbm14            1.8.78-5+b1
ii  libssl1.0.0          1.0.1k-3+deb8u1
ii  libsystemd0          215-17+deb8u1
ii  libxml2              2.9.1+dfsg1-5
ii  mime-support         3.58
ii  php5-cli             5.6.12+dfsg-0+deb8u1
ii  php5-common          5.6.12+dfsg-0+deb8u1
ii  php5-json            1.3.6-1
ii  tzdata               2015f-0+deb8u1
ii  ucf                  3.0030
ii  zlib1g               1:1.2.8.dfsg-2+b1

Versions of packages php5-fpm suggests:
pn  php-pear  <none>

-- no debconf information
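The warning quoted in the report ("Peer certificate CN=`generic-server' did not match expected CN=`dbserver.local'") is the peer-name check itself failing, and the report's three knobs (verify_peer_name, peer_name, and a certificate whose names actually cover the host) are three different ways out of it. The following is an added illustration, written for this editorial pass in Python rather than taken from PHP, mysqlnd or the bug report; it models the name-matching rules that such a check applies (SAN dNSName entries first, CN only as a fallback, case-insensitive, a wildcard only as the whole leftmost label) and the effect of the two context options on them. The certificate dictionaries are constructed samples that mimic the shape returned by Python's ssl.getpeercert(); the check_peer_name() function and its option names are this example's own, chosen to mirror the PHP option names on the page. It goes beyond the report's single case by also showing the outcome for a certificate issued with proper SAN entries, which is the fix a defender would prefer over disabling verification.

```python
"""Model of a TLS peer-name check, as used by database clients.

Added example; not code from PHP, mysqlnd, or the bug report above.
"""


def _names_from_cert(cert):
    """Return the DNS names a certificate is valid for.

    The cert dicts used here are constructed samples shaped like Python's
    ssl.getpeercert() output:
      {"subject": ((("commonName", "x"),),), "subjectAltName": (("DNS", "x"),)}
    Per RFC 6125, SAN dNSName entries take precedence; the subject CN is
    consulted only when the certificate carries no dNSName SAN at all.
    """
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn
            if k == "commonName"]


def _name_matches(pattern, hostname):
    """Match one certificate name against one hostname.

    Case-insensitive; a wildcard is accepted only as the entire leftmost
    label, only one label deep, and only when at least two fixed labels
    remain (so "*.db.local" covers "node1.db.local" but not
    "a.node1.db.local", and "*.local" is never accepted).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_peer_name(cert, connect_host, verify_peer_name=True, peer_name=None):
    """Decide whether a server certificate is acceptable for a connection.

    verify_peer_name=False skips the name check entirely: the connection is
    still encrypted, but any certificate the CA would sign (or, with
    verify_peer off as well, any certificate at all) is accepted, so this
    is the weakest of the three options. peer_name overrides the expected
    name, which lets a certificate issued to a cluster-wide name be accepted
    when a single node is addressed directly, without turning the check off.
    Returns (accepted, reason).
    """
    if not verify_peer_name:
        return True, "peer name verification disabled"
    expected = peer_name or connect_host
    names = _names_from_cert(cert)
    if not names:
        return False, "certificate carries no DNS name"
    for name in names:
        if _name_matches(name, expected):
            return True, "matched %s" % name
    return False, "Peer certificate names %s did not match expected %s" % (names, expected)


# Constructed sample: a CN-only certificate like the one in the report.
CLUSTER_CERT = {"subject": ((("commonName", "generic-server"),),)}

# Constructed sample: the same CN, but issued with SAN entries that cover the
# cluster name and every node under db.local.
NODE_CERT = {
    "subject": ((("commonName", "generic-server"),),),
    "subjectAltName": (("DNS", "generic-server"), ("DNS", "*.db.local")),
}


if __name__ == "__main__":
    cases = [
        ("report as filed", CLUSTER_CERT, "dbserver.local", {}),
        ("peer_name override", CLUSTER_CERT, "dbserver.local", {"peer_name": "generic-server"}),
        ("verification off", CLUSTER_CERT, "dbserver.local", {"verify_peer_name": False}),
        ("cert with SANs, node address", NODE_CERT, "node1.db.local", {}),
        ("cert with SANs, CN ignored", NODE_CERT, "dbserver.local", {}),
    ]
    for label, cert, host, opts in cases:
        ok, why = check_peer_name(cert, host, **opts)
        print("%-30s %-6s %s" % (label, "OK" if ok else "FAIL", why))
```

Of the three outcomes for the reporter's CN-only certificate, the peer_name override is the one that keeps hostname binding intact; reissuing the certificate with SAN entries that cover each node's address removes the need for any client-side override at all, and once SANs are present the CN no longer participates in the match.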