PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT still checking CN

[drewwynne0]

Description

Apologies, may not be a bug but cannot seems to find anything after extensive research.

The following code:

PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,

Resulted in this output:

Peer certificate CN=`*.proxy-~~~.eu-west-2.rds.amazonaws.com' did not match expected CN=`~~~.**endpoint**.proxy-~~~.eu-west-2.rds.amazonaws.com'

~~~ used for masking
But I expected this output instead:

Successful mysql connection

There doesn't seem to be a specific way to force --ssl-mode=VERIFY_CA
mysql cli connection works fine with this flag

Scenario - I am utilising AWS RDS Proxy with a Read/Write endpoint and a Read endpoint. Read/write connects fine, but when trying to connect to the read only endpoint, receive the above error, assuming that the read only is within the subdomain .endpoint.proxy- whereas the read/write is with .proxy-

PHP Version

PHP 8.1.6

Operating System

Windows 11 // Ubuntu 20.04

[cmb69]

Do you use mysqlnd or libmysql-client (see PHP info)?

[drewwynne0]

mysqlnd

Just freshly installed php as working on a different machine.

[PHP Modules]
bcmath
calendar
Core
ctype
curl
date
dom
fileinfo
filter
hash
iconv
json
libxml
mbstring
mysqlnd
openssl
pcre
PDO
pdo_mysql
Phar
readline
Reflection
session
SimpleXML
SPL
standard
tokenizer
xml
xmlreader
xmlwriter
zip
zlib

[cmb69]

Thank you! In this case, the verification is done via the SSL stream context options verify_peer and verify_peer_name, so this is not necessarily a mysqlnd issue. I wonder, though, how libmysql-client would behave.

[james-green-affinity]

I have a similar setup as mentioned above, however I am using mariaDB client and connecting to an aurora DB via RDS proxy. Unfortunately for me --ssl-mode=VERIFY_CA is NOT an option within mariaDB client so I need to find a way to use "--ssl" instead.

https://mariadb.com/kb/en/mysql-command-line-client/#:~:text=mysql%20(from%20MariaDB%2010.4.,in%20an%20ASCII%2Dtable%20format.

[piotrekkr]

I just spotted this same issue on my setup. I'm using docker image of PHP 8.2.12

root@spooler-qa4-3b64c:/var/www# php -v
PHP 8.2.12 (cli) (built: Oct 28 2023 01:45:57) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.12, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.12, Copyright (c), by Zend Technologies
    with ddtrace v1.1.0, Copyright Datadog, by Datadog
    with datadog-profiling v1.1.0, Copyright Datadog, by Datadog
    with ddappsec v1.1.0, Copyright Datadog, by Datadog

php -i shows this

mysqlnd
mysqlnd => enabled
Version => mysqlnd 8.2.12
Loaded plugins => mysqlnd,debug_trace,auth_plugin_mysql_native_password,auth_plugin_mysql_clear_password,auth_plugin_caching_sha2_password,auth_plugin_sha256_password
API Extensions => pdo_mysql
PDO drivers => sqlite, mysql
pdo_mysql
Client API version => mysqlnd 8.2.12

I have set driver options like:

array(5) {
  [1002]=>
  string(39) "SET SESSION max_execution_time = 120000"
  [1014]=>
  int(0)
  [1009]=>
  string(27) "/secrets/cloudsql/client_ca"
  [1008]=>
  string(29) "/secrets/cloudsql/client_cert"
  [1007]=>
  string(28) "/secrets/cloudsql/client_key"
}

But even when PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT is set to 0 I get this error when connecting to GCP mysql instance:

PDO::__construct(): Peer certificate CN=`xxxx-xx:xxx-xxxx' did not match expected CN=`XX.XX.XX.XX'

Is there any workaround for this?

[nielsdos]

I tried this on 8.2-dev and 8.2.12, but I can't reproduce this.
This is my test script:

<?php
$host = 'ARCH.localdomain';
$dbname = 'php';
$username = 'root';
$password = '1234';

$caCert = '/home/niels/gh8577/ca-cert.pem';
$clientCert = '/home/niels/gh8577/client-cert.pem';
$clientKey = '/home/niels/gh8577/client-key.pem';

$options = [
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
    PDO::MYSQL_ATTR_SSL_CA => $caCert,
    PDO::MYSQL_ATTR_SSL_CERT => $clientCert,
    PDO::MYSQL_ATTR_SSL_KEY => $clientKey,
];

$pdo = new PDO("mysql:host=$host;dbname=$dbname", $username, $password, $options);

For me this works fine, it only gives the CN error when I set PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT to true.
This is with a self-signed certificate for a MariaDB server. I tried a couple of different variations but can't trigger anything. Looking at the mysqlnd & streams logic I also don't see how it's possible to trigger this.
It's likely something more complex is at play here.
I need more information to help out here: please provide a reproduction script or point out what is wrong in mine, try disabling opcache & third party extensions, check with latest 8.2.