MySQLi SSL connection stops working after php 7 upgrade

Problem description

I have a strange issue when moving my project from PHP 5.6 to PHP 7. I have a database class which allows you to set an SSL connection to the database after calling mysqli_init(); and before calling mysqli_real_connect().

I have been developing this on PHP 5.6 and have successfully created an SSL connection to a remote server and all is working great; the remote database server does NOT use a self-signed certificate.

In the setSSL method of my db class I have this:

        if($verify) { $this->mysqli->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true); }
        $this->mysqli->ssl_set($key, $cert, $ca, $capath, $ciphers);

The method sets $verify to a default setting of true and left as is, the certificate bundle is passed through the variable $ca.

This has been working great on PHP 5.6 and doing exactly what it should be and confirmed that the connection is indeed using an SSL connection.

On the same server I created a subdomain and set it to use PHP 7 (I hear performance is much better and my code is PHP 7 friendly).

I did a complete copy of my code on the new subdomain and everything works fine, except for the remote SSL mysqli connection.

I have checked the removed features in PHP 7 and many other things but can't find out why this is happening.

Extract from the logs:

[Msg: mysqli::real_connect(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed]

[Msg: mysqli::real_connect(): Cannot connect to MySQL by using SSL]

[Msg: mysqli::real_connect(): [2002] (trying to connect via tcp://******.co.uk:3306)]

On another note, this is the same error produced when I was first developing this feature on PHP 5.6 if I didn't pass the ca certificate bundles over.

Recommended answer

I am 99% sure this is because you are using a chained certificate (which is common) and MySQL currently does not support chained certificates (which is annoying).

You normally do not load the intermediate certificate into the client certificate pool, as this is lowering security and a very common mistake many webserver owners make. But as there is no other solution concerning MySQL, you might want to do just that.

So as a workaround, try loading the CA and all intermediate certs into your certificate pool of PHP - keeping in mind this is bad practice.

Update:

I think the bug got resolved long ago but the MySQL Team didn't update their ticket, ... depending on which ssl library is baked into your MySQL (usually openssl) it should already work.

Read here how to concatenate and build a proper certificate chain: How to chain a SSL certificate
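
The following PHP script is an added example, not code from the question or the answer. It lists the certificates in the PEM bundle passed as `$ca` to `ssl_set()` and reports whether each one's issuer is also in the bundle, which shows whether the CA and the intermediates the answer mentions are actually present. The function name `inspectCaBundle` and the default path are assumptions; the subject/issuer match is by name only and does not check signatures.

```php
<?php
// Added example: inspect the PEM bundle given to mysqli::ssl_set() as $ca.

function inspectCaBundle(string $path): array
{
    $pem = file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("Cannot read CA bundle: $path");
    }
    // A bundle is a concatenation of PEM certificate blocks.
    preg_match_all(
        '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
        $pem,
        $m
    );

    $certs = [];
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            continue; // skip blocks OpenSSL cannot parse
        }
        $certs[] = [
            'name'    => $info['name'],                  // one-line subject
            'subject' => json_encode($info['subject']),  // comparable form
            'issuer'  => json_encode($info['issuer']),
            'expires' => $info['validTo_time_t'],
        ];
    }

    $subjects = array_column($certs, 'subject');
    foreach ($certs as &$c) {
        // Name comparison only: subject == issuer means self-issued (a root).
        $c['role'] = $c['subject'] === $c['issuer']
            ? 'root (self-issued)'
            : 'not self-issued (intermediate or leaf)';
        $c['issuer_in_bundle'] = in_array($c['issuer'], $subjects, true);
        $c['expired'] = $c['expires'] < time();
    }
    unset($c);
    return $certs;
}

$bundle = $argv[1] ?? '/path/to/ca-bundle.pem'; // hypothetical placeholder path
foreach (inspectCaBundle($bundle) as $c) {
    printf("%s\n  role: %s\n  issuer in bundle: %s\n  expired: %s\n",
        $c['name'], $c['role'],
        $c['issuer_in_bundle'] ? 'yes' : 'NO',
        $c['expired'] ? 'YES' : 'no');
}
```

A certificate reported with "issuer in bundle: NO" marks the point where the chain in the bundle stops short of a root.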
