PHP to MySQL SSL Connections
Question
I have successfully set up an SSL-enabled install of MySQL on one server on one network and can connect to it using SSL with the Linux command line mysql client on a different server on a different network, however every time I try to connect (using PHP 5.3.3) I keep getting:
Warning: mysqli_real_connect(): (HY000/2026): SSL connection error in /var/www/html/test.php on line 18
My PHP is as follows; have I done something wrong? The certs are 777 (only while testing) and the same code works for a different user's un-encrypted connection (with the SSL setting commented out, i.e. mysqli can definitely connect generally to the DB)
<?php
error_reporting(E_ALL);
ini_set("display_errors", "1");

$obj = mysqli_init();
mysqli_options($obj, MYSQLI_OPT_CONNECT_TIMEOUT, 5);

// mysqli_ssl_set($link, $key, $cert, $ca, $capath, $cipher)
// Here the server's key and certificate are passed as the client key/cert.
mysqli_ssl_set($obj,
    '/mysql-ssl-certs/server-key.pem',
    '/mysql-ssl-certs/server-cert.pem',
    '/mysql-ssl-certs/ca-cert.pem',
    NULL,
    NULL);

$link = mysqli_real_connect($obj, 'localhost', 'ssluser', 'some_password', 'test');
if (!$link) {
    die('<br /><br />Connect Error (' . mysqli_connect_errno() . ') ' . mysqli_connect_error());
}
echo 'Success... ' . mysqli_get_host_info($obj) . "\n";
$obj->close();
?>
Answer
Here PHP (and mysqli_real_connect) is the client, not the server. You're configuring it with mysqli_ssl_set for client-certificate authentication (and using the server key and certificate).
I'm not sure how you've configured your MySQL server, but there should be something like this in the (MySQL) server section of the configuration:
ssl-key=/mysql-ssl-certs/server-key.pem
ssl-cert=/mysql-ssl-certs/server-cert.pem
ssl-ca=/mysql-ssl-certs/ca-cert.pem
These don't belong on the client side anyway (only the CA certificate does, but definitely not the server's private key).
Once you've done this, you can try to see if the server is configured properly using the command line client:
mysql --ssl-verify-server-cert --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...
or perhaps this (although verify-server-cert should really be enabled for SSL/TLS to be useful):
mysql --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...
This should work at least on the command line.
Then, from PHP, you have two options:
- use mysqli_ssl_set like you've done, but leaving $key and $cert null, unless you want to use a client certificate, which really ought to be different from your server certificate. (I can't remember whether that works.)
- possibly easier, omit mysqli_ssl_set altogether and configure this in your global MySQL client configuration file (where PHP should be able to pick it up, possibly /etc/mysql/my.cnf, but this may vary depending on your distribution):
[client]
ssl-ca=/mysql-ssl-certs/ca-cert.pem
(This is similar to the server config, but on the client side, in the [client] section.)
For the authorization part (GRANT):
- REQUIRE SSL only requires the use of SSL/TLS
- REQUIRE ISSUER, REQUIRE SUBJECT and REQUIRE X509 require the client to present a client certificate to compare to the required values (that's the case where you'd need to use ssl-key and ssl-cert on the client side, in the config or within mysqli_ssl_set).
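 
The first PHP option from the answer (CA certificate only, no client key/cert) carried through as an added example, not the asker's or answerer's code. It also covers the GRANT section: the client key and certificate are only supplied when the account was created with REQUIRE X509 / SUBJECT / ISSUER. Beyond what the answer states, it turns on server-certificate verification and checks after connecting that the session is really encrypted, since a successful connect alone does not prove TLS was negotiated. The host name, credentials, certificate paths and the tls_cipher helper are assumptions.

```php
<?php
// Added example (not the original poster's or answerer's code).
// Assumed values: host name, credentials, certificate paths.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Use the name the server certificate was issued for. With libmysqlclient,
// 'localhost' means the Unix socket rather than TCP, which is not what you
// want when testing TLS.
$host = 'db.example.internal';
$user = 'ssluser';
$pass = 'some_password';
$db   = 'test';

// The only file the client needs to authenticate the server.
$caFile = '/mysql-ssl-certs/ca-cert.pem';

// Client key/cert are only needed for accounts created with
// REQUIRE X509 / REQUIRE SUBJECT / REQUIRE ISSUER. They must be a
// *client* key pair issued by the same CA, never the server's key.
// Leave both null for a plain REQUIRE SSL account.
$clientKey  = null;   // e.g. '/mysql-ssl-certs/client-key.pem'
$clientCert = null;   // e.g. '/mysql-ssl-certs/client-cert.pem'

// Returns the negotiated cipher name, or null if the session is plaintext.
// Ssl_cipher is empty on an unencrypted connection.
function tls_cipher(mysqli $mysqli)
{
    $res = mysqli_query($mysqli, "SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    if (!$res) {
        return null;
    }
    $row = mysqli_fetch_assoc($res);
    mysqli_free_result($res);
    return ($row && $row['Value'] !== '') ? $row['Value'] : null;
}

$mysqli = mysqli_init();
mysqli_options($mysqli, MYSQLI_OPT_CONNECT_TIMEOUT, 5);

// Refuse to talk to a server whose certificate does not chain to our CA.
// Without this, TLS still encrypts but anyone with a self-signed cert can
// impersonate the server.
mysqli_options($mysqli, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);

mysqli_ssl_set($mysqli, $clientKey, $clientCert, $caFile, null, null);

// MYSQLI_CLIENT_SSL makes the intent explicit: fail rather than fall back
// to plaintext if TLS cannot be negotiated.
if (!mysqli_real_connect($mysqli, $host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL)) {
    die('Connect Error (' . mysqli_connect_errno() . ') ' . mysqli_connect_error() . "\n");
}

$cipher = tls_cipher($mysqli);
if ($cipher === null) {
    mysqli_close($mysqli);
    die("Connected, but the session is NOT encrypted\n");
}

echo 'Success: ' . mysqli_get_host_info($mysqli) . ' using cipher ' . $cipher . "\n";
mysqli_close($mysqli);
?>
```

If you prefer the answer's second option (CA path in the [client] section of my.cnf and no mysqli_ssl_set call), note that reading option files is a libmysqlclient feature; with the mysqlnd driver that PHP builds commonly ship, MYSQLI_READ_DEFAULT_FILE is not supported, so the mysqli_ssl_set call above is the portable choice. The Ssl_cipher check is worth keeping in either case, because the server-side REQUIRE SSL on the account is what ultimately rejects plaintext logins, and the check tells you from the client side whether that is actually enforced.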