PHP 到 MySQL SSL 连接 [英] PHP to MySQL SSL Connections
问题描述
我已经成功地在一个网络上的一台服务器上设置了启用 SSL 的 MySQL 安装,并且可以使用 SSL 与 Linux 命令行 mysql 客户端在不同网络的另一台服务器上连接到它,但是每次我尝试连接时(使用 PHP 5.3.3)我不断得到:
I have successfully setup an SSL enabled install of MySQL on one server on one network and can connect to it using SSL with the Linux command line mysql client on a different server on a different network, however every time I try to connect (using PHP 5.3.3) I keep getting:
警告:mysqli_real_connect():(HY000/2026):第 18 行/var/www/html/test.php 中的 SSL 连接错误
Warning: mysqli_real_connect(): (HY000/2026): SSL connection error in /var/www/html/test.php on line 18
我的PHP如下是我做错了吗?证书为 777(仅在测试时)并且相同的代码适用于不同用户的未加密连接(SSL 设置被注释掉,即 mysqli
绝对可以正常连接到数据库)
My PHP is as follows have I done something wrong? The certs are 777 (only while testing) and the same code works for a different user's un-encrypted connection (with the SSL setting commented out i.e. mysqli
can definitely connect generally to the DB)
<?php
error_reporting(E_ALL);
ini_set("display_errors", "1");
$obj = mysqli_init();
mysqli_options($obj, MYSQLI_OPT_CONNECT_TIMEOUT, 5);
mysqli_ssl_set($obj,
'/mysql-ssl-certs/server-key.pem',
'/mysql-ssl-certs/server-cert.pem',
'/mysql-ssl-certs/ca-cert.pem',
NULL,
NULL);
$link = mysqli_real_connect($obj, 'localhost', 'ssluser', 'some_password', 'test');
if (!$link)
{
die('<br /><br />Connect Error (' . mysqli_connect_errno() . ') '.mysqli_connect_error());
}
echo 'Success... ' . mysqli_get_host_info($obj) . "
";
$obj->close();
?>
推荐答案
这里 PHP(和 mysqli_real_connect
)是客户端而不是服务器.您正在使用 mysqli_ssl_set
配置它以进行客户端证书身份验证(并使用服务器密钥和证书).
Here PHP (and mysqli_real_connect
) is the client not the server. You're configuring it with mysqli_ssl_set
for client-certificate authentication (and using the server key and certificate).
我不确定您是如何配置 MySQL 服务器的,但配置的 (MySQL) 服务器部分中应该有类似的内容:
I'm not sure how you've configured your MySQL server, but there should be something like this in the (MySQL) server section of the configuration:
ssl-key=/mysql-ssl-certs/server-key.pem
ssl-cert=/mysql-ssl-certs/server-cert.pem
ssl-ca=/mysql-ssl-certs/ca-cert.pem
无论如何,这些都不属于客户端(只有 CA 证书,但绝对不是服务器的私钥).
These don't belong to the client side anyway (only the CA certificate does, but definitely not the server's private key).
完成此操作后,您可以尝试使用命令行客户端查看服务器是否配置正确:
Once you've done this, you can try to see if the server is configured properly using the command line client:
mysql --ssl-verify-server-cert --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...
或者这个(虽然验证服务器证书应该真正启用才能使 SSL/TLS 有用)
or perhaps this (although verify server cert should really be enabled for SSL/TLS to be useful)
mysql --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...
这至少应该在命令行上工作.
This should work at least on the command line.
然后,从 PHP 中,您有两个选择:
Then, from PHP, you get two options:
- 像您一样使用
mysqli_ssl_set
,但将$key
和$cert
留空,除非您想使用客户端证书这确实应该与您的服务器证书不同.(我不记得这是否有效.) 可能更简单,完全省略
mysqli_ssl_set
并在全局 MySQL 客户端配置文件中配置它(PHP 应该能够获取它,可能/etc/mysql/my.cnf
,但这可能会因您的发行版而异):
- use
mysqli_ssl_set
like you've done, but leaving$key
and$cert
null, unless you want to use a client-certificate which really ought to be different from your server certificate. (I can't remember whether that works.) possibly easier, omit
mysqli_ssl_set
altogether and configure this in your global MySQL client configuration file (where PHP should be able to pick it up, possibly/etc/mysql/my.cnf
, but this may vary depending on your distribution):
[client]
ssl-ca=/mysql-ssl-certs/ca-cert.pem
(这类似于服务器配置,但在客户端/在客户端部分.)
(This is similar to the server config, but on the client side/in the client section.)
对于授权部分(GRANT
):
REQUIRE SSL
只需要使用 SSL/TLSREQUIRE ISSUER
、REQUIRE SUBJECT
和REQUIRE X509
要求客户端提供客户端证书以与所需值进行比较(即您需要在客户端(配置或在mysqli_ssl_set
内)使用ssl-key
和ssl-cert
的情况.
REQUIRE SSL
only requires the use of SSL/TLSREQUIRE ISSUER
,REQUIRE SUBJECT
andREQUIRE X509
require the client to present a client-certificate to compare to the required values (that's the case where you'd need to usessl-key
andssl-cert
on the client side (config or withinmysqli_ssl_set
).
这篇关于PHP 到 MySQL SSL 连接的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!