PHP MySQL SSL connection: PHP to MySQL SSL connection

I have successfully set up an SSL-enabled install of MySQL on one server on one network and can connect to it using SSL with the Linux command line mysql client on a different server on a different network; however, every time I try to connect (using PHP 5.3.3) I keep getting:

Warning: mysqli_real_connect(): (HY000/2026): SSL connection error in /var/www/html/test.php on line 18

My PHP is as follows; have I done something wrong? The certs are 777 (only while testing) and the same code works for a different user's un-encrypted connection (with the SSL setting commented out, i.e. mysqli can definitely connect generally to the DB).

<?php
error_reporting(E_ALL);
ini_set("display_errors", "1");

$obj = mysqli_init();
mysqli_options($obj, MYSQLI_OPT_CONNECT_TIMEOUT, 5);

// Arguments: key, cert, CA file, CA path, cipher list
mysqli_ssl_set($obj,
    '/mysql-ssl-certs/server-key.pem',
    '/mysql-ssl-certs/server-cert.pem',
    '/mysql-ssl-certs/ca-cert.pem',
    NULL,
    NULL);

$link = mysqli_real_connect($obj, 'localhost', 'ssluser', 'some_password', 'test');

if (!$link)
{
    die('Connect Error (' . mysqli_connect_errno() . ') ' . mysqli_connect_error());
}

echo 'Success... ' . mysqli_get_host_info($obj) . "\n";

$obj->close();
?>

Solution

Here PHP (and mysqli_real_connect) is the client, not the server. You're configuring it with mysqli_ssl_set for client-certificate authentication (and using the server key and certificate).

I'm not sure how you've configured your MySQL server, but there should be something like this in the (MySQL) server section of the configuration:

ssl-key=/mysql-ssl-certs/server-key.pem
ssl-cert=/mysql-ssl-certs/server-cert.pem
ssl-ca=/mysql-ssl-certs/ca-cert.pem

These don't belong to the client side anyway (only the CA certificate does, but definitely not the server's private key).

Once you've done this, you can try to see if the server is configured properly using the command line client:

mysql --ssl-verify-server-cert --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...

or perhaps this (although verify server cert should really be enabled for SSL/TLS to be useful)

mysql --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...

This should work at least on the command line.

Then, from PHP, you get two options:

- use mysqli_ssl_set like you've done, but leaving $key and $cert null, unless you want to use a client-certificate which really ought to be different from your server certificate. (I can't remember whether that works.)

- possibly easier, omit mysqli_ssl_set altogether and configure this in your global MySQL client configuration file (where PHP should be able to pick it up, possibly /etc/mysql/my.cnf, but this may vary depending on your distribution):

[client]
ssl-ca=/mysql-ssl-certs/ca-cert.pem

(This is similar to the server config, but on the client side/in the client section.)

For the authorization part (GRANT):

- REQUIRE SSL only requires the use of SSL/TLS

- REQUIRE ISSUER, REQUIRE SUBJECT and REQUIRE X509 require the client to present a client-certificate to compare to the required values (that's the case where you'd need to use ssl-key and ssl-cert on the client side (config or within mysqli_ssl_set)).
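
The first PHP option above (only the CA certificate on the client), as an added example that is not part of the original answer: it passes just the CA file to mysqli_ssl_set and then checks the Ssl_cipher session status so that an unencrypted session is rejected. The function name connect_tls and the host db.example.test are assumptions made for illustration; the user, database and CA path are the ones from the question.

```php
<?php
// Added example. connect_tls() and db.example.test are hypothetical names.
mysqli_report(MYSQLI_REPORT_OFF); // report failures via return values, handled below

function connect_tls($host, $user, $pass, $db, $caFile)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }

    $obj = mysqli_init();
    mysqli_options($obj, MYSQLI_OPT_CONNECT_TIMEOUT, 5);

    // Client side: CA certificate only. Key and cert stay NULL unless the
    // account is granted with REQUIRE X509 / ISSUER / SUBJECT, in which case
    // they must be a client key pair, never the server's private key.
    mysqli_ssl_set($obj, NULL, NULL, $caFile, NULL, NULL);

    if (!mysqli_real_connect($obj, $host, $user, $pass, $db, 3306, NULL, MYSQLI_CLIENT_SSL)) {
        throw new RuntimeException(
            'Connect Error (' . mysqli_connect_errno() . ') ' . mysqli_connect_error()
        );
    }

    // Fail closed: an empty Ssl_cipher value means the session is not encrypted.
    $res = mysqli_query($obj, "SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    $row = $res ? mysqli_fetch_assoc($res) : NULL;
    if (!$row || $row['Value'] === '') {
        mysqli_close($obj);
        throw new RuntimeException('Connected, but the session is not using SSL/TLS');
    }

    return array($obj, $row['Value']);
}

try {
    list($obj, $cipher) = connect_tls('db.example.test', 'ssluser', 'some_password',
                                      'test', '/mysql-ssl-certs/ca-cert.pem');
    echo 'Success... ' . mysqli_get_host_info($obj) . " (cipher: $cipher)\n";
    mysqli_close($obj);
} catch (RuntimeException $e) {
    error_log($e->getMessage());
    exit(1);
}
```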
