Question
I have a strange issue when moving my project from PHP 5.6 to PHP 7, I have a database class which allows you to set an SSL connection to the database after calling mysqli_init(); and before calling mysqli_real_connect().
I have been developing this on PHP 5.6 and have successfully created an SSL connection to a remote server and all working great, the remote database server does NOT use a self-signed certificate.
In the setSSL method of my db class I have this:
if($verify) { $this->mysqli->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true); }
$this->mysqli->ssl_set($key, $cert, $ca, $capath, $ciphers);
The method sets $verify to a default setting of true and left as is, the certificate bundle is passed through the variable $ca.
This has been working great on PHP 5.6 and doing exactly what it should be and confirmed that the connection is indeed using an SSL connection.
On the same server I created a sub domain and set it to use PHP 7 (I hear performance is much better and my code is PHP 7 friendly).
I did a complete copy of my code on the new sub domain and everything works fine, except for the remote SSL mysqli connection.
I have checked the removed features in PHP 7 and many other things but can't find out why this is happening.
Extracts from logs:
[Msg: mysqli::real_connect(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed]
[Msg: mysqli::real_connect(): Cannot connect to MySQL by using SSL]
[Msg: mysqli::real_connect(): [2002] (trying to connect via tcp://******.co.uk:3306)]
On another note, this is the same error produced when I was first developing this feature on PHP 5.6 if I didn't pass the ca certificate bundles over.
Answer 1:
I am 99% sure this is because you are using a chained certificate (which is common) and MySQL currently does not support chained certificates (which is annoying).
You normally do not load the intermediate certificate into the client certificate pool, as this is lowering security and a very common mistake many webserver owners make. But as there is no other solution concerning MySQL, you might want to do just that.
So as a workaround, try loading the CA and all intermediate certs into your certificate pool of PHP - keeping in mind this is bad practice.
Update:
I think the bug got resolved long ago but the MySQL team didn't update their ticket ... depending on which SSL library is baked into your MySQL (usually OpenSSL) it should already work.
Read here how to concatenate and build a proper certificate chain: How to chain a SSL certificate
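The workaround from the answer (placing the intermediate certificate next to the root in the CA file that is passed as $ca), shown as an added example that is not part of the original thread. It builds a constructed throwaway root, intermediate and leaf with the openssl CLI and checks the leaf against the root alone and against the concatenated bundle; all file names and subject names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (root -> intermediate -> leaf).
# None of these certificates or names come from the original question.
set -eu

# Create an RSA key and a CSR for subject CN=$2 in directory $1, base name $3.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
}

# Build the demo chain and the concatenated CA bundle in directory $1.
build_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_csr "$d" 'Demo Root CA' root
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    new_csr "$d" 'Demo Intermediate CA' inter
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    new_csr "$d" 'db.example.test' leaf
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
    # The file that would be handed to ssl_set() as $ca: intermediate, then root.
    cat "$d/inter.pem" "$d/root.pem" > "$d/bundle.pem"
}

# Succeeds only if certificate $2 chains up to a root found in CA file $1.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Verify the leaf against the root alone, then against the full bundle.
demo() {
    d=$(mktemp -d)
    build_demo_pki "$d"
    chain_ok "$d/root.pem" "$d/leaf.pem" && r1=pass || r1=fail
    chain_ok "$d/bundle.pem" "$d/leaf.pem" && r2=pass || r2=fail
    rm -rf "$d"
    echo "root-only=$r1 bundle=$r2"
}

demo
```

The root-only check fails with the same class of error as the log above (the issuer of the server certificate cannot be found), which is the case when the server does not send its intermediate during the handshake.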
Source: https://stackoverflow.com/questions/40220854/mysqli-ssl-connection-stops-working-after-php-7-upgrade