What's the difference between MYSQLI_CLIENT_SSL and MYSQLI_OPT_SSL_VERIFY_SERVER_CERT?

问题

This is how I usually connect to a MySQL database using SSL:

$db = mysqli_init();
mysqli_ssl_set(
    $db,
    NULL,
    NULL,
    '/etc/ssl/my-certs/ssl-ca.crt.pem',
    NULL,
    NULL
);
mysqli_real_connect(
    $db,
    'db.example.com',
    'john',
    '123456',
    NULL,
    NULL,
    NULL,
    MYSQLI_CLIENT_SSL
);

From what I understand, the MYSQLI_CLIENT_SSL flag is necessary to make mysqli::real_connect connect to the server using SSL.

Today I stumbled upon the documentation for mysqli::options, and noticed that it accepts MYSQLI_OPT_SSL_VERIFY_SERVER_CERT as an option, but, alas, its description is blank. So, I wonder:

1. When do I need to add mysqli_options($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);?
2. When do I need to use the MYSQLI_CLIENT_SSL flag?
3. When will I need to set both of them?

回答1:

1. MYSQLI_OPT_SSL_VERIFY_SERVER_CERT (true) used when you want to verify server certificate against well known authorities to ensure that this is connection to trusted host. Do not use it if you have self-signed certificate on server.

2. MYSQLI_CLIENT_SSL must be always used when you need to encrypt connection.

3. When you have on mysql-server certificate provided by authorities and want encryption + MITM-attack protection use both MYSQLI_OPT_SSL_VERIFY_SERVER_CERT and MYSQLI_CLIENT_SSL.

来源：https://stackoverflow.com/questions/54061930/whats-the-difference-between-mysqli-client-ssl-and-mysqli-opt-ssl-verify-server