2

I use MySQL 5.7.17 on AWS RDS.

I encountered a strange behavior and I am looking for an explanation. In short: I try to connect over SSL, with settings that I think should cause the connection to FAIL, but it succeeds!

The following PHP code succeeds to connect to the RDS instance over SSL:

<?
$HOST = "something.amazonaws.com";
$USER = "myuser";
$PASS = "mypass";

$connectionString = "mysql:host={$HOST};charset=utf8";
$options = [ ];
$options[PDO::MYSQL_ATTR_SSL_CA] = "LITERALLY THIS TEXT. DEFINITELY NOT A CERTIFICATE!";
$options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = false;

$conn = new \PDO($connectionString, $USER, $PASS, $options);
$sql = "SHOW STATUS LIKE 'Ssl_cipher'";
$stmt = $conn->prepare($sql);
$stmt->execute([ ]);
$stmt->setFetchMode(\PDO::FETCH_ASSOC);
$rows = $stmt->fetchAll();
print_r($rows);

The result I get:

Array
(
    [0] => Array
        (
            [Variable_name] => Ssl_cipher
            [Value] => AES256-SHA
        )

)

Also, I found three pem files in /etc/ca-certificates/rds-mysql. I thought that PHP might be going there for some reason, so I deleted them, but the SSL connection still succeeds.

Note: if I delete the line that says $options[PDO::MYSQL_ATTR_SSL_CA] = "LITERALLY THIS TEXT. DEFINITELY NOT A CERTIFICATE!"; - it does NOT connect over SSL. So it appears that this option does have some impact.

My question is: how come it succeeds?

tadman
  • 208,517
  • 23
  • 234
  • 262
obe
  • 7,378
  • 5
  • 31
  • 40
  • 2
    You're passing in junk but you're also saying "don't bother to verify". Have you tried with verification enabled? – tadman Jan 31 '20 at 18:47
  • @tadman it doesn't work with MYSQL_ATTR_SSL_VERIFY_SERVER_CERT turned on, but this is the client-side validation, right? Isn't there supposed to be some validation done by the server as well? – obe Jan 31 '20 at 18:55
  • Have you checked that the server is set to verify? – tadman Jan 31 '20 at 18:57
  • I haven't checked. I wasn't aware that it was configurable. Do you know which option controls it? – obe Jan 31 '20 at 19:02
  • https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_require_secure_transport – Bill Karwin Jan 31 '20 at 19:05
  • https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html#mandatory-encrypted-connections – Bill Karwin Jan 31 '20 at 19:05
  • @BillKarwin thanks. These links seem to be about forcing SSL connection. The question is about validating certificates when an SSL connection is attempted... – obe Jan 31 '20 at 19:12
  • Unless the server requires SSL, it will allow a client to connect without SSL. – Bill Karwin Jan 31 '20 at 19:26
  • @BillKarwin this is not the issue. The issue is that the client connects WITH SSL and I'm trying to understand if MySQL can *reject* the connection if the client doesn't have the appropriate certificates... – obe Jan 31 '20 at 19:28

0 Answers0