I've seen a behaviour that I can't explain, so I hope someone can help me understand what is happening.
Setup
I'm using PHP 7.4 on Debian to connect to a Percona 8 (8.0.20-11) Server (also Debian) remotely, where OpenSSL 1.1.1d is installed.
Here's what I've done so far:
- Create self-signed SSL certificates as described here: https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html
# Create CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem -subj "/CN=percona-certificate"
# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem -subj "/CN=percona-certificate"
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Note: The subjects are identical on both the CA and the server certificate.
- Use the SSL certificates in Percona. This works without errors except for a warning:
Server SSL certificate doesn't verify: self signed certificate CA certificate ... is self signed.
- Copy the SSL certificates to the other server and use the following PHP script to connect:
$db_config = [
    'host'       => '123.123.123.123',
    'port'       => '3306',
    'dbname'     => 'dbname',
    'username'   => 'username',
    'password'   => 'password',
    'ssl_ca'     => '/cert-path/ca.pem',
    'ssl_cert'   => '/cert-path/server-cert.pem',
    'ssl_key'    => '/cert-path/server-key.pem',
    'ssl_verify' => false
];
$pdo = new PDO(
    'mysql:host=' . $db_config['host'] . ';port=' . $db_config['port'] . ';dbname=' . $db_config['dbname'],
    $db_config['username'],
    $db_config['password'],
    [
        PDO::MYSQL_ATTR_INIT_COMMAND           => 'SET NAMES utf8',
        PDO::ATTR_TIMEOUT                      => 1,
        PDO::ATTR_ERRMODE                      => PDO::ERRMODE_EXCEPTION,
        PDO::MYSQL_ATTR_SSL_CA                 => $db_config['ssl_ca'],
        PDO::MYSQL_ATTR_SSL_CERT               => $db_config['ssl_cert'],
        PDO::MYSQL_ATTR_SSL_KEY                => $db_config['ssl_key'],
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => $db_config['ssl_verify']
    ]
);
$query = $pdo->query('SELECT COUNT(*) FROM mytable');
Behaviour
Although Percona seems to start without problems, I can't connect to the Percona server via PHP:
SQLSTATE[HY000] [2006] MySQL server has gone away
What confuses me most is the fact that when I change the subjects of the certificates so that they are not identical, it works like a charm. The query returns the number of rows in the table as expected.
My Questions
Could anyone explain to me what's happening here?
Why does Percona start up but not accept remote connections with certificates that have identical subjects?
Why does it work with different subjects?
If there is validation done by OpenSSL, why does it not ignore identical subjects, as the CA certificate is self-signed anyway?
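The certificate setup from the question, as an added example that is not part of the original post: a POSIX shell script that builds the CA and server certificate with the same commands as above, then runs the check worth doing before handing the files to Percona or PDO. It compares the two subjects (the MySQL page linked above requires the server certificate's Common Name to differ from the CA's) and verifies the chain with openssl, which is what a client's OpenSSL does at connect time. It assumes an openssl binary on PATH; the directory and CN values are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes `openssl` is on PATH;
# directory names and CN values are constructed for the demonstration.

# make_pair DIR CA_CN SERVER_CN: builds ca.pem/ca-key.pem and
# server-cert.pem/server-key.pem in DIR with the same commands as the question.
make_pair() {
    dir=$1; ca_cn=$2; srv_cn=$3
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3600 -key "$dir/ca-key.pem" \
        -out "$dir/ca.pem" -subj "/CN=$ca_cn" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
        -out "$dir/server-req.pem" -subj "/CN=$srv_cn" 2>/dev/null
    openssl x509 -req -in "$dir/server-req.pem" -days 3600 -CA "$dir/ca.pem" \
        -CAkey "$dir/ca-key.pem" -set_serial 01 -out "$dir/server-cert.pem" 2>/dev/null
}

# check_pair DIR: pre-deployment check. Returns 1 if CA and server certificate
# carry the same subject (the MySQL docs require the CNs to differ), 2 if the
# server certificate does not verify against ca.pem, 0 if both checks pass.
check_pair() {
    ca_subj=$(openssl x509 -in "$1/ca.pem" -noout -subject)
    srv_subj=$(openssl x509 -in "$1/server-cert.pem" -noout -subject)
    if [ "$ca_subj" = "$srv_subj" ]; then
        echo "CA and server certificate share subject: $srv_subj" >&2
        return 1
    fi
    # The same chain build a client's OpenSSL performs, run ahead of deployment.
    openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" || return 2
    return 0
}

# Runs both variants from the question: identical CNs, then distinct CNs.
demo() {
    work=$(mktemp -d)
    make_pair "$work/same" percona-certificate percona-certificate
    make_pair "$work/distinct" percona-ca percona-server
    for d in same distinct; do
        check_pair "$work/$d"; rc=$?
        [ "$rc" -eq 0 ] && echo "$d: ok to deploy" || echo "$d: rejected (rc=$rc)"
    done
    rm -rf "$work"
}
demo
```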