5

I'm familiar with the public/private key negotiation implemented in HTTPS, which is why I am confused by the following driver options that are apparently available (though not officially documented) for PDO's MySQL driver:

PDO::MYSQL_ATTR_SSL_KEY
PDO::MYSQL_ATTR_SSL_CERT
PDO::MYSQL_ATTR_SSL_CA

The link suggests they point to files stored locally - yet why would a copy of anything besides the CA certificate be stored on the client? Has anyone successfully made an encrypted connection using this method?

tjbp
  • 3,427
  • 3
  • 24
  • 35

1 Answers1

3

This pertains to client certificates that the client must have in order to be able to connect to the server, i.e. that the client must verify its identity (yes, SSL can work the other way around as well). Start by reading the general section Using SSL for Secure Connections, then see the REQUIRE clauses in the GRANT syntax:

  • REQUIRE X509 means that the client must have a valid certificate but that the exact certificate, issuer, and subject do not matter. The only requirement is that it should be possible to verify its signature with one of the CA certificates.

  • REQUIRE ISSUER 'issuer' places the restriction on connection attempts that the client must present a valid X509 certificate issued by CA 'issuer'. If the client presents a certificate that is valid but has a different issuer, the server rejects the connection. Use of X509 certificates always implies encryption, so the SSL option is unnecessary in this case.

  • ...

Community
  • 1
  • 1
deceze
  • 510,633
  • 85
  • 743
  • 889