[英]PHP 5.6, MySQL, SSL and self-signed certificates
Having upgraded to PHP 5.6 lately I have encountered some problems with secure connections to MySQL. 最近升级到PHP 5.6时,我遇到了与MySQL的安全连接的一些问题。 This concerns MySQLi as well as PDO.
这关系到MySQLi和PDO。
Here are my settings: 这是我的设置:
MySQLi: MySQLi:
$db->ssl_set('/etc/mysql/certs/client-key.pem', '/etc/mysql/certs/client-cert.pem', '/etc/mysql/certs/ca-cert.pem', NULL, NULL);
PDO: PDO:
array(
PDO::MYSQL_ATTR_SSL_KEY => '/path/to/client-key.pem',
PDO::MYSQL_ATTR_SSL_CERT => '/path/to/client-cert.pem',
PDO::MYSQL_ATTR_SSL_CA => '/path/to/ca-cert.pem'
)
First, I get the error "dh key too small". 首先,出现错误“ dh键太小”。
Second, I get the error "certificate verify failed". 其次,我收到错误“证书验证失败”。
I'm using a self-signed certificate which was generated with openssl according to this tutorial . 我正在使用根据本教程使用openssl生成的自签名证书。
After doing some research I found the answers to my problems: 经过研究后,我找到了解决问题的答案:
Due to logjam the DH key size now has to be larger than 768 bits while MySQL's default size is 512 bits. 由于logjam,DH密钥大小现在必须大于768位,而MySQL的默认大小为512位。 (Note: this will be fixed in MySQL 5.7 ).
(注意:这将在MySQL 5.7中修复)。 You have to provide an appropiate cipher in your connection, eg CAMELLIA128-SHA.
您必须在连接中提供适当的密码,例如CAMELLIA128-SHA。
$db->ssl_set('/etc/mysql/certs/client-key.pem', '/etc/mysql/certs/client-cert.pem', '/etc/mysql/certs/ca-cert.pem', NULL, 'CAMELLIA128-SHA');
array(
PDO::MYSQL_ATTR_SSL_KEY => '/path/to/client-key.pem',
PDO::MYSQL_ATTR_SSL_CERT => '/path/to/client-cert.pem',
PDO::MYSQL_ATTR_SSL_CA => '/path/to/ca-cert.pem',
PDO::MYSQL_ATTR_SSL_CIPHER => 'CAMELLIA128-SHA'
)
When generating your certificates you have to use the right "Common Name" for each one: 生成证书时,必须为每个证书使用正确的“通用名称”:
CA: hostname
Server: FQDN, e.g. hostname.example.com
Client: somename
The important part is the server certificate where the Common Name has to be the same as the host you are connecting to, eg hostname.example.com. 重要的部分是服务器证书 ,其中“通用名”必须与您要连接的主机相同,例如hostname.example.com。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.