PDO with self signed certificates

I'm still trying to connect with PDO to a remote MySQL database. The customer provides self-signed certificates, client-key.pem and client-cert.pem. The certificates are good; I can connect to the remote db using the mysql client. This is where I instantiate a PDO object to connect to the db.

$pdoDb = new PDO(
  'mysql:host=customer_host_name;dbname=customer_db_name', 
  'my_username', 
  'my_password', 
  array(
   PDO::MYSQL_ATTR_SSL_KEY=>'C:/Apache24/htdocs/CLIENT/lib/client-key.pem',
   PDO::MYSQL_ATTR_SSL_CERT=>'C:/Apache24/htdocs/CLIENT/lib/client-cert.pem'
  ));

I'm getting this error when I instantiate the PDO object:

Warning: PDO::__construct(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in C:\Apache24\htdocs\CUSTOMER\lib\database.php on line 17

I think the code was correct, but I'm a newbie to PHP.

Update: Pardon me. I forgot to mention that I didn't specify a value for MYSQL_ATTR_SSL_CA because the customer didn't give me one. Sorry. Is MYSQL_ATTR_SSL_CA mandatory for PDO (or mysqli)?

When generating your certificates you have to use the right "Common Name" for each one:

CA: hostname 
Server: FQDN, e.g. hostname.example.com 
Client: somename

The important part is the server certificate, where the Common Name has to be the same as the host you are connecting to, e.g. hostname.example.com.

$pdoDb = new PDO(
  'mysql:host=customer_host_name;dbname=customer_db_name', 
  'my_username', 
  'my_password', 
  array(
    PDO::MYSQL_ATTR_SSL_KEY    => 'C:/Apache24/htdocs/CLIENT/lib/client-key.pem',
    PDO::MYSQL_ATTR_SSL_CERT   => 'C:/Apache24/htdocs/CLIENT/lib/client-cert.pem',
    PDO::MYSQL_ATTR_SSL_CA     => 'C:/Apache24/htdocs/CLIENT/lib/ca-cert.pem',
    PDO::MYSQL_ATTR_SSL_CIPHER => 'CAMELLIA128-SHA'
  )
);
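
The Common Name rules from the answer, as an added example that is not part of the original post: a POSIX shell script that generates a throwaway CA, server and client certificate with the `openssl` CLI, then runs the two checks a verifying TLS client makes (chain to the CA file, and host name match). It assumes OpenSSL 1.1.1 or later with its default configuration file; the function names, directory layout and host names are made up for the illustration.

```sh
#!/bin/sh
# Constructed example: throwaway CA, server and client certificates using the
# Common Names from the answer. Host names and file names are placeholders.
set -eu

# make_certs DIR FQDN: FQDN must equal the host used in the PDO DSN.
make_certs() {
    mc_dir=$1; mc_fqdn=$2
    mkdir -p "$mc_dir"
    # Self-signed CA; its certificate is the file MYSQL_ATTR_SSL_CA points to.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=hostname" \
        -keyout "$mc_dir/ca-key.pem" -out "$mc_dir/ca-cert.pem" 2>/dev/null
    # Server and client: new key plus CSR, then a certificate signed by the CA.
    for mc_name in server client; do
        if [ "$mc_name" = server ]; then mc_cn=$mc_fqdn; else mc_cn=somename; fi
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$mc_cn" \
            -keyout "$mc_dir/$mc_name-key.pem" \
            -out "$mc_dir/$mc_name-req.pem" 2>/dev/null
        openssl x509 -req -in "$mc_dir/$mc_name-req.pem" -days 30 \
            -CA "$mc_dir/ca-cert.pem" -CAkey "$mc_dir/ca-key.pem" \
            -CAcreateserial -out "$mc_dir/$mc_name-cert.pem" 2>/dev/null
    done
}

# chain_ok CAFILE CERT: true if CERT chains to the CA in CAFILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# host_ok CERT HOST: true if CERT is valid for the host name the client dials.
host_ok() {
    case "$(openssl x509 -in "$1" -noout -checkhost "$2")" in
        *"does match"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d)
make_certs "$demo_dir" hostname.example.com
chain_ok "$demo_dir/ca-cert.pem" "$demo_dir/server-cert.pem" && echo "chain: ok"
host_ok "$demo_dir/server-cert.pem" hostname.example.com && echo "host: match"
host_ok "$demo_dir/server-cert.pem" other.example.com || echo "other host: no match"
rm -rf "$demo_dir"
```

The three Common Names are deliberately distinct: the MySQL documentation requires the server and client Common Names to differ from the CA's.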
