问题描述
这通常是我使用SSL连接到MySQL数据库的方式:
$db = mysqli_init();
mysqli_ssl_set(
$db,
NULL,
NULL,
'/etc/ssl/my-certs/ssl-ca.crt.pem',
NULL,
NULL
);
mysqli_real_connect(
$db,
'db.example.com',
'john',
'123456',
NULL,
NULL,
NULL,
MYSQLI_CLIENT_SSL
);
在阅读 mysqli::options 的PHP文档时,我注意到MYSQLI_OPT_SSL_VERIFY_SERVER_CERT选项的存在,我认为这是使MySQLi验证服务器证书的选项.不幸的是,文档中没有MYSQLI_OPT_SSL_VERIFY_SERVER_CERT的描述.这个选项的存在使我想知道我是否已经不安全地连接到MySQL.现在我想知道是否安全地连接到MySQL的正确方法是这样的:
$db = mysqli_init();
mysqli_options($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true); // <- Attention.
mysqli_ssl_set(
$db,
NULL,
NULL,
'/etc/ssl/my-certs/ssl-ca.crt.pem',
NULL,
NULL
);
mysqli_real_connect(
$db,
'db.example.com',
'john',
'123456',
NULL,
NULL,
NULL,
MYSQLI_CLIENT_SSL
);
所以,我的问题是:
- 默认情况下
MYSQLI_OPT_SSL_VERIFY_SERVER_CERT是否设置为true? -
MYSQLI_OPT_SSL_VERIFY_SERVER_CERT的作用是什么? (请引用) - 使用MySQLi连接到远程MySQL数据库的正确(安全)方法是什么?
(注意:这是关于)
请求的答案
事实是,MYSQLI_OPT_SSL_VERIFY_SERVER_CERT 没有任何作用.它是一个未使用的常量.我只是通过扫描源代码进行验证. /p>
因此,您的问题仍然存在:默认情况下,MySQLi连接是否检查服务器证书?
简短答案:是.
长答案:尽管证书与常用的证书颁发机构的列表不匹配,即使在建立连接后仍会验证提供的CA(即使是自签名的),以减轻 MITM攻击.
从工程角度回答
当连接到MySQL服务器时,我根本不建议使用SSL连接,因为它们会增加一些缺点(加密,带宽,解密,增加的内存使用量,增加的总体往返时间).如果服务器必须根据设计在本地网络外部(在这种情况下,设计似乎是错误的),那么更好的方法是在受信任的本地网络内进行连接,或者使用某种类型的经过身份验证的SOAP接口来检索和操作数据. >
This is how I usually connect to a MySQL database using SSL:
$db = mysqli_init();
mysqli_ssl_set(
$db,
NULL,
NULL,
'/etc/ssl/my-certs/ssl-ca.crt.pem',
NULL,
NULL
);
mysqli_real_connect(
$db,
'db.example.com',
'john',
'123456',
NULL,
NULL,
NULL,
MYSQLI_CLIENT_SSL
);
When reading the PHP documentation for mysqli::options, I noticed the existence of the MYSQLI_OPT_SSL_VERIFY_SERVER_CERT option, which I assume is an option to make MySQLi verify the server certificate. Unfortunately, there is no description of MYSQLI_OPT_SSL_VERIFY_SERVER_CERT in the documentation. The existence of this option makes me wonder if I have been connecting to MySQL insecurely. Now I'm wondering if the proper way to connect to MySQL securely is like this:
$db = mysqli_init();
mysqli_options($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true); // <- Attention.
mysqli_ssl_set(
$db,
NULL,
NULL,
'/etc/ssl/my-certs/ssl-ca.crt.pem',
NULL,
NULL
);
mysqli_real_connect(
$db,
'db.example.com',
'john',
'123456',
NULL,
NULL,
NULL,
MYSQLI_CLIENT_SSL
);
So, my questions are:
- Is
MYSQLI_OPT_SSL_VERIFY_SERVER_CERTset totrueby default? - What does
MYSQLI_OPT_SSL_VERIFY_SERVER_CERTdo? (citations please) - What is the proper (secure) way to connect to a remote MySQL database using MySQLi?
(Note: this is a follow-up question on What's the difference between MYSQLI_CLIENT_SSL and MYSQLI_OPT_SSL_VERIFY_SERVER_CERT?)
Requested answer
The truth is, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT has no effect.It is an unused constant. I just verified this by scanning the source code.
So, your question remains: Are MySQLi connections checking server certificates by default?
Short answer: Yes, they are.
Long answer: Although certificates are not matched against a list of commonly trusted Certificate Authorities, the provided CA (even if self-signed) is still verified on connection establishment to mitigate MITM-attacks.
Answer from engineering perspective
When connecting to a MySQL server, I would not recommend using SSL connections at all, as they add several layers of disadvantages (encryption, bandwidth, decryption, increased memory usage, increased overall roundtrip time). A much better approach is to connect within a trusted local network or use some type of well authenticated SOAP interface to retrieve and manipulate data if the server must be outside a local network by design (in which case the design just seems wrong).
这篇关于使用SSL时,MySQLi默认会验证服务器证书吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!