Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:108586 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 82345 invoked from network); 14 Feb 2020 19:32:03 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 14 Feb 2020 19:32:03 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 82EBC1805A6 for ; Fri, 14 Feb 2020 09:46:45 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Fri, 14 Feb 2020 09:46:44 -0800 (PST) Received: by mail-wm1-f44.google.com with SMTP id a5so10814884wmb.0 for ; Fri, 14 Feb 2020 09:46:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=BxNxPV4o4jaXoDg65uXSMwta59JjXiEPwQG7F6suSX0=; b=tmy9A1fzE5qJaxaAOMeJhav7GIL8btty4JyChaM5cRccDY0T0LSosjEqg2qC30Y52w IoTdC6LLDv6D53wh8V340OJPgkQIKqQuzEk38VhLwme2nQTPQ4X6sZ6HQgaP3S6j0N6k 8X5qvSG+JcRqABXIDqKkmxUktyIr2NdwxETVxAj9d+2IjZVj7Fry2yGvvGF0mRhWOLF0 ZSOhevKz/LHQ/VhPbmLpZW8ouxh3BeIEP/r2tSy4YO8ND/6uCjj7sYeSNMpiw0EgoL8A 8pb+rjlQSJRTdbr/RjWH0W0+2Uc4yU3wn/bYOLbkHn3WZTIUwfjLrXK/6TCszkJMQrYf PmRw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=BxNxPV4o4jaXoDg65uXSMwta59JjXiEPwQG7F6suSX0=; b=KOEOZaTId2BM6cPyG6w7Fcx5YKfCpnJLpJct8R5jIBvFEFYhb8qCB7nAlVKiDdFz// qkuJtilXTY9LyvXI7ujQJSE/CxebzZKE6yUjeq38cSowT1TwmYbtVduN3UvnFQPlisQC 0llc++C1Jv+JzcMCF7kH1T8SaZv1wGyS+89S6ty6exhe1ZmVunUFi9xzop3gLo1l2m0w 5wrqKwoNYwetkJTLV9wZUvZPYhSALjRZ5MUYA8oBvQ6qnvvTsNFGykW3E/kR0vdj3qTn MLGl8mN4XO4Z+SrlGjXIsYlkp/q4L2HqMqaKJFDjW5R238OqFoQj4WchIZhL78IIYa0m rt6A== X-Gm-Message-State: APjAAAWacsNpAReFN0lvq081BhzPh2G5sBB2HgQRVoaEDxh2dGh5kS2P 9/eMDowQt13Bp39FCSeQIO8UZ7zAdji7kafJRWiRrpB+ X-Google-Smtp-Source: APXvYqzqnlMueD8kVYOcpi3dKVMczTBCiVQxvh4X+mNq8AXZKtS4qkhBs/mV67IGx90NEA1JlRBVdqGltB73ahrj+d4= X-Received: by 2002:a1c:20d6:: with SMTP id g205mr5996965wmg.38.1581702402509; Fri, 14 Feb 2020 09:46:42 -0800 (PST) MIME-Version: 1.0 Date: Fri, 14 Feb 2020 09:46:31 -0800 Message-ID: To: internals Content-Type: multipart/alternative; boundary="000000000000d78e5a059e8cc9cd" Subject: Problems with mysqli code and documentation From: zardozrocks@gmail.com (j adams) --000000000000d78e5a059e8cc9cd Content-Type: text/plain; charset="UTF-8" I had considerable difficulty getting mysqli_connect to use SSL/TSL to connect to a db and I think some things need to be improved. I apologize for also describing documentation issues here, but I'll describe the coding issues first. I may need some help to prompt the documentation team to remedy some issues. It is my feeling that PHP's credibility as a viable modern language depends in large part on reliable and well-documented encryption functionality to satisfy security best practices for vital database connectivity. PHP's documentation has been one of its great assets over the years and I hope to see that great tradition continued robustly. CONTEXT An email from Amazon informed me they are upgrading the certificates for their Relational Database Servers (RDS). This prompted me to try and connect from PHP to an RDS MySQL server using SSL/TSL. The experience was difficult and unhappy. It's tricky mostly because the documentation on mysqli features relating to SSL/TLS is poor, but also because the underlying PHP code doesn't make use of a variable (or more?) in the underlying source code. CODING/DEV ISSUES 1) As pointed out here , the constant MYSQLI_OPT_SSL_VERIFY_SERVER_CERT is defined in PHP but apparently doesn't do anything at all. A decision needs to be made about whether to remove this constant or to somehow reconcile its relation to the constant MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT. The former constant is supplied to the function mysqli_options and does absolutely nothing, the latter is a flag to the function mysqli_real_connect and does appear to prevent validation of the server's SSL/TLS certificate during handshaking. There may be other orphaned variables that are not used, I don't know. 2) If one specifies "localhost" as the host when trying to mysqli_connect using SSL/TLS, then the connection will fail with these warnings: PHP Warning: mysqli_real_connect(): this stream does not support SSL/crypto in /path/to/file.php on line XX PHP Warning: mysqli_real_connect(): Cannot connect to MySQL by using SSL in /path/to/file.php on line XX PHP Warning: mysqli_real_connect(): [2002] (trying to connect via (null)) in /path/to/file.php on line XX PHP Warning: mysqli_real_connect(): (HY000/2002): in /path/to/file.php on line XX That's four warnings and a highly cryptic problem which is not easily diagnosed because there is no documentation or user comments to clarify the issue. Using 127.0.0.1 instead of localhost seems to remedy the problem for some reason surely related to transport, but it would certainly be preferable if the PHP code was smart enough to recognize the situation enough to provide a single, more meaningful warning. DOCUMENTATION (AND POSSIBLY CODING) ISSUES A) mysqli_ssl_set has no usage examples and the parameter descriptions border on useless. For example: key The path name to the key file. cert The path name to the certificate file. ca The path name to the certificate authority file. No mention is made of format. No effort is made to describe whether these are client keys/certs or server keys/certs. Is this a private key or public key? I admit my knowledge of the relation between certificates and the certificate authority file is a little fuzzy, but I'm hardly a novice programmer and feel this documentation leaves a lot to be desired. Most of the coding examples I find using this function set only the ca, leaving the majority of the numerous other parameters empty. The documentation does not describe what happens when these values are NULL or what happens of the specified file paths don't exist. It doesn't describe what string values are permissible -- which is especially disconcerting for the cipher parameter, which surely admits only certain constants? For some reason this function always returns a TRUE value, and does not throw any exceptions (e.g., if the files don't exist). What doe these parameters do? What does this function do? B) documentation for mysqli_real_connect does not sufficiently describe how it differs from mysqli_connect. E.g., it doesn't mention that mysqli_real_connect is helpful in lieu of mysqli_connect if you must set options like connect timeouts, etc. It does not provide any examples that use the flags parameter. Why do we have these two distinct functions? Is there some way to use mysqli_ssl_set with mysqli_connect? Or must one always use mysqli_real_connect? In digging further into the MySQLi documentation, I see that there is a lot of helpful detail on the Quick Start articles, and would suggest that the level of detail in Quick Start should be the bare minimum, with the details being moved into the documentation of the functions themselves. C) The mysqli_options page lists MYSQLI_OPT_SSL_VERIFY_SERVER_CERT but does not describe anything about it. As mentioned above, this constant does nothing and should probably be removed. This page also does not have a link to to the MySQLi predefined constants page for additional detail. I hope I haven't offended anyone with this message. I love PHP and want to see it be the best development language there is. --000000000000d78e5a059e8cc9cd--