Is there a way to access a MySQL database over the network from PHP and be confident that
- the connection is actually using SSL, and
- the server's X.509 certificate was successfully verified?
As far as i can tell, when using the stock MySQL bindings, setting MYSQL_CLIENT_SSL is purely advisory (i.e. it won't fail if the server doesn't advertise SSL support). This means it won't defend against an active network attacker performing the equivalent of sslstrip.
Even if MYSQL_CLIENT_SSL was stronger than an advisory flag, i can't
seem to come up with a way to tell PHP's basic MySQL bindings the
equivalent of the --ssl-ca
flag
to the mysql client binary. Without being able to configure this, a
"man-in-the-middle" should be able to intercept the connection by
offering their own certificate on their endpoint, and otherwise relaying
the traffic. A client that does not verify the server's identity would
be none the wiser.
One option to avoid a MITM attack would be for the server to require
client-side certs via the REQUIRE option for a GRANT
statement,
but the basic MySQL bindings for php don't seem to support that either.
PHP's mysqli bindings
(MySQL Improved, i think) feature a command called
ssl_set() which appears
to allow client-side certificate support. But its documentation isn't
clear on how it handles an invalid/expired/revoked server certificate
(let alone a server that announces that it doesn't support SSL), and it
also mentions:
This function does nothing unless OpenSSL support is enabled.
Given that debian MySQL packages don't use OpenSSL because of licensing incompatibilities with the GPL, i'm left wondering if packages built against yaSSL support this feature. And i'm more than a little bit leery that i have no way of telling whether my configuration request succeeded, or whether this function just happily did nothing because the interpreter got re-built with the wrong flags. Shouldn't the function fail explicitly if it cannot meet the user's request?
Meanwhile, the PDO bindings for MySQL apparently don't support SSL connections at all.
What's going on here? Does no one use MySQL over the network via PHP? Given the number of LAMP-driven data centers, this seems pretty unlikely. Do PHP+MySQL users just not care about privacy or integrity of their data?
Or (please let this be the case) have i just somehow missed the obvious documentation?