RE: [PHP-DB] what does the mysqli real connect MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT flag do? How to disable only CN validation?

Date: Thu, 23 Mar 2023 17:27:51 +0000
Groups: php.db

Thanks, I already saw that from the documentation. I wanted to know what is validation in this
context?  Complete verification of the cert, or only CN verification.
Looking at the source it appears this flag disables both, in the underlying php/openssl, plus does
something with ALLOW_SELF_SIGNED.

My problem now is:

  1.  Modify the C source code for mysqli to allow setting only the underlying php/openssl
VERIFY_NAME only
  2.  Find a way to call the underlying PHP code outside mysqli using the return value from
DB:connect, or the passed in $dsn.  The functions are accessible, but I need to pass a context, and
I don’t think $dsn gives me access to the context.  It may be too late in the sequence of events to
change any of that.  I was thinking of doing a context get, and a context set, i

John Wythe
Software & Systems Engineer
Epicor Software Corporation
www.epicor.com<http://www.epicor.com/>
Ph: 250-260-6495
E-Mail: [email protected]

From: Aziz Saleh <[email protected]>
Sent: Wednesday, March 22, 2023 7:36 PM
To: John Wythe <[email protected]>
Cc: [email protected]
Subject: Re: [PHP-DB] what does the mysqli real connect MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
flag do? How to disable only CN validation?

That flag uses SSL encryption but disables validation of the provided SSL certificate. This is only
for installations using MySQL Native Driver and MySQL 5.6 or later.

On Wed, Mar 22, 2023 at 4:50 PM John Wythe <[email protected]<mailto:[email protected]>> wrote:
mysqli_real_connect has a parameter called flags that can be passed to it.  One of the flags is
MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT.

What does this flag do?  Does it only disable the CN validation, or does it also disable the
certificate validation against a CA authority?

SSL_CONTEXT talks about options

peer_name
peer_verify
peer_verify_name

I would like to use these to at least disable only the verify_name part, or maybe even set the
peer_name and have both validations turned on.

Seems this context function is only available for streams and not mysqli.

Openssl seems to have the ability to do this, however it does not appear to be exposed via mysqli. 
I am guessing the flag above equates to peer verify and not peer_verify_name, or equates to both.

I suppose I could download the source for php_pmysqli, and have a look, would that be the correct
package to look at?


John Wythe
Software & Systems Engineer
Epicor Software Corporation
www.epicor.com<http://www.epicor.com/>
Ph: 250-260-6495
TF Support: 800-678-7423
E-Mail: [email protected]<mailto:[email protected]>
Support E-Mail: [email protected]<mailto:[email protected]>
Support portal: https://epicorcs.service-now.com/epiccare/
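
Added example, not part of the thread or of the mysqli source: the stream-context options the first message asks about, written with PHP's documented names (`verify_peer`, `verify_peer_name`, `peer_name`), in three profiles so the chain check and the name check can be compared separately. It assumes a direct-TLS endpoint reachable via `ssl://`, since the thread notes that mysqli does not take a stream context; the function names, profile names and command-line arguments are hypothetical.

```php
<?php
// Added example, not code from the thread. Host, port, CA file and expected
// certificate name are supplied by the caller; nothing here is mysqli API.

/** Build "ssl" stream-context options for one verification profile. */
function tls_profile(string $profile, string $cafile, string $expectedName): array
{
    $base = ['cafile' => $cafile, 'capture_peer_cert' => true];
    switch ($profile) {
        case 'pin_name':   // chain check on, name check on, against an explicit name
            return $base + ['verify_peer' => true, 'verify_peer_name' => true,
                            'peer_name' => $expectedName];
        case 'chain_only': // chain check on, name check off
            return $base + ['verify_peer' => true, 'verify_peer_name' => false];
        case 'none':       // both checks off, as the thread reports for the mysqli flag
            return $base + ['verify_peer' => false, 'verify_peer_name' => false];
    }
    throw new InvalidArgumentException("unknown profile: $profile");
}

/** Attempt a TLS handshake; report whether it passed and which CN was presented. */
function tls_probe(string $host, int $port, array $sslOptions): array
{
    $ctx = stream_context_create(['ssl' => $sslOptions]);
    $warnings = [];
    // Verification failures surface as PHP warnings, so collect them.
    set_error_handler(function (int $no, string $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true;
    });
    $stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 5.0,
                                   STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    if ($stream === false) {
        return ['ok' => false, 'cn' => null, 'errors' => $warnings ?: [$errstr]];
    }
    $cert = stream_context_get_options($stream)['ssl']['peer_certificate'] ?? null;
    $cn = $cert ? (openssl_x509_parse($cert)['subject']['CN'] ?? null) : null;
    fclose($stream);
    return ['ok' => true, 'cn' => $cn, 'errors' => []];
}

// Usage: php probe.php <host> <port> <cafile> <expected-cert-name>
if (PHP_SAPI === 'cli' && $argc === 5) {
    [, $host, $port, $cafile, $name] = $argv;
    foreach (['pin_name', 'chain_only', 'none'] as $p) {
        $r = tls_probe($host, (int) $port, tls_profile($p, $cafile, $name));
        printf("%-10s ok=%s cn=%s %s\n", $p, $r['ok'] ? 'yes' : 'no',
               $r['cn'] ?? '-', implode('; ', $r['errors']));
    }
}
```

A server whose certificate chains to the CA file but carries a different name than the connect host passes `pin_name` only when the expected name matches the certificate, and passes `chain_only` regardless of the name.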