
Allow configuration of SSL/TLS connection options #1458

Open
fabiang opened this issue Jun 20, 2023 · 7 comments

Comments

@fabiang

fabiang commented Jun 20, 2023

Hello,

based on my old issue #1021, it's quite possible that people are actively lowering their security by allowing older cipher suites, so they can just connect to SQLServers with old certificates. Instead it should be possible to define the ciphers used for the TLS connection to the SQLServer.

PDO_MYSQL already has support for this:

PDO::MYSQL_ATTR_SSL_CA (int)
The file path to the SSL certificate authority.

PDO::MYSQL_ATTR_SSL_CAPATH (int)
The file path to the directory that contains the trusted SSL CA certificates, which are stored in PEM format.

PDO::MYSQL_ATTR_SSL_CERT (int)
The file path to the SSL certificate.

PDO::MYSQL_ATTR_SSL_CIPHER (int)
A list of one or more permissible ciphers to use for SSL encryption, in a format understood by OpenSSL. For example: DHE-RSA-AES256-SHA:AES128-SHA

PDO::MYSQL_ATTR_SSL_KEY (int)
The file path to the SSL key.

PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT (int)
Provides a way to disable verification of the server SSL certificate.

This exists as of PHP 7.0.18 and PHP 7.1.4.

PDO::*_ATTR_SSL_VERIFY_SERVER_CERT is already possible through connection parameter TrustServerCertificate.

So please implement those, either as attributes or as connection parameters.

@fabiang
Author

fabiang commented Jun 20, 2023

It looks like none of the other PDO drivers supports this. Is passing a PHP stream context as parameter/attribute the better option?

@v-makouz
Contributor

Can these be specified in the connection string for MySQL server?

@fabiang
Author

fabiang commented Jun 21, 2023

Can these be specified in the connection string for MySQL server?

No, only per config and attributes. Idk if mysqlnd has support for the attributes/config.

@v-makouz
Contributor

It's unlikely we'd be able to add these settings, since most of them are not part of the driver.
In addition to TrustServerCertificate there is also ServerCertificate that allows one to specify a .pem, but the other attributes seem like the OpenSSL settings that the driver doesn't control. OpenSSL has its own config files, which may allow specifying these values.

@fabiang
Author

fabiang commented Jul 6, 2023

So I guess I can close this, since it is required to implement this upstream in msodbc?

@HenkPoley

HenkPoley commented Jul 12, 2023

@v-makouz, I note that if ServerCertificate => '/path/to/.pem' exists on pdo_sqlsrv, it's not documented here:

https://learn.microsoft.com/en-us/sql/connect/php/connection-options?view=sql-server-ver16

To use it for 'certificate pinning' would be nice.

@v-makouz
Contributor

I'll take a look at that doc. I believe that anything in the connection string gets passed by the PHP driver to the underlying ODBC Driver, so anything supported by that should work, but I'll double check to make sure.
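As an added illustration of the two connection-string options discussed above (TrustServerCertificate, which the opening post warns is used to lower security, and ServerCertificate, which the contributor says accepts a .pem and which HenkPoley wants for pinning), here is example code that is not from the pdo_sqlsrv project or any participant in this thread. The host, database, credentials and PEM path are placeholders; it assumes, as the contributor states, that these keys are passed through the connection string to the ODBC driver, and it uses the real sys.dm_exec_connections view to confirm after connecting that the session is actually encrypted.

```php
<?php
// Added example, not code from the pdo_sqlsrv project or the issue authors.
// Assumptions: placeholder server/database/PEM path; Encrypt,
// TrustServerCertificate and ServerCertificate are forwarded to the ODBC
// driver via the DSN, as described in the thread.
declare(strict_types=1);

// Weak pattern from the opening post: any certificate the server presents is
// accepted, so the channel is encrypted but the peer is never authenticated.
const WEAK_DSN = 'sqlsrv:Server=db.example.internal,1433;Database=app;'
    . 'Encrypt=yes;TrustServerCertificate=yes';

/**
 * Build a DSN that requires TLS, validates the server certificate against
 * the trust store and, when a PEM path is given, pins the exact server
 * certificate through the ServerCertificate option mentioned above.
 */
function buildHardenedDsn(string $server, string $database, ?string $pinnedPem = null): string
{
    $parts = [
        'Server=' . $server,
        'Database=' . $database,
        'Encrypt=yes',
        'TrustServerCertificate=no',   // never disable validation in production
    ];
    if ($pinnedPem !== null) {
        if (!is_readable($pinnedPem)) {
            throw new InvalidArgumentException("Pinned certificate not readable: $pinnedPem");
        }
        $parts[] = 'ServerCertificate=' . $pinnedPem;
    }
    return 'sqlsrv:' . implode(';', $parts);
}

/** Ask SQL Server whether this very session negotiated TLS. */
function sessionIsEncrypted(PDO $pdo): bool
{
    $row = $pdo->query(
        'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    )->fetch(PDO::FETCH_ASSOC);
    return $row !== false && strcasecmp((string) $row['encrypt_option'], 'TRUE') === 0;
}

$dsn = buildHardenedDsn('db.example.internal,1433', 'app', '/etc/app/sqlserver.pem');
$pdo = new PDO($dsn, (string) getenv('DB_USER'), (string) getenv('DB_PASS'),
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if (!sessionIsEncrypted($pdo)) {
    throw new RuntimeException('Session is not encrypted; refusing to continue.');
}
```

If the pinned .pem does not match what the server presents, the connect itself fails, which is the intended behaviour; the post-connect check catches the separate case where a misconfigured DSN silently fell back to an unencrypted session.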
