Message SSL is not being used even if server is not remote

[aommundsen]

Describe the bug

We are running both phpMyAdmin and MariaDB on the same server as the websites. Meaning that MariaDB is not remote, the database connections is done by using "localhost". But still phpMyAdmin display this message in the right column: "Server connection: SSL is not being used"

In phpMyAdmin 4.9.2 the message is in black text color, but in phpMyAdmin 5.1.0-dev it is displayed with red color. It is not fun when customers on shared hosting servers create support tickets and ask about this!

Expected behavior

When the database server is not remote, the message should not be displayed at all in phpMyAdmin.

Server configuration

• Operating system: CentOS 7 and 8
• Web server: Apache 2.4.41
• Database version: MariaDB 10.3.20
• PHP version: 7.2.25
• phpMyAdmin version: 4.9.2 and 5.1.0-dev

Additional context

Please consider to do one of the following so solve this:
1: Remove the message about SSL not being used if the database server is local.
or
2: Give us a configuration setting that we can put in config.inc.php to disable the message, for example something like this:
$cfg['SSLNotBeingUsed_DisableWarning'] = true;

[thk12]

I usually patch this out of index.php because it's really anoying for customers. This warning shouldn't even be displayed when PMA connects through a typical private IP range (like using VPN).

[williamdes]

Okay, a configuration override must be added

[Jaideep-97]

I pushed 2 commits into my forked repo but failed to add signoff as it was my first contribution and hence unable to open PR for this issue. How do I change that?

[williamdes]

You should create a branch on your fork and cherry-pick the changes
After cherry-picking you can do git commit --amend --no-edit --signoff and then push the commit

[Jaideep-97]

Opened a PR for this issue. (#15673 )

[aommundsen]

As phpMyAdmin 4.9.3 and 5.0.0 was released today, but this issue did not make it into those versions when I check the demo page at https://www.phpmyadmin.net/try/

That is really to bad. Because now I don't want to upgrade because in both 4.9.3 and 5.0.0 the text "SSL is not being used" is with RED TEXT COLOR. That is a step bakcward to previous versions wich was on black text color.

I would have hoped you at least could revert the introduction of red text color on that message until the fix for the issue is implemented. But that seems to late now.

Is there any recommended work-around for me to manually remove the text "Server connection: SSL is not being used" from phpMyAdmin 5.0.0 or 4.9.3? If not I can't upgrade. :(

[williamdes]

In phpMyAdmin 4.9.2 the message is in black text color,

https://demo.phpmyadmin.net/QA_4_9/
it is red in 4.9.3, @aommundsen can you post a screenshot ?

@aommundsen I am really sorry that this issue is blocking you, I changed priority so we fix this issue in the next milestone.

phpmyadmin/libraries/classes/Util.php

Lines 3860 to 3864 in 313da61

	if (! $server['ssl']) {
	$message = __('SSL is not being used');
	if (! empty($server['socket']) || $server['host'] == '127.0.0.1' || $server['host'] == 'localhost') {
	$class = '';
	}

Is there any recommended work-around for me to manually remove the text "Server connection: SSL is not being used" from phpMyAdmin 5.0.0 or 4.9.3? If not I can't upgrade. :(

For now I do not know a non hacky work-around to disable it
You set it black by using '127.0.0.1' or 'localhost' or a socket connexion
I will do my best so that issue is sorted out for you ASAP in next 5.0.x version that is scheduled in February

I also understand that customers could complain about it.

In phpMyAdmin 4.9.2 the message is in black text color, but in phpMyAdmin 5.1.0-dev it is displayed with red color.

@aommundsen I now think that you changed the host between the 4.9 and the 5.0 server configuration

Hope my answer helps you

[aommundsen]

@williamdes, thank you for reply and information. I have not changed host. However please note that I have not yet upgraded to phpMyAdmin 4.9.3 or 5.0.0, I only assumed that because the demo displayed the text in red color it was because of the new version. Now I understand I was wrong, and that the red text is likely is releated to the demo using a external host. Sorry I misunderstood. I will now upgrade to from 4.9.2 to 5.0.0 in a few days, and because I have not changed host, the text should remain black. :)

[williamdes]

I will now upgrade to from 4.9.2 to 5.0.0 in a few days, and because I have not changed host, the text should remain black. :)

Thank you for your reply, I will now close the issue since you agree it is the expected behavior ;)

[aommundsen]

@williamdes, You misunderstand me. I do not agree this should be the expected behavior.

The text "Server connection: SSL is not being used" should not be displayed at all when the server is local, that should still be fixed, as it still creates support tickets from customers that think the connection is not secure.

However as the text will not be in red color after I upgrade (that was my misunderstanding), the problem will not be worce then in previous versions, so I can still upgrade.

Please make a change in future versions so that the text "Server connection: SSL is not being used" is not displayed at all when local host is used.

[aommundsen]

Also you did agree in comment above where you said this: "Okay, a configuration override must be added"

Also I am not the only one that think this must be fixed. Also the user @thk12 in comment above agree with me.

[williamdes]

Sorry for the misunderstanding @aommundsen

The focus of this issue will now be:

Please make a change in future versions so that the text "Server connection: SSL is not being used" is not displayed at all when local host is used.

and

a configuration override must be added

[williamdes]

Well. I am not going to wait for this. I am already manually patching phpMyAdmin on our servers every time we upgrade, deleting the offending code.

I totally understand and am very sorry for this situation

[bricoreur]

Hello, I'm a beginner.
To date, I am trying to configure my vps. I installed on my vps, apache2, mariadb and phpmyadmin 5.0.2. I also have the message: connection to the server: ssl is not used.
question 1:
If I understand correctly, am I really local?

Question 2:
therefore SSL is not required and would be a bug?

Thank you for your answers because I have been looking for a way to correct this error for several days?

Sorry for my ignorance.

[williamdes]

Hi @bricoreur are you sure that you did not confuse SSL as the connexion between your browser and the server ?
Because the displayed message is between php and the MySQL server (so it could be local in your case)

[bricoreur]

yes most certainly ...sorry
However, I did create a user 'tom' with an ssl connection in mariadb
status:
....
ssl: Cipher in use is TLS_AES_256_GCM_SHA384

How to make it recognized in in phpmyadmin

Is it possible or necessary?

---

if everything is on my vps (apache, mariadb, phpmyadmin....), does that mean that i'm local?

Again, I am starting to understand how it works ... but I am progressing :)

[williamdes]

if everything is on my vps (apache, mariadb, phpmyadmin....), does that mean that i'm local?

yes :)

Again, I am starting to understand how it works ... but I am progressing :)

No worries 💪

Is it possible or necessary?

I think is is possible, please have a look to https://docs.phpmyadmin.net/en/latest/config.html#cfg_Servers_ssl_ciphers

[bricoreur]

I wanted to insert in config.inc.php

$ cfg ['Servers'] [$ i] ['ssl'] = true;
$ cfg ['Servers'] [$ i] ['ssl_verify'] = false
my certificate is self-signed
$ cfg ['Servers'] [$ i] ['ssl_ca'] = ca-cert.pem
$ cfg ['Servers'] [$ i] ['ssl_cert'] = server-cert.pem
$ cfg ['Servers'] [$ i] ['ssl_key'] = server-key.pem

Is it correct

[bricoreur]

I answered before reading your message..I will read your documentation

[williamdes]

@bricoreur here is one of my configurations:

$i++;
$cfg['Servers'][$i]['verbose'] = 'MariaDB 10.4 SSL';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = 'mariadb104.williamdes.local';
$cfg['Servers'][$i]['port'] = 3306;
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['AllowNoPassword'] = true;
$cfg['Servers'][$i]['ssl'] = true;
$cfg['Servers'][$i]['ssl_key'] = '/etc/db-certs/client-key.pem';
$cfg['Servers'][$i]['ssl_cert'] = '/etc/db-certs/client-cert.pem';
$cfg['Servers'][$i]['ssl_ca'] = '/etc/db-certs/ca-cert.pem';
$cfg['Servers'][$i]['ssl_ca_path'] = '/etc/db-certs/';

https://github.com/wdesportes/phpmyadmin-local-setup/blob/a9ac9dc281bcfa3348e4c7ad10e00ef71cbcf546/docker-compose.yml#L3

[bricoreur]

I have users:

• root
• user
• pma

I did tests on mariadb in command line:

• root: ok - TLS_AES
• user: ok _TLS_AES

I connect to my site in https
https: // my_domain / phpmyadmin

i have a htaccess control that works well

I arrive on the phpmyadmin login page

Here is my configuration of my config.inc.php

$ cfg ['blowfish_secret'] = 'blablabla';
$ cfg ['TempDir'] = '/ var / lib / phpmyadmin / tmp';

/ **
 * Servers configuration
 * /
$ i = 0;

/ **
 * First server
 * /
$ i ++;
/ * Authentication type * /

$ cfg ['Servers'] [$ i] ['verbose'] = 'MariaDB 10.4 SSL';
$ cfg ['Servers'] [$ i] ['auth_type'] = 'cookie';

/ * Server parameters * /
$ cfg ['Servers'] [$ i] ['host'] = 'localhost';
$ cfg ['Servers'] [$ i] ['port'] = 3306;
$ cfg ['Servers'] [$ i] ['compress'] = false;
$ cfg ['Servers'] [$ i] ['AllowNoPassword'] = false;

$ cfg ['Servers'] [$ i] ['ssl'] = true;
$ cfg ['Servers'] [$ i] ['ssl_verify'] = false;
$ cfg ['Servers'] [$ i] ['ssl_key'] = '/etc/mysql/ssl/client-key.pem';
$ cfg ['Servers'] [$ i] ['ssl_cert'] = '/etc/mysql/ssl/client-cert.pem';
$ cfg ['Servers'] [$ i] ['ssl_ca'] = '/etc/mysql/ssl/ca-cert.pem';
$ cfg ['Servers'] [$ i] ['ssl_ca_path'] = '/ etc / mysql / ssl /';


// $ cfg ['Servers'] [$ i] ['socket'] = '/var/run/mysqld/mysqld.sock';
// $ cfg ['Servers'] [$ i] ['ssl_ciphers'] = 'TLS_AES_256_GCM_SHA384';

Are the user keys to be entered?

login: user
pw: xxxx

[bricoreur]

Errors :

mysqli :: real_connect (): this stream does not support SSL / crypto
mysqli :: real_connect (): Cannot connect to MySQL by using SSL
mysqli :: real_connect (): [2002] (trying to connect via (null))
mysqli :: real_connect (): (HY000 / 2002):
The connection to the “controluser” as defined in the configuration failed.
mysqli :: real_connect (): this stream does not support SSL / crypto
mysqli :: real_connect (): Cannot connect to MySQL by using SSL
mysqli :: real_connect (): [2002] (trying to connect via (null))
mysqli :: real_connect (): (HY000 / 2002):

[bricoreur]

i activate in php.ini

extension=openssl

is there anything else to do ?

the problem is the same...

[bricoreur]

i don't know if i can to say that but i followed this :
https://www.digitalocean.com/community/tutorials/how-to-install-phpmyadmin-from-source-debian-10

[williamdes]

So you are now connected but the control user is not connected and throws a warning ?

[bricoreur]

Hi,
Thank you for your help
When I want to connect with my user, I have the messages mentioned above
As if he couldn't read ssl / crypto? too difficult for my skills and I have been blocking for several days

Is it used to be in SSL with regard to my architecture?

otherwise I would still like to get there to understand and progress

[williamdes]

NB: once solved I will hide all our off-topic messages for other readers of this issue

Could you try to disable SSL in the configuration $cfg['Servers'][$i]['ssl'] = false; to see if it connects correctly ?

Maybe you could try the command mentioned here to test the connection
#16069 (comment)

I am not very sure on how to help you

You could try to re-generate the SSL cerificates using a script similar to https://github.com/wdesportes/phpmyadmin-local-setup/blob/master/public/ssl/generate.sh (consider backpacking your current certificates and private keys ?)

[thk12]

notice: to delete the annoying "Server connection", just edit templates/home/index.twig line 104+

[orzel]

Could you try to disable SSL in the configuration $cfg['Servers'][$i]['ssl'] = false; to see if it connects correctly ?

That was my first try. Doesn't work with pma 5.0.2 (and probably others).

[williamdes]

Your wishes where listened, time passes but I do not forget (I try hard not to)
Please have a look to my work on #16466