ext-mysqlnd: can't set SSL server hostname verification independent of general certificate validation

[hartmut-mariadb]

Description

The mysql command line client and related tools verify SSL certificates, but by default do not verify that the server name used to connect matches the Subject CN, or one of the SAN extension entries, of the server certificate.

This additional verification needs to be requested using the --ssl-verify-server-cert option (which was not the best name for this, -ssl-verify-server-cert-hostname would have been a better choice, bu that is a different story); or when using encrypted replication: the MASTER_SSL_VERIFY_SERVER_CERT=1 option to CHANGE MASTER.

With mysqlnd though both verification aspects are tightly coupled, and can only be both on, or both off, controlled by the single MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT flag.

See also: ext/mysqlnd/mysqlnd_vio.c:

555                 ZVAL_BOOL(&verify_peer_zval, verify);
556                 php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
557                 php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);

https://github.com/php/php-src/blob/master/ext/mysqlnd/mysqlnd_vio.c#L555

There needs to be an extra option like MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_HOSTNAME to control hostname verification independent of general certificate verification.

PHP Version

PHP 8.1.2

Operating System

Ubuntu 22.04

[cmb69]

Looks related to #8577.

[hholzgra]

indeed ... it's the first time I filed a PHP bug via github, and not good old bugs.php.net

I'm not used to the new way to search yet (to keep it neutral)

[hartmut-mariadb]

Turns out host name checks can't be controlled independently of other certificate checks with mysql CLI either, the {{--ssl-verify-server-cert}} command line option there also controls other checks like "is certificate expired".

The "mysql --help" output turns out to provide wrong information there.

The only server certificate checks that seems to happen by default are:

• explicit ssl-ca given and server certificate is not signed by it
• extendedKeyUsage does not include serverAuth flag

So I suggest to put this report on hold for now, until we have resolved the CLI help output issue and related confusion.

[bukka]

@hartmut-mariadb Is there anything we should do about this? I mean is the CLI issue resolved? The report seems more like a feature request as it was more about missing functionality so changing that to Feature - we would not be adding a new option as a bug fix...

[github-actions]

No feedback was provided. The issue is being suspended because we assume that you are no longer experiencing the problem. If this is not the case and you are able to provide the information that was requested earlier, please do so. Thank you.