PHP to MySQL Amazon RDS with SSL, confirm SSL
I'm finding lots of conflicting information regarding usage of the MYSQL_CLIENT_SSL flag with a mysql_connect() call vs. setting up an SSH tunnel... Is MYSQL_CLIENT_SSL acceptable? The official documentation seems to indicate yes, but lots of posts on stack and elsewhere say that a tunnel is better but don't explain.
How can I verify that I'm actually getting an encrypted connection if I use MYSQL_CLIENT_SSL? I have added it to my mysql_connect() call and it doesn't throw any errors, so I assume it's working, but how can I be sure?
You can check it using this:
$connection = mysql_connect([host], [username], [password], false, MYSQL_CLIENT_SSL)
or die(mysql_error());
$res = mysql_query("SHOW STATUS LIKE 'ssl_cipher';", $connection);
print_r(mysql_fetch_row($res));
The output should look like this:
Array
(
[0] => Ssl_cipher
[1] => xxx-xxx-xxxxxx-xxx
)
I know it's an old question, but I had this problem too and solved it so thought I would share my answer for posterity.
Amazon's docs are pretty helpful. First you need to download the mysql-ssl-ca-cert.pem file from Amazon (see the link). Then try to connect from the terminal using that file.
mysql --host=mydb.c83ks9ckdk39.us-east-1.rds.amazonaws.com --user=myuser -p --ssl_ca=mysql-ssl-ca-cert.pem
Amazon says that you can restrict a connection to SSL by using this grant statement, so run this statement while connected.
GRANT USAGE ON *.* TO 'myuser'@'%' REQUIRE SSL
Now disconnect and try to connect again without the "--ssl_ca=mysql-ssl-ca-cert.pem" flag. If you are denied, then you know that SSL connections are now required for this user. Now you just need to set up PHP correctly. Something like this:
$link = mysqli_init();
mysqli_options($link, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
$link->ssl_set(NULL,NULL,"mysql-ssl-ca-cert.pem",NULL,NULL);
$ok = $link->real_connect($MYSQL['host'], $MYSQL['user'], $MYSQL['pass'], $MYSQL['db'], 3306, NULL, MYSQLI_CLIENT_SSL);
If you can connect then you are connected with SSL and you can run Tom's query to confirm if you want.
$rs = $link->query("SHOW STATUS LIKE 'ssl_cipher'");
print_r($rs->fetch_assoc());
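A fail-closed version of the check from the answers above, as an added example that is not part of the original posts: it connects with the CA bundle and refuses to return the handle when `Ssl_cipher` is empty, which is what the server reports for an unencrypted session. The function names, the `DB_*` environment variables and the CA file path are assumptions.

```php
<?php
// Added example (not from the original answers). Function names, DB_* variables
// and the CA path are assumptions; the mysqli calls mirror the answer above.

// Return this session's TLS status variables as name => value.
function tls_session_info(mysqli $link): array
{
    $info = [];
    $rs = $link->query(
        "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version')"
    );
    while ($row = $rs->fetch_assoc()) {
        $info[$row['Variable_name']] = $row['Value'];
    }
    $rs->free();
    return $info;
}

// Connect with the CA bundle and refuse to hand back an unencrypted session.
function connect_verified(string $host, string $user, string $pass, string $db, string $caFile): mysqli
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA bundle not readable: $caFile");
    }
    $link = mysqli_init();
    $link->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    $link->ssl_set(null, null, $caFile, null, null);
    // PHP 8.1+ throws mysqli_sql_exception on failure; older versions return false.
    if (!$link->real_connect($host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL)) {
        throw new RuntimeException('Connect failed: ' . mysqli_connect_error());
    }
    $info = tls_session_info($link);
    // An empty Ssl_cipher value means the session is in cleartext.
    if (($info['Ssl_cipher'] ?? '') === '') {
        $link->close();
        throw new RuntimeException('Connected, but the session is not encrypted');
    }
    return $link;
}

// Run only when executed directly from the command line.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $link = connect_verified(
        getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'),
        'mysql-ssl-ca-cert.pem'
    );
    print_r(tls_session_info($link));
}
```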