
PHP to MySQL Amazon RDS with SSL, confirm SSL

I'm finding lots of conflicting information regarding usage of the MYSQL_CLIENT_SSL flag with a mysql_connect() call, vs setting up an SSH tunnel... Is MYSQL_CLIENT_SSL acceptable? The official documentation seems to indicate yes, but lots of posts on stack and elsewhere say that a tunnel is better but don't explain.

How can I verify that I'm actually getting an encrypted connection if I use MYSQL_CLIENT_SSL? I have added it to my mysql_connect() call and it doesn't throw any errors, I assume it's working, but how can I be sure?


You can check it using this:

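// $host, $username and $password are placeholders for your own values
$connection = mysql_connect($host, $username, $password, false, MYSQL_CLIENT_SSL)
    or die(mysql_error());
// An empty Ssl_cipher value means the connection is not encrypted
$res = mysql_query("SHOW STATUS LIKE 'ssl_cipher';", $connection);
print_r(mysql_fetch_row($res));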

The output should look like this:

Array
(
    [0] => Ssl_cipher
    [1] => xxx-xxx-xxxxxx-xxx
)


I know it's an old question, but I had this problem too and solved it so thought I would share my answer for posterity.

Amazon's docs are pretty helpful. First you need to download the mysql-ssl-ca-cert.pem file from Amazon (see the link). Then try to connect from the terminal using that file.

mysql --host=mydb.c83ks9ckdk39.us-east-1.rds.amazonaws.com --user=myuser -p --ssl_ca=mysql-ssl-ca-cert.pem

Amazon says that you can restrict a connection to SSL by using this grant statement, so run this statement while connected.

GRANT USAGE ON *.* TO 'myuser'@'%' REQUIRE SSL

Now disconnect and try to connect again without the "--ssl_ca=mysql-ssl-ca-cert.pem" flag. If you are denied, then you know that SSL connections are now required for this user. Now you just need to set up PHP correctly. Something like this:

$link = mysqli_init();
// Ask the client to verify the server certificate
mysqli_options($link, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
// Only the CA certificate is set; no client key or client certificate
$link->ssl_set(NULL, NULL, "mysql-ssl-ca-cert.pem", NULL, NULL);
$ok = $link->real_connect($MYSQL['host'], $MYSQL['user'], $MYSQL['pass'], $MYSQL['db'], 3306, NULL, MYSQLI_CLIENT_SSL);

If you can connect then you are connected with SSL and you can run Tom's query to confirm if you want.

$rs = $link->query("SHOW STATUS LIKE 'ssl_cipher'");
print_r($rs->fetch_assoc());
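
The check from the answers above, wrapped so the client refuses to continue when the session turns out to be unencrypted. This is an added example, not code from the original posts; `connect_tls()` and `assert_encrypted()` are hypothetical names, and the host, credentials and CA file path are supplied by the caller.

```php
<?php
// Added example. connect_tls() and assert_encrypted() are hypothetical names.

// Decide from SHOW STATUS rows whether the session is encrypted.
// An empty Ssl_cipher value means the connection is plaintext.
function assert_encrypted(array $status): array
{
    $cipher = $status['Ssl_cipher'] ?? '';
    if ($cipher === '') {
        throw new RuntimeException('connection is NOT encrypted (Ssl_cipher is empty)');
    }
    return ['cipher' => $cipher, 'version' => $status['Ssl_version'] ?? ''];
}

function connect_tls(string $host, string $user, string $pass, string $db, string $caFile): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA bundle not readable: $caFile");
    }
    $link = mysqli_init();
    $link->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    $link->ssl_set(null, null, $caFile, null, null);
    $link->real_connect($host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL);

    $status = [];
    $rs = $link->query("SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version')");
    while ($row = $rs->fetch_assoc()) {
        $status[$row['Variable_name']] = $row['Value'];
    }
    try {
        assert_encrypted($status);
    } catch (RuntimeException $e) {
        $link->close(); // never hand a plaintext session back to the caller
        throw $e;
    }
    return $link;
}

// Constructed sample rows (not real server output) to show both outcomes offline.
$samples = [
    ['Ssl_cipher' => 'EXAMPLE-CIPHER-NAME', 'Ssl_version' => 'TLSv1.2'],
    ['Ssl_cipher' => '', 'Ssl_version' => ''],
];
foreach ($samples as $sample) {
    try { print_r(assert_encrypted($sample)); }
    catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
}
```

The `REQUIRE SSL` grant stays the server-side control; this check makes the client side refuse a plaintext session as well.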