6

Summary: PHP gives an error when using self-signed certificates as provided by Google Cloud SQL.

Details: I am trying to connect to Google Cloud SQL's mysql instance using PHP's mysqli library.

```php
$db = mysqli_init();
mysqli_options ($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
$db->ssl_set('client-key.pem', 'client-cert.pem', 'server-ca.pem', NULL, NULL);
$query = mysqli_real_connect ($db, $host, $user, $pass, $dbname, 3306, NULL, MYSQLI_CLIENT_SSL);
```

As I understand it, Google Cloud allows self-signed certificates, and that is where I downloaded the client-key.pem, client-cert.pem and server-ca.pem files from.

I get the following error from PHP when validating the certificate:

mysqli_real_connect(): Peer certificate CN=`<project_name>' did not match expected CN=`<db_IP>'

Based on my research so far, it seems I need a way to disable Verify_Peer check, which apparently PHP doesn't allow. Can you please validate this and/or offer a way to use SSL with Google Cloud SQL from PHP?

Thank you.

Jumpei Ogawa
user3376563
  • I am looking for something like this (http://stackoverflow.com/questions/8443618/disable-certificate-verification-in-php-soapclient) but for mysql. Thanks! – user3376563 Dec 27 '15 at 07:07
  • Are you able to [connect with SSL using the command-line `mysql` client](https://cloud.google.com/sql/docs/mysql-client#connect-ssl)? – Nick Dec 28 '15 at 18:58

3 Answers

1

It looks like the 2 relevant bugs in PHP are still not entirely resolved: #68344 and #71003.

Guido
0

Unfortunately, this is not possible yet. PHP does a lookup and the result will not match the self-signed certificate. One will contain the name and the other will contain the IP.

There is no way [currently] to have PHP ignore this; therefore, connecting in this instance via SSL is not possible.

0

You need to replace

```php
$query = mysqli_real_connect ($db, $host, $user, $pass, $dbname, 3306, NULL, MYSQLI_CLIENT_SSL);
```

with

```php
$query = mysqli_real_connect ($db, $host, $user, $pass, $dbname, 3306, NULL, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT);
```

It is like MYSQLI_CLIENT_SSL, but disables validation of the provided SSL certificate. This is only for installations using MySQL Native Driver and MySQL 5.6 or later.

Hope it will help.

Pankaj Jackson
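The name comparison behind the error in the question and the second answer, as an added example that is not code from the original posts or from PHP itself: a simplified model (exact, case-insensitive match, no wildcards) built on PHP's openssl extension. The helper names, the CN `my-project:my-instance` and the address `192.0.2.10` are constructed stand-ins for `<project_name>` and `<db_IP>`.

```php
<?php
// Added example: a simplified model of the peer-name check, not PHP's or mysqlnd's source.
// All names and values below are constructed for illustration.

/** Create a throwaway self-signed certificate whose subject CN is $cn. */
function makeSelfSignedCert(string $cn): string
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $x509 = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
    openssl_x509_export($x509, $pem);
    return $pem;
}

/** Names the certificate claims: subjectAltName entries if present, else the CN. */
function certNames(string $pem): array
{
    $info = openssl_x509_parse($pem);
    $names = [];
    $san = $info['extensions']['subjectAltName'] ?? '';
    foreach (array_filter(array_map('trim', explode(',', $san))) as $entry) {
        // Entries look like "DNS:db.example.test" or "IP Address:192.0.2.10".
        $names[] = trim(substr($entry, strpos($entry, ':') + 1));
    }
    if ($names === [] && isset($info['subject']['CN'])) {
        $names[] = $info['subject']['CN'];
    }
    return $names;
}

/** Return null on a match, otherwise a message shaped like the one in the question. */
function checkPeerName(string $pem, string $host): ?string
{
    $names = certNames($pem);
    foreach ($names as $name) {
        if (strcasecmp($name, $host) === 0) {
            return null;
        }
    }
    return sprintf("Peer certificate CN=`%s' did not match expected CN=`%s'", $names[0] ?? '', $host);
}

$pem = makeSelfSignedCert('my-project:my-instance');      // constructed CN, stands in for <project_name>
var_dump(checkPeerName($pem, '192.0.2.10'));               // host given as an IP, stands in for <db_IP>
var_dump(checkPeerName($pem, 'my-project:my-instance'));   // host given as the same string as the CN
```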