php 5.x 7.x, ssl pdo error: Peer certificate CN=`someName' did not match expected CN='someIP'

做~自己de王妃 submitted on 2019-12-23 03:32:14

Question


We have a server with MySQL on port 3306. We have certificates and a key, and we try to connect to this server. But we see this problem:

Peer certificate CN='SomeName' did not match expected CN='someIP'

I've read a lot of articles and can't find an answer for PDO PHP. The most interesting thing is that SQLyog can connect with all the same settings.

I've read that verify_peer_names can be disabled (I hope I understand what peer_names is...), but only if we use openssl_{functions} or mysqli, not PDO. Both options are not appropriate for me. I need PDO.

What I tried to do:

  • switch between versions of PHP. It helped me, but I need 5.6 or higher. For PHP 7.0 the same error.
  • find other versions of OpenSSL and PDO; I quickly understood that it's a bad idea :)
  • find some settings in php.ini, but there are no settings for my problem, only for creating SSL.

My code for connection:

$dbInfo = array(
    // the host is an IP address, but the server certificate's CN names a host name
    'dsn'  => 'mysql:host=123.45.67.890;dbname=someDB;port=3306',
    'user' => 'user',
    'pass' => 'userpassword'
);

$con = new PDO(
    $dbInfo['dsn'], $dbInfo['user'], $dbInfo['pass'],
    array(
        PDO::MYSQL_ATTR_SSL_CIPHER => 'AES256-SHA',
        PDO::MYSQL_ATTR_SSL_CA     => 'SSLCert/ca-cert.pem',
        PDO::MYSQL_ATTR_SSL_KEY    => 'SSLCert/client-key.pem',
        PDO::MYSQL_ATTR_SSL_CERT   => 'SSLCert/client-cert.pem',
    )
);

echo 'Connection OK!';

Answer 1:


We got it working for our internal self-signed certs by not using IP addresses but machine(+domain) names as the CN and connection settings.

So, put 'dbServer1.company.local' as the CN for the server certificate and use the same 'dbServer1.company.local' address as the host part of the DSN for the PDO connection. If you like, you can just use 'dbServer1' but make sure you use it in both places.

This will get you going:

$pdo_options = array(
    PDO::MYSQL_ATTR_SSL_KEY  => 'path/to/client-key.pem',
    PDO::MYSQL_ATTR_SSL_CERT => 'path/to/client-cert.pem',
    PDO::MYSQL_ATTR_SSL_CA   => 'path/to/ca.pem'
);

// the host part of the DSN must be the same name that is in the server certificate's CN
$pdo = new PDO('mysql:host=dbServer1.company.local;dbname=someDB', 'someUser', 'somePass', $pdo_options);

We manage our own DNS, so resolving dbServer1.company.local is not an issue, but if your webserver cannot resolve it or you don't/can't manage the DNS entry, then hack something like the following into your /etc/hosts file:

10.5.5.20 dbServer1.company.local

or

10.5.5.20 dbServer1
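The answer above boils down to one rule: the host you put in the DSN must be a name the server certificate is actually issued for, and an IP literal only matches an "IP Address" subjectAltName entry, never a CN that holds a host name. The following is an added example, not code from the question or the answer. It assumes a copy of the server's certificate PEM is available to the client as SSLCert/server-cert.pem (a hypothetical path) so the names on it can be inspected before connecting, and that the CA and client key/cert paths from the question exist. It also enables PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT, which exists from PHP 7.0.18 / 7.1.4 onward, so that the connection fails closed rather than silently skipping the check.

```php
<?php
// Added example, not part of the original question or answer. Paths below are
// assumptions: SSLCert/server-cert.pem is a local copy of the DB server's cert.
declare(strict_types=1);

/**
 * Return every name a server certificate is valid for: the subject CN plus
 * any DNS / IP entries in subjectAltName. TLS clients check SAN first and only
 * fall back to CN, so both are collected. IP entries are prefixed "ip:" so they
 * can never collide with a host name.
 */
function certificateHostNames(string $pemPath): array
{
    $pem = file_get_contents($pemPath);
    if ($pem === false) {
        throw new RuntimeException("Cannot read certificate: $pemPath");
    }
    $parsed = openssl_x509_parse($pem);
    if ($parsed === false) {
        throw new RuntimeException("Not a parseable X.509 certificate: $pemPath");
    }

    $names = [];
    if (!empty($parsed['subject']['CN'])) {
        $names[] = strtolower((string) $parsed['subject']['CN']);
    }
    // subjectAltName arrives as one string, e.g. "DNS:db1.company.local, IP Address:10.5.5.20"
    $san = $parsed['extensions']['subjectAltName'] ?? '';
    foreach (explode(',', $san) as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = strtolower(substr($entry, 4));
        } elseif (stripos($entry, 'IP Address:') === 0) {
            $names[] = 'ip:' . substr($entry, 11);
        }
    }
    return array_values(array_unique($names));
}

/**
 * Apply the matching rule the TLS layer uses: exact name match, a single-label
 * wildcard (*.company.local matches dbServer1.company.local but not
 * a.b.company.local), or an IP literal against an IP SAN entry only.
 */
function hostMatchesCertificate(string $host, array $certNames): bool
{
    $host = strtolower($host);
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return in_array('ip:' . $host, $certNames, true);
    }
    foreach ($certNames as $name) {
        if ($name === $host) {
            return true;
        }
        if (strpos($name, '*.') === 0) {
            $suffix = substr($name, 1);           // "*.company.local" -> ".company.local"
            $dot = strpos($host, '.');
            if ($dot !== false && substr($host, $dot) === $suffix) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Open the PDO connection with server-certificate verification explicitly on.
 * On PHP builds older than 7.0.18 / 7.1.4 the constant does not exist and
 * verification is always performed, so the option is only set when available.
 */
function connectVerified(string $host, string $db, string $user, string $pass, array $ssl): PDO
{
    $options = [
        PDO::MYSQL_ATTR_SSL_CA   => $ssl['ca'],
        PDO::MYSQL_ATTR_SSL_KEY  => $ssl['key'],
        PDO::MYSQL_ATTR_SSL_CERT => $ssl['cert'],
    ];
    if (defined('PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT')) {
        $options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = true;
    }
    return new PDO("mysql:host=$host;dbname=$db;port=3306", $user, $pass, $options);
}

// --- usage: refuse to connect if the DSN host is not on the certificate ---
$host  = 'dbServer1.company.local';                         // the CN/SAN name, not the IP
$names = certificateHostNames('SSLCert/server-cert.pem');   // assumed local copy
if (!hostMatchesCertificate($host, $names)) {
    fwrite(STDERR, "DSN host '$host' is not among the certificate names: " . implode(', ', $names) . "\n");
    exit(1);
}
$pdo = connectVerified($host, 'someDB', 'user', 'userpassword', [
    'ca'   => 'SSLCert/ca-cert.pem',
    'key'  => 'SSLCert/client-key.pem',
    'cert' => 'SSLCert/client-cert.pem',
]);
// Ssl_cipher is empty when the session is not actually encrypted, so it is worth printing
echo 'Connection OK, TLS cipher: ' . $pdo->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetchColumn(1) . "\n";
```

Running the pre-check against the certificate from the question would report that 123.45.67.890 is not among the names and exit before PDO is ever asked to connect, which is the same mismatch the driver reports, but with the list of names that would have been accepted. If an IP really must be used in the DSN, the fix is on the server side: reissue the certificate with an "IP Address" subjectAltName entry rather than disabling verification on the client.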


Source: https://stackoverflow.com/questions/38719607/php-5-x-7-x-ssl-pdo-error-peer-certificate-cn-somename-did-not-match-expecte
