Question
This is how I usually connect to a MySQL database using SSL:
```php
$db = mysqli_init();
mysqli_ssl_set(
    $db,
    NULL,
    NULL,
    '/etc/ssl/my-certs/ssl-ca.crt.pem',
    NULL,
    NULL
);
mysqli_real_connect(
    $db,
    'db.example.com',
    'john',
    '123456',
    NULL,
    NULL,
    NULL,
    MYSQLI_CLIENT_SSL
);
```
From what I understand, the MYSQLI_CLIENT_SSL flag is necessary to make mysqli::real_connect connect to the server using SSL.
Today I stumbled upon the documentation for mysqli::options, and noticed that it accepts MYSQLI_OPT_SSL_VERIFY_SERVER_CERT as an option, but, alas, its description is blank. So, I wonder:
- When do I need to add mysqli_options($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);?
- When do I need to use the MYSQLI_CLIENT_SSL flag?
- When will I need to set both of them?
Answer 1:
- MYSQLI_OPT_SSL_VERIFY_SERVER_CERT (true) is used when you want to verify the server certificate against well-known authorities to ensure that this is a connection to a trusted host. Do not use it if you have a self-signed certificate on the server.
- MYSQLI_CLIENT_SSL must always be used when you need to encrypt the connection.
- When you have a certificate provided by authorities on the MySQL server and want encryption + MITM-attack protection, use both MYSQLI_OPT_SSL_VERIFY_SERVER_CERT and MYSQLI_CLIENT_SSL.
Source: https://stackoverflow.com/questions/54061930/whats-the-difference-between-mysqli-client-ssl-and-mysqli-opt-ssl-verify-server
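The following is an added example, not code from the question or the answer: it sets both options discussed above and then asks the server which cipher the session negotiated, refusing the connection if the answer is empty. The function names `connect_tls` and `tls_session_info` and the environment variables `DB_HOST`, `DB_USER`, `DB_PASS` and `DB_CA` are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). Throw on mysqli errors
// instead of returning false, so a failed TLS handshake cannot be ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: report what the current session negotiated.
// Ssl_cipher and Ssl_version are empty strings on an unencrypted session.
function tls_session_info(mysqli $db): array
{
    $info = [];
    $res = $db->query(
        "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version')"
    );
    while ($row = $res->fetch_assoc()) {
        $info[$row['Variable_name']] = $row['Value'];
    }
    return $info;
}

// Hypothetical helper: connect with both options from the thread set.
function connect_tls(string $host, string $user, string $pass, string $caFile): mysqli
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    $db = mysqli_init();
    // Ask the client library to verify the server certificate.
    $db->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    // Only the CA file is given: no client key or client certificate.
    $db->ssl_set(null, null, $caFile, null, null);
    // MYSQLI_CLIENT_SSL requests an encrypted connection.
    $db->real_connect($host, $user, $pass, null, null, null, MYSQLI_CLIENT_SSL);

    // Do not trust the flags alone: confirm a cipher was negotiated.
    $info = tls_session_info($db);
    if (empty($info['Ssl_cipher'])) {
        $db->close();
        throw new RuntimeException('Session is not encrypted');
    }
    return $db;
}

// Usage, run only when the (assumed) environment variables are present.
if (PHP_SAPI === 'cli' && getenv('DB_HOST') !== false) {
    $db = connect_tls(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_CA'));
    print_r(tls_session_info($db));
}
```

Reading the credentials from the environment keeps the password out of the source file, unlike the literal in the question's snippet.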