msphpsql icon indicating copy to clipboard operation
msphpsql copied to clipboard

Published 20 hours ago verified publisher icon microsoft

Allow configuration of SSL/TLS connection options

Open fabiang opened this issue 2 years ago • 7 comments

Hello,

based on my old issue #1021, it's quite possible that people are actively lowering their security by allowing older cipher suites, so they just can connect to SQLServers with old certificates. Instead it should be possible to define the ciphers used for the TSL connection to the SQLServer.

PDO_MYSQL already has support for this:

PDO::MYSQL_ATTR_SSL_CA (int) The file path to the SSL certificate authority.

PDO::MYSQL_ATTR_SSL_CAPATH (int) The file path to the directory that contains the trusted SSL CA certificates, which are stored in PEM format.

PDO::MYSQL_ATTR_SSL_CERT (int) The file path to the SSL certificate.

PDO::MYSQL_ATTR_SSL_CIPHER (int) A list of one or more permissible ciphers to use for SSL encryption, in a format understood by OpenSSL. For example: DHE-RSA-AES256-SHA:AES128-SHA

PDO::MYSQL_ATTR_SSL_KEY (int) The file path to the SSL key.

PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT (int) Provides a way to disable verification of the server SSL certificate.

This exists as of PHP 7.0.18 and PHP 7.1.4.

PDO::*_ATTR_SSL_VERIFY_SERVER_CERT is already possible through connection parameter TrustServerCertificate.

So please implement those attributes or as connection parameters.

fabiang avatar Jun 20 '23 08:06 fabiang

It looks like that none of the other PDO drivers supports this. Is passing a PHP stream context as parameter/attribute the better option?

fabiang avatar Jun 20 '23 08:06 fabiang

Can these be specified in the connection string for MySQL server?

v-makouz avatar Jun 20 '23 22:06 v-makouz

Can these be specified in the connection string for MySQL server?

No, only per config and attributes. Idk if mysqlnd has support for the attributes/config.

fabiang avatar Jun 21 '23 08:06 fabiang

It's unlikely we'd be able to add these settings, since most of them are not part of the driver. In addition to TrustServerCertificate the is also ServerCertificate that allows one to specify a .pem, but the other attributes seem like the OpenSSL settings that the driver doesn't control. OpenSSL has its own config files, which may allow specifying these values.

v-makouz avatar Jun 23 '23 21:06 v-makouz

So I guess I can close this, since is required to implement this upstream into msodbc?

fabiang avatar Jul 06 '23 20:07 fabiang

@v-makouz , I note that if ServerCertificate => '/path/to/.pem' exists on pdo_sqlsrv, it's not documented here:

https://learn.microsoft.com/en-us/sql/connect/php/connection-options?view=sql-server-ver16

To use it for 'certificate pinning' would be nice.

HenkPoley avatar Jul 12 '23 14:07 HenkPoley

I'll take a look at that doc. I believe that anything in the connection string gets passed by PHP driver to the underlying ODBC Driver, so anything supported by that should work, but I'll double check to make sure.

v-makouz avatar Jul 13 '23 16:07 v-makouz