diff options
-rw-r--r-- | application/config/database.php | 11 | ||||
-rw-r--r-- | system/database/drivers/mysqli/mysqli_driver.php | 72 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 1 |
3 files changed, 39 insertions, 45 deletions
diff --git a/application/config/database.php b/application/config/database.php index 429b4d48a..656f0c35a 100644 --- a/application/config/database.php +++ b/application/config/database.php @@ -40,6 +40,16 @@ defined('BASEPATH') OR exit('No direct script access allowed'); | Sites using Latin-1 or UTF-8 database character set and collation are unaffected. | ['swap_pre'] A default table prefix that should be swapped with the dbprefix | ['encrypt'] Whether or not to use an encrypted connection. +| +| 'mysql' (deprecated), 'sqlsrv' and 'pdo/sqlsrv' drivers accept TRUE/FALSE +| 'mysqli' driver accepts an array with the following options: +| +| 'ssl_key' - Path to the private key file +| 'ssl_cert' - Path to the public key certificate file +| 'ssl_ca' - Path to the certificate authority file +| 'ssl_capath' - Path to a directory containing trusted CA certificats in PEM format +| 'ssl_cipher' - List of *allowed* ciphers to be used for the encryption +| | ['compress'] Whether or not to use client compression (MySQL only) | ['stricton'] TRUE/FALSE - forces 'Strict Mode' connections | - good for ensuring strict SQL while developing @@ -80,7 +90,6 @@ $db['default'] = array( 'encrypt' => FALSE, 'compress' => FALSE, 'stricton' => FALSE, - 'ssl_options' => array(), 'failover' => array(), 'save_queries' => TRUE ); diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php index 61a37bd03..82abf4e73 100644 --- a/system/database/drivers/mysqli/mysqli_driver.php +++ b/system/database/drivers/mysqli/mysqli_driver.php @@ -86,21 +86,6 @@ class CI_DB_mysqli_driver extends CI_DB { */ public $stricton = FALSE; - /** - * Used to set various SSL options that can be used when making SSL connections. - * - * @see http://php.net/manual/en/mysqli.ssl-set.php Documentation for MySQLi - * - * @var array - */ - public $ssl_options = array( - "ssl_key" => '', // The path name to the key file. - "ssl_cert" => '', // The path name to the certificate file. - "ssl_ca" => '', // The path name to the certificate authority file. - "ssl_capath" => '', // The pathname to a directory that contains trusted SSL CA certificates in PEM format. - "ssl_cipher" => '' // A list of allowable ciphers to use for SSL encryption. - ); - // -------------------------------------------------------------------- /** @@ -117,7 +102,6 @@ class CI_DB_mysqli_driver extends CI_DB { * * @param bool $persistent * @return object - * @todo SSL support */ public function db_connect($persistent = FALSE) { @@ -147,45 +131,45 @@ class CI_DB_mysqli_driver extends CI_DB { $mysqli->options(MYSQLI_INIT_COMMAND, 'SET SESSION sql_mode="STRICT_ALL_TABLES"'); } - if ($this->encrypt === TRUE) + if (is_array($this->encrypt)) { - $ssl_key = array_key_exists('ssl_key', $this->ssl_options) ? $this->ssl_options['ssl_key'] : ''; - $ssl_cert = array_key_exists('ssl_cert', $this->ssl_options) ? $this->ssl_options['ssl_cert'] : ''; - $ssl_ca = array_key_exists('ssl_ca', $this->ssl_options) ? $this->ssl_options['ssl_ca'] : ''; - $ssl_capath = array_key_exists('ssl_capath', $this->ssl_options) ? $this->ssl_options['ssl_capath'] : ''; - $ssl_cipher = array_key_exists('ssl_cipher', $this->ssl_options) ? $this->ssl_options['ssl_cipher'] : ''; - - $mysqli->ssl_set($ssl_key, $ssl_cert, $ssl_ca, $ssl_capath, $ssl_cipher); - $client_flags |= MYSQLI_CLIENT_SSL; + $ssl = array(); + empty($this->encrypt['ssl_key']) OR $ssl['key'] = $this->encrypt['ssl_key']; + empty($this->encrypt['ssl_cert']) OR $ssl['cert'] = $this->encrypt['ssl_cert']; + empty($this->encrypt['ssl_ca']) OR $ssl['ca'] = $this->encrypt['ssl_ca']; + empty($this->encrypt['ssl_capath']) OR $ssl['capath'] = $this->encrypt['ssl_capath']; + empty($this->encrypt['ssl_cipher']) OR $ssl['cipher'] = $this->encrypt['ssl_cipher']; + + if ( ! empty($ssl)) + { + $client_flags |= MYSQLI_CLIENT_SSL; + $mysqli->ssl_set( + isset($ssl['key']) ? $ssl['key'] : NULL, + isset($ssl['cert']) ? $ssl['cert'] : NULL, + isset($ssl['ca']) ? $ssl['ca'] : NULL, + isset($ssl['capath']) ? $ssl['capath'] : NULL, + isset($ssl['cipher']) ? $ssl['cipher'] : NULL + ); + } } - $connected = @$mysqli->real_connect($hostname, $this->username, $this->password, $this->database, $port, $socket, $client_flags); - - if ($connected) + if ($mysqli->real_connect($hostname, $this->username, $this->password, $this->database, $port, $socket, $client_flags)) { - // If SSL was requested we want to do some checking and log an error if an SSL connection wasn't established. - if ($this->encrypt === TRUE) + // Prior to version 5.7.3, MySQL silently downgrades to an unencrypted connection if SSL setup fails + if (($client_flags & MYSQLI_CLIENT_SSL) && version_compare($mysqli->client_info, '5.7.3', '<=')) { - $res = $mysqli->query("SHOW STATUS LIKE 'ssl_cipher';"); - $ssl_status = $res->fetch_row(); - - if ($ssl_status[1] == '') + $ssl = $mysqli->query("SHOW STATUS LIKE 'ssl_cipher'")->fetch_row(); + if (empty($ssl[1])) { - log_message('error', - "Problem With MySQLi SSL: An SSL connection was requested but the resulting connection is not using SSL!"); + $mysqli->close(); + $message = 'MySQLi was configured for an SSL connection, but got an unencrypted connection instead!'; + log_message('error', $message); + return ($this->db->db_debug) ? $this->db->display_error($message, '', TRUE) : FALSE; } } return $mysqli; } - else - { - if ($mysqli->connect_errno) - { - log_message('error', - 'msqli connect failed, error: ' . mysqli_connect_error() . " | " . $mysqli->connect_error . " | " . $mysqli->connect_errno); - } - } return FALSE; } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index d175f4b90..da4d8ff9a 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -14,6 +14,7 @@ Release Date: Not Released - Database - Added ``list_fields()`` support for SQLite ('sqlite3' and 'pdo_sqlite' drivers). + - Added support for setting SSL options for the 'mysqli' driver. - Libraries |