From 76e643e7e3ebff679407255f66eafae790912f31 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 16 Jul 2015 13:14:49 +0300 Subject: Refactor proposed changes from PR #3896 --- system/database/drivers/mysqli/mysqli_driver.php | 72 +++++++++--------------- 1 file changed, 28 insertions(+), 44 deletions(-) (limited to 'system/database') diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php index 61a37bd03..82abf4e73 100644 --- a/system/database/drivers/mysqli/mysqli_driver.php +++ b/system/database/drivers/mysqli/mysqli_driver.php @@ -86,21 +86,6 @@ class CI_DB_mysqli_driver extends CI_DB { */ public $stricton = FALSE; - /** - * Used to set various SSL options that can be used when making SSL connections. - * - * @see http://php.net/manual/en/mysqli.ssl-set.php Documentation for MySQLi - * - * @var array - */ - public $ssl_options = array( - "ssl_key" => '', // The path name to the key file. - "ssl_cert" => '', // The path name to the certificate file. - "ssl_ca" => '', // The path name to the certificate authority file. - "ssl_capath" => '', // The pathname to a directory that contains trusted SSL CA certificates in PEM format. - "ssl_cipher" => '' // A list of allowable ciphers to use for SSL encryption. - ); - // -------------------------------------------------------------------- /** @@ -117,7 +102,6 @@ class CI_DB_mysqli_driver extends CI_DB { * * @param bool $persistent * @return object - * @todo SSL support */ public function db_connect($persistent = FALSE) { @@ -147,45 +131,45 @@ class CI_DB_mysqli_driver extends CI_DB { $mysqli->options(MYSQLI_INIT_COMMAND, 'SET SESSION sql_mode="STRICT_ALL_TABLES"'); } - if ($this->encrypt === TRUE) + if (is_array($this->encrypt)) { - $ssl_key = array_key_exists('ssl_key', $this->ssl_options) ? $this->ssl_options['ssl_key'] : ''; - $ssl_cert = array_key_exists('ssl_cert', $this->ssl_options) ? $this->ssl_options['ssl_cert'] : ''; - $ssl_ca = array_key_exists('ssl_ca', $this->ssl_options) ? $this->ssl_options['ssl_ca'] : ''; - $ssl_capath = array_key_exists('ssl_capath', $this->ssl_options) ? $this->ssl_options['ssl_capath'] : ''; - $ssl_cipher = array_key_exists('ssl_cipher', $this->ssl_options) ? $this->ssl_options['ssl_cipher'] : ''; - - $mysqli->ssl_set($ssl_key, $ssl_cert, $ssl_ca, $ssl_capath, $ssl_cipher); - $client_flags |= MYSQLI_CLIENT_SSL; + $ssl = array(); + empty($this->encrypt['ssl_key']) OR $ssl['key'] = $this->encrypt['ssl_key']; + empty($this->encrypt['ssl_cert']) OR $ssl['cert'] = $this->encrypt['ssl_cert']; + empty($this->encrypt['ssl_ca']) OR $ssl['ca'] = $this->encrypt['ssl_ca']; + empty($this->encrypt['ssl_capath']) OR $ssl['capath'] = $this->encrypt['ssl_capath']; + empty($this->encrypt['ssl_cipher']) OR $ssl['cipher'] = $this->encrypt['ssl_cipher']; + + if ( ! empty($ssl)) + { + $client_flags |= MYSQLI_CLIENT_SSL; + $mysqli->ssl_set( + isset($ssl['key']) ? $ssl['key'] : NULL, + isset($ssl['cert']) ? $ssl['cert'] : NULL, + isset($ssl['ca']) ? $ssl['ca'] : NULL, + isset($ssl['capath']) ? $ssl['capath'] : NULL, + isset($ssl['cipher']) ? $ssl['cipher'] : NULL + ); + } } - $connected = @$mysqli->real_connect($hostname, $this->username, $this->password, $this->database, $port, $socket, $client_flags); - - if ($connected) + if ($mysqli->real_connect($hostname, $this->username, $this->password, $this->database, $port, $socket, $client_flags)) { - // If SSL was requested we want to do some checking and log an error if an SSL connection wasn't established. - if ($this->encrypt === TRUE) + // Prior to version 5.7.3, MySQL silently downgrades to an unencrypted connection if SSL setup fails + if (($client_flags & MYSQLI_CLIENT_SSL) && version_compare($mysqli->client_info, '5.7.3', '<=')) { - $res = $mysqli->query("SHOW STATUS LIKE 'ssl_cipher';"); - $ssl_status = $res->fetch_row(); - - if ($ssl_status[1] == '') + $ssl = $mysqli->query("SHOW STATUS LIKE 'ssl_cipher'")->fetch_row(); + if (empty($ssl[1])) { - log_message('error', - "Problem With MySQLi SSL: An SSL connection was requested but the resulting connection is not using SSL!"); + $mysqli->close(); + $message = 'MySQLi was configured for an SSL connection, but got an unencrypted connection instead!'; + log_message('error', $message); + return ($this->db->db_debug) ? $this->db->display_error($message, '', TRUE) : FALSE; } } return $mysqli; } - else - { - if ($mysqli->connect_errno) - { - log_message('error', - 'msqli connect failed, error: ' . mysqli_connect_error() . " | " . $mysqli->connect_error . " | " . $mysqli->connect_errno); - } - } return FALSE; } -- cgit v1.2.3-24-g4f1b