PHP & MariaDB: Establish a secure mySQL-Connection - mysql

Folks,
The Internet is full of hits on this topic, but none really helps or the information is very outdated.
I want to establish a TLS-secured connection to a mySQL database server using PHP 7.4. I want to avoid client certificates - if possible - because they are "over engineered" for my use case.
Unfortunately, I only manage to establish an unsecured connection. As soon I enforce only secure connections (require-secure-transport = on), the external Webserver is not able to connect to the DB.
With this configuration, the authentication will fail. I thought, filling $mysqli->ssl_set with NULL will initiate a TLS-Connection.
Any idea how to solve this?
mySQL-Server Configuration:
Creating Certs
mkdir /etc/mysql/certs
sudo openssl genrsa -out /etc/mysql/certs/ca-key.pem 4096
sudo openssl req -new -x509 -nodes -days 1825 -key /etc/mysql/certs/ca-key.pem -out
/etc/mysql/certs/ca-cert.pem
chown -R mysql:mysql /etc/mysql/certs/
DB-Setup /etc/mysql/mariadb.conf.d/50-server.cnf
[mysql]
general_log_file = /var/log/mysql/mysql.log
general_log = 1
log_error = /var/log/mysql/error.log
ssl_cert = /etc/mysql/certs/ca-cert.pem
ssl_key = /etc/mysql/certs/ca-key.pem
tls_version = TLSv1.2,TLSv1.3
require-secure-transport = on
bind-address = 0.0.0.0 # will allow Connections from everywhere
PHP
/var/www/html/example.php
$servername = "foo.bar";
$username = "user";
$password = "secret";
$dbname = "myDb";
$mysqli = mysqli_init();
$mysqli->ssl_set(NULL, NULL, NULL, NULL, NULL);
$mysqli->real_connect($servername, $username, $password, $dbname);


Finally, it tooks me 2 days to find the correct configuration. Hopefully it wil help others:
I am starting from scratch with Server-Side Setup (Debian Bullseye mariaDB)
1. Creating Key and Certificate on Server-side
mkdir /etc/mysql/certs
sudo openssl genrsa -out /etc/mysql/certs/ca-key.pem 4096
sudo openssl req -new -x509 -nodes -days 1825 -key /etc/mysql/certs/ca-key.pem -out /etc/mysql/certs/ca-clientcert.pem
chown -R mysql:mysql /etc/mysql/certs/
2. Change Config on Server
nano etc/mysql/mariadb.conf.d/50-server.cnf
[client]
ssl-cipher = DHE-RSA-AES256-SHA
[mysql]
log_error = /var/log/mysql/error.log
ssl_cert = /etc/mysql/certs/ca-clientcert.pem
ssl_key = /etc/mysql/certs/ca-key.pem
tls_version = TLSv1.2,TLSv1.3
require-secure-transport = on
bind-address = 0.0.0.0 # will allow Connections from everywhere
Restart the server: systemctl restart mariadb.service
3. Now on the Client-Side, following PHP will be used:
Don't forget to transfert the file ca-clientcert.pem to your Webserver!
<?php
// SETUP ENVIRONMENT
session_start();
header('Content-Type: text/html; charset=utf-8');
error_reporting(E_ALL);
ini_set("display_errors", "1");
// LOADING SENSITIVE DATA FROM NON-PUBLIC LOCATION
$certfile = "/home/files/ca-clientcert.pem";
$pwfile = "/home/files/mysecret.txt";
$fh = fopen($pwfile, 'r')
or die("Can't initialize Database connection!");;
$loadedpw = fgets($fh);
// INITILIZE DB CONNECTION
$host = "foo.bar";
$port = 3306;
$username = "user";
$password = $loadedpw;
$dbname = "databasename";
$con = mysqli_init();
mysqli_ssl_set($con, NULL, NULL, $certfile, NULL, NULL);
mysqli_options($con, MYSQLI_OPT_CONNECT_TIMEOUT, 10);
mysqli_options($con, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, false);
mysqli_real_connect($con, $host, $username, $password, $dbname, $port);
if (!$con)
{
die('<br /><br />Connect Error (' . mysqli_connect_errno() . ') '.mysqli_connect_error());
}
?>

Related

Postfix - Must issue a STARTTLS command first

I am trying to send email through gmail via postfix, but it shows me the following error:
Must issue a STARTTLS command first.
Sep 6 01:11:34 NovusTec postfix/smtp[10889]: 1284460D68: to=<cassa#gmail.co>, relay=smtp.gmail.com[64.233.190.108]:587, delay=2882, delays=2881/0.02/0.83/0.19, dsn=5.7.0, status=bounced (host smtp.gmail.com[64.233.190.108] said: 530 5.7.0 Must issue a STARTTLS command first. k65sm16819558qkf.7 - gsmtp (in reply to MAIL FROM command))
/etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localdomain, localhost, localhost.localdomain, localhost
relayhost = [smtp.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtp_use_tls=yes
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/certs
I tried several configurations informed on other sites without success = \
Can anybody help me?

Your problem is your ca certificates. exactly on line smtp_tls_CAfile = /etc/ssl/certs
to confirm that, add the following to main.cf and restart postfix service.
debug_peer_list=smtp.gmail.com
debug_peer_level=3
Now send another email and look at /var/log/mail.log.
You will see this message: cannot load Certificate Authority data: disabling TLS support.
Now change smtp_tls_CAfile = /etc/ssl/certs to smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt. This is for Debian/Ubuntu, you should find the file path for your respective distribution.
Restart postfix service and test send again. You should be up and running.
Remember to remove logging lines after the issue is fixed.
#debug_peer_list=smtp.gmail.com
#debug_peer_level=3

I kept getting that error until I added in main.cf
smtp_tls_security_level=encrypt
not sure what the default is...

Cannot start phpMyAdmin with Amazon RDS

I have started an EC2 instance in Amazon and a mySQL RDS.
I am trying to install phpMyAdmin without success..
I have downloaded and extracted all files of phpMyAdmin to /var/www/html/phpMyAdmin, changed the config.inc.php to:
$cfg['Servers'][$i]['host'] = '[myDB].[randomstring].us-east-1.rds.amazonaws.com';
$cfg['Servers'][$i]['port'] = '3306';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysql';
$cfg['Servers'][$i]['compress'] = TRUE;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = '?????';
$cfg['Servers'][$i]['password'] = '??????';
And when I try to enter: the phpMyAdmin folder I get the following error:
"The mbstring extension is missing. Please check your PHP
configuration."

for amazon add this before the command: sudo
so it looks like this:
sudo yum install php-mbstring

phpMyAdmin and mysql issue

I am running WAMP latest version
Everything was fine.......
I opened phpMyAdmin and added a user and a password for the user
Now I can not get into phpMyAdmin unless i set authentication type to cookie
Then I can login with my user name and no password.....but I HAVE a password....
Also MySQL console will login without a password now also....
What the heck have I done?
PHP config.ini looks like this:
<?php
/* Servers configuration */
$i = 0;
/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'USERNAME';
$cfg['Servers'][$i]['password'] = 'PASSWORD';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
/* End of servers configuration */
$cfg['DefaultLang'] = 'en-utf-8';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
/* rajk - for blobstreaming */
$cfg['Servers'][$i]['bs_garbage_threshold'] = 50;
$cfg['Servers'][$i]['bs_repository_threshold'] = '32M';
$cfg['Servers'][$i]['bs_temp_blob_timeout'] = 600;
$cfg['Servers'][$i]['bs_temp_log_threshold'] = '32M';
?>
Next MySQL ini file looks like this:
# Example MySQL config file for medium systems.
#
# This is for a system with little memory (32M - 64M) where MySQL plays
# an important part, or systems up to 128M where MySQL is used together with
# other programs (such as a web server)
#
# You can copy this file to
# /etc/my.cnf to set global options,
# mysql-data-dir/my.cnf to set server-specific options (in this
# installation this directory is C:\mysql\data) or
# ~/.my.cnf to set user-specific options.
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.
# The following options will be passed to all MySQL clients
[client]
#password = MYPASSWORD
port = 3306
socket = /tmp/mysql.sock
# Here follows entries for some specific programs
# The MySQL server
[wampmysqld]
port = 3306
socket = /tmp/mysql.sock
key_buffer = 16M
max_allowed_packet = 1M
table_cache = 64
sort_buffer_size = 512K
net_buffer_length = 8K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M
basedir=c:/wamp/bin/mysql/mysql5.5.24
log-error=c:/wamp/logs/mysql.log
datadir=c:/wamp/bin/mysql/mysql5.5.24/data
Literally all I did was open phpMyAdmin and added a new user
What I need to do is remove both users from phpMyAdmin
THEN
Add in a user with full privileges and a password and have that match what is in
phpMyAdmin config.ini file
I should be able to do all of this from the mysql command console but i need some help with commands.
If I could just get a user added and put that info in phpMyAdmin config.ini file i just need to get in it and I can modify what i need to.
I restored SQL back to noon today and this resolved my issue however the reason I had this issue to begin with is because I was trying to load an access applications database into sql and it kept telling me I did not have access. However when I login to phpMyAdmin with the same credentials all is well.

MySQL for Linux Red Hat 5.4 - Build / Install locally as non-root - cannot start using it

I downloaded and installed My SQL from http://downloads.mysql.com/archives/mysql-5.0/mysql-5.0.91.tar.gz. The build was successfully and I installed in to a local non-root directory.
However when try to invoke mysql from command line I get the below error -
Linux:>prakash_prasad/bin/mysql-5.0.91/bin 1021> ./mysql
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
Linux:>prakash_prasad/bin/mysql-5.0.91/bin 1022>
Googling around it states modify / create - /etc/my.cnf - but I do not have permissions to create file in /etc. There has to some other fix for the above issue. I greped which MySql files in installation directory has config /tmp/mysql.sock:
Linux:>prakash_prasad/bin/mysql-5.0.91 1018> grep -ir tmp . | grep sock
./include/mysql/mysql_version.h:#define MYSQL_UNIX_ADDR "/tmp/mysql.sock"
./bin/mysqld_safe:safe_mysql_unix_port=${mysql_unix_port:-${MYSQL_UNIX_PORT:-/tmp/mysql.sock}}
./bin/mysql_config:socket='/tmp/mysql.sock'
./bin/mysqld_multi:socket = /tmp/mysql.sock2
./bin/mysqld_multi:socket = /tmp/mysql.sock3
./bin/mysqld_multi:socket = /tmp/mysql.sock4
./bin/mysqld_multi:socket = /tmp/mysql.sock6
./share/mysql/my-small.cnf:socket = /tmp/mysql.sock
./share/mysql/my-small.cnf:socket = /tmp/mysql.sock
./share/mysql/my-medium.cnf:socket = /tmp/mysql.sock
./share/mysql/my-medium.cnf:socket = /tmp/mysql.sock
./share/mysql/my-large.cnf:socket = /tmp/mysql.sock
./share/mysql/my-large.cnf:socket = /tmp/mysql.sock
./share/mysql/my-huge.cnf:socket = /tmp/mysql.sock
./share/mysql/my-huge.cnf:socket = /tmp/mysql.sock
./share/mysql/my-innodb-heavy-4G.cnf:socket = /tmp/mysql.sock
./share/mysql/my-innodb-heavy-4G.cnf:socket = /tmp/mysql.sock
./share/man/man1/mysql-stress-test.pl.1:/tmp/mysql\&.sock\&.
./share/man/man1/mysql-test-run.pl.1:shell> \fB\&.\&./mysql \-S \&./var/tmp/master\&.sock \-h localhost \-u root\fR
./share/man/man1/mysql_config.1: \-\-socket [/tmp/mysql\&.sock]
./share/man/man1/mysqld_multi.1:shell> \fBmysql \-u root \-S /tmp/mysql\&.sock \-p\fR
./share/man/man1/mysqld_multi.1:socket = /tmp/mysql\&.sock2
./share/man/man1/mysqld_multi.1:socket = /tmp/mysql\&.sock3
./share/man/man1/mysqld_multi.1:socket = /tmp/mysql\&.sock4
./share/man/man1/mysqld_multi.1:socket = /tmp/mysql\&.sock6
./share/man/man8/mysqlmanager.8:/tmp/mysqlmanager\&.sock\&. This option has no meaning on Windows\&.
./share/man/man8/mysqlmanager.8:socket=/tmp/manager\&.sock
./share/man/man8/mysqlmanager.8:socket=/tmp/mysql\&.sock
./share/man/man8/mysqlmanager.8:socket = /tmp/mysql\&.sock5
./share/man/man8/mysqlmanager.8:| socket | /tmp/mysql\&.sock3 |
./mysql-test/suite/funcs_1/views/func_view.inc:# ./mysql-test-run.pl --socket=var/tmp/master.sock --start-dirty
./mysql-test/mysql-test-run-shell:LOCAL_SOCKET=/tmp/mysql.sock
./mysql-test/mysql-test-run-shell:MASTER_MYSOCK="$MYSQL_TMP_DIR/master.sock"
./mysql-test/mysql-test-run-shell:SLAVE_MYSOCK="$MYSQL_TMP_DIR/slave.sock"
./mysql-test/mysql-test-run-shell: $MYSQLADMIN --no-defaults -uroot --socket=$MYSQL_TMP_DIR/$ident.sock$3 --connect_timeout=5 --shutdown_timeout=70 shutdown >> $MYSQL_MANAGER_LOG 2>&1
./mysql-test/mysql-test-run-shell: $MYSQLADMIN --no-defaults -uroot --socket=$MYSQL_TMP_DIR/$ident.sock$3 --connect_timeout=1 ping >> $MYSQL_MANAGER_LOG 2>&1
./mysql-test/mysql-test-run-shell: $MYSQLADMIN --no-defaults -uroot --socket=$MYSQL_TMP_DIR/$slave_ident.sock stop-slave > /dev/null 2>&1
./mysql-test/mysql-test-run: # On QNX, /tmp/dir/master.sock and /tmp/dir//master.sock seem to be
./mysql-test/mysql-test-run: my $sockdir = $opt_tmpdir;
./mysql-test/mysql-test-run: $master->[0]->{'path_sock'}= $opt_socket ? $opt_socket : "/tmp/mysql.sock";
./mysql-test/mtr: # On QNX, /tmp/dir/master.sock and /tmp/dir//master.sock seem to be
./mysql-test/mtr: my $sockdir = $opt_tmpdir;
./mysql-test/mtr: $master->[0]->{'path_sock'}= $opt_socket ? $opt_socket : "/tmp/mysql.sock";
./mysql-test/mysql-test-run.pl: # On QNX, /tmp/dir/master.sock and /tmp/dir//master.sock seem to be
./mysql-test/mysql-test-run.pl: my $sockdir = $opt_tmpdir;
./mysql-test/mysql-test-run.pl: $master->[0]->{'path_sock'}= $opt_socket ? $opt_socket : "/tmp/mysql.sock";
./mysql-test/mysql-stress-test.pl:$opt_server_socket= $opt_server_socket ? $opt_server_socket : "/tmp/mysql.sock";
Linux:>prakash_prasad/bin/mysql-5.0.91 1019>
Now I not sure what changes I have to make to be able to use it.
Thanks in advance

Create your my.cnf wherever you want and start the server with
/path/to/mysqld --defaults-file=/path/to/my.cnf

try the --defaults-extra-file=path option if you can't change the /etc/my.cnf file.
Or, if you only want to change the socket, use: --socket=/tmp/mysql.sock

phpMyAdmin - what' swrong with next configuration?

tryin to install phpMyAdmin on my Fedora server, but if i open it in browser, i get next error:
2002 Cannot log in to the MySQL server
file config.inc.php have next content:
<?php
/* Servers configuration */
$i = 0;
/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = '';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '123';
/* End of servers configuration */
$cfg['blowfish_secret'] = '4c45c50fe8b283.01675296';
$cfg['DefaultLang'] = 'en-utf-8';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
?>
just to add, in mysql i created user root, with password 123, so i can log in with:
mysql -h localhost -u root -p123
can you help me where is the problem?

mysql -h localhost actually connects via unix socket instead of a TCP connection to 127.0.0.1. Explicitly specifying mysql -h 127.0.0.1 on the other hand does use the TCP method.
So what you are testing is a local socket connection, not a network one. Make sure phpMyAdmin uses the same method; the line
$cfg['Servers'][$i]['connect_type'] = 'tcp';
should probably read
$cfg['Servers'][$i]['connect_type'] = 'socket';
Your mysqld probably has either networking disabled or user permissions denying root/123 access from the network.
With -h localhost in your example you are actually connecting over a named socket. You can see for yourself - from the mysql client type "\s":
mysql> \s
--------------
(....)
Connection: Localhost via UNIX socket

ok, i solve it.
in configuration file, i just changed 'localhost' to '127.0.0.1', and it started to work.
tnx anw!