[Apache/2] PHP 8.0.11 - phpMyAdmin


Rich Dunkle

Oct 20, 2021, 8:57:39 AM10/20/21
to apa...@googlegroups.com
phpMyAdmin 5.1.1 is working OK.
I spent a couple days doing various chores on a remote FreeBSD MariaDB
10.4.21_1 server.
I never ran phpMyAdmin connected remotely. In the past I ran it on
the same host as the MariaDB server.

I found one problem with what MariaDB calls "Two-Way TLS for MariaDB
Clients."
I have only been able to connect to the server either unencrypted or
with what MariaDB calls "One-Way TLS for MariaDB Clients."  I am not
sure where the guilty piece of software is... client or server.
I see on the server an authentication problem:

2021-10-20 15:20:06 24 [Warning] Aborted connection 24 to db:
'unconnected' user: 'unauthenticated' host: 'mac4' (This connection
closed normally without authentication)

I only see this if I turn on the client certificate in phpmyadmin.  The
DB knows / has a user @mac4 that works OK, in the One-Way TLS mode.  I
suppose the only way to find the guilty piece is to run a version of
MySQL client on the Arca machine.

Other than that phpMyAdmin runs just fine.


Steven Levine

Oct 20, 2021, 12:39:35 PM10/20/21
to apa...@googlegroups.com
In <c51897bd-f9bb-2bce...@smallcatbrain.com>, on 10/20/21
at 03:57 PM, Rich Dunkle <rdu...@smallcatbrain.com> said:

Hi,

>phpMyAdmin 5.1.1 is working OK.

Good to hear. It's sorta on my list to get a current phpMyAdmin setup
here. The last time I needed it was in the v4.x days.

>I found one problem with what MariaDB calls "Two-Way TLS for MariaDB
>Clients"

Do you understand the requirements for two-way TLS? Did you set up a
client certificate that will be acceptable to the server?

Based on my understanding, the configuration needs to be done in either
phpMyAdmin or php itself. See:

https://stackoverflow.com/questions/331856/connecting-phpmyadmin-to-a-mysql-server-over-ssl

Basically the responsible party on the client side needs to know how to
send the client certificate when the server requests it.

Two-way TLS is effectively the same as stunnel's Verify = 3 configuration
option. This sets the server to require the client to provide a valid,
traceable certificate.

The way this works for self-signed certificates is that the client
certificates are signed by the self-signed root certificate for the
server.

In the case of stunnel, the server is going to look for the trusted
certificates in the directory specified by CAPath in stunnel.conf. This
directory contains the trusted certificates both for the clients and the
server.

Based on
https://mariadb.com/kb/en/securing-connections-for-client-and-server/#enabling-one-way-tls-for-mariadb-clients-without-server-certificate-verification

it appears that MariaDB operates similarly. For a mysql connection, you
need to have something like:

[client-mariadb]
...
ssl_cert = /etc/my.cnf.d/certificates/client-cert.pem
ssl_key = /etc/my.cnf.d/certificates/client-key.pem
ssl_ca = /etc/my.cnf.d/certificates/ca.pem


in the mysql client options file. This would allow mysql to find the
certificate to send as well as verify the server certificate.

https://www.cyberciti.biz/faq/how-to-setup-mariadb-ssl-and-secure-connections-from-clients/


is a pretty good overview of the entire process.

I've not yet found the proper cookbook for setting this up for phpMyAdmin.
It's going to be either a php configuration item or a phpMyAdmin
configuration item.


Steven

--
----------------------------------------------------------------------
"Steven Levine" <ste...@earthlink.net> Warp/DIY/BlueLion etc.
www.scoug.com www.arcanoae.com www.warpcave.com
----------------------------------------------------------------------
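The phpMyAdmin side of the cookbook Steven is looking for is a server entry in config.inc.php. The block below is an added example written for this thread; it is not code from phpMyAdmin or from either poster, and the host name, account and file paths are assumptions. The directive names (ssl, ssl_key, ssl_cert, ssl_ca, ssl_verify) are phpMyAdmin's own; the same three files play the same roles as ssl_cert, ssl_key and ssl_ca in the mysql client options file quoted above.

```php
<?php
// Added example: phpMyAdmin config.inc.php entry for two-way (mutual) TLS
// to a MariaDB server. Not from the thread or the phpMyAdmin project.
// Host, port, auth_type and all file paths below are assumptions.
declare(strict_types=1);

$i = 1;

$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host']      = 'db.example.internal';   // assumed host
$cfg['Servers'][$i]['port']      = 3306;

// Require TLS for the phpMyAdmin -> MariaDB connection (default is false).
$cfg['Servers'][$i]['ssl'] = true;

// Client certificate and private key: presenting these is what makes the
// connection "two-way". The MariaDB server must be able to chain this
// certificate to the CA bundle in its own ssl_ca setting; if it cannot, the
// client sees "tlsv1 alert unknown ca" as in this thread.
// The key file must be readable by the PHP/web-server user and by nobody else.
$cfg['Servers'][$i]['ssl_key']  = '/etc/phpmyadmin/cert/client-key.pem';   // assumed path
$cfg['Servers'][$i]['ssl_cert'] = '/etc/phpmyadmin/cert/client-cert.pem';  // assumed path

// CA bundle used to verify the *server* certificate. For a Let's Encrypt
// server certificate this is the public root chain (ISRG Root X1), not the
// client's own certificate.
$cfg['Servers'][$i]['ssl_ca'] = '/etc/ssl/certs/ca-certificates.crt';       // assumed path

// Keep server-certificate verification on (the default). Setting this to
// false only silences "certificate verify failed"; it does not repair the
// trust chain and lets any server that holds the port answer the connection.
$cfg['Servers'][$i]['ssl_verify'] = true;
```

On the MariaDB side, two-way TLS is enforced per account with REQUIRE X509 (or REQUIRE SUBJECT / REQUIRE ISSUER) on the user, and the server's ssl_ca must contain the issuer of the client certificate; without that, the server accepts a one-way TLS session from the same account and never asks for the client certificate.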

Rich Dunkle

Oct 21, 2021, 10:17:12 AM10/21/21
to apa...@googlegroups.com
Thanks for the ideas.  I have seen those urls.

I use ssl and certificates on Samba domain controller, sendmail server,
imap server, poudriere server, apache, and nginx.   I use Let's Encrypt
certificates.

Yeah, I see no "follow these steps to make this work" type answer. That
is why I was wanting to study this type of connection.  Most people want
to do a self signed certificate.

When I enable the certificate on the phpMyAdmin (client side), I see this
error on the webpage when phpMyAdmin tries to connect to the MariaDB:

mysqli::real_connect(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

So... to get past that error (on the client side)-->
$cfg['Servers'][$i]['ssl_verify'] = false;

Then I see this error:
mysqli::real_connect(): SSL operation failed with code 1. OpenSSL Error messages: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

I think this is the smoking gun:

d:\web\phpmyadmin\cert>openssl s_client -connect smp5.smallcatbrain.com:3306 > d:\desktop\aa.txt
537102848:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:


CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 326 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

I will take a fresh look at this in a couple of days.
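The two OpenSSL messages above point in opposite directions: "certificate verify failed" is raised locally when the client cannot chain the server certificate to its CA file, while "tlsv1 alert unknown ca" is an alert sent by the server after it failed to chain the client certificate to its own CA bundle. The script below is an added example, not code from the thread or from phpMyAdmin: a stand-alone PHP CLI probe that uses the same mysqli calls phpMyAdmin uses, so the failure can be reproduced on the client host without the web UI. Host, account, password variable and file paths are assumptions.

```php
<?php
// Added example (not from the thread): reproduce phpMyAdmin's mutual-TLS
// connection with plain mysqli so the failing side can be identified.
// Host, account, PMA_PASS environment variable and file paths are assumptions.
declare(strict_types=1);

// Turn mysqli failures into exceptions instead of silent false returns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Open a TLS connection offering a client certificate and verifying the
 * server against $caFile. Returns ['ok' => bool, ...] rather than exiting,
 * so it can be reused from other scripts.
 */
function tlsProbe(
    string $host, int $port, string $user, string $pass,
    string $clientKey, string $clientCert, string $caFile
): array {
    foreach ([$clientKey, $clientCert, $caFile] as $f) {
        if (!is_readable($f)) {
            // Unreadable key material is the most common cause of a
            // "no client certificate sent" outcome, so check it first.
            return ['ok' => false, 'error' => "not readable: $f"];
        }
    }

    $db = mysqli_init();
    if ($db === false) {
        return ['ok' => false, 'error' => 'mysqli_init() failed'];
    }

    // ssl_set() must be called before real_connect(). The third argument is
    // the CA bundle used to verify the *server* certificate.
    $db->ssl_set($clientKey, $clientCert, $caFile, null, null);

    try {
        // MYSQLI_CLIENT_SSL: require TLS, never fall back to plaintext.
        $db->real_connect($host, $user, $pass, null, $port, null, MYSQLI_CLIENT_SSL);
    } catch (mysqli_sql_exception $e) {
        // PHP also emits the OpenSSL text seen in this thread as a warning;
        // the exception carries mysqli's connect error.
        return ['ok' => false, 'error' => $e->getMessage()];
    }

    // Confirm TLS is really in use and which cipher was negotiated.
    $row = $db->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    $db->close();

    return ['ok' => true, 'cipher' => $row['Value'] ?? ''];
}

$result = tlsProbe(
    'db.example.internal',                 // assumed host
    3306,
    'pma_user',                            // assumed account
    getenv('PMA_PASS') ?: '',              // assumed env var, avoids a literal password
    __DIR__ . '/cert/client-key.pem',      // assumed path
    __DIR__ . '/cert/client-cert.pem',     // assumed path
    '/etc/ssl/certs/ca-certificates.crt'   // assumed path
);

echo json_encode($result, JSON_PRETTY_PRINT), PHP_EOL;
exit($result['ok'] ? 0 : 1);
```

Run it as `PMA_PASS=... php tls-probe.php` on the same host as phpMyAdmin. An empty Ssl_cipher with ok=true would mean the server accepted a plaintext session, which cannot happen with MYSQLI_CLIENT_SSL set but is worth asserting when the flag is changed.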

Rich Dunkle

Oct 23, 2021, 7:44:15 AM10/23/21
to apa...@googlegroups.com
----8<--- snip --

---

>
> I will take a fresh look at this in a couple of days.
>
I found some interesting information about openssl and phpMyAdmin...

For debug of db server there is a special parameter--> -starttls mysql

openssl s_client -starttls mysql -CAfile d:\web\phpmyadmin\cert\mac4.smallcatbrain.com.cer -connect smp5.smallcatbrain.com:3306

And the server does show that it is functional.

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.smallcatbrain.com
verify return:1
bad select 22
---
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.smallcatbrain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
---- snip --- 8< ---- snip --


Then I found there is a bug that is allegedly to be fixed in phpMyAdmin
5.1.3.

https://github.com/phpmyadmin/phpmyadmin/issues/16069
