php, mysqli, php-7

What's the difference between MYSQLI_CLIENT_SSL and MYSQLI_OPT_SSL_VERIFY_SERVER_CERT?


This is how I usually connect to a MySQL database using SSL:

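$db = mysqli_init();
mysqli_ssl_set(
    $db,
    NULL,                               // client private key file
    NULL,                               // client certificate file
    '/etc/ssl/my-certs/ssl-ca.crt.pem', // CA certificate file
    NULL,                               // directory of trusted CA certificates
    NULL                                // allowed cipher list
);
mysqli_real_connect(
    $db,
    'db.example.com',
    'john',
    '123456',
    NULL,                               // default database
    NULL,                               // port
    NULL,                               // socket
    MYSQLI_CLIENT_SSL                   // connection flags
);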

From what I understand, the MYSQLI_CLIENT_SSL flag is necessary to make mysqli::real_connect connect to the server using SSL.

Today I stumbled upon the documentation for mysqli::options, and noticed that it accepts MYSQLI_OPT_SSL_VERIFY_SERVER_CERT as an option, but, alas, its description is blank. So, I wonder:

  1. When do I need to add mysqli_options($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);?
  2. When do I need to use the MYSQLI_CLIENT_SSL flag?
  3. When will I need to set both of them?

Solution

    1. MYSQLI_OPT_SSL_VERIFY_SERVER_CERT (true) is used when you want to verify the server certificate against well-known authorities to ensure that this is a connection to a trusted host.

    2. MYSQLI_CLIENT_SSL must always be used when you need to encrypt the connection.

    3. When you have a certificate provided by authorities on the MySQL server and want encryption + MITM-attack protection, use both MYSQLI_OPT_SSL_VERIFY_SERVER_CERT and MYSQLI_CLIENT_SSL.

    More info in the official documentation: MYSQLI_CLIENT_SSL, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT
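
The combination from point 3, as an added example that is not part of the original question or answer: it sets both the option and the flag, then fails closed if the session turns out to be unencrypted. The helper name `connect_verified` and the `DB_PASSWORD` environment variable are assumptions made for illustration; the host, user and CA path are the ones from the question.

```php
<?php
// Added example, not the original poster's code.
// Make mysqli throw mysqli_sql_exception instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hypothetical helper: open a connection with MYSQLI_CLIENT_SSL and
 * MYSQLI_OPT_SSL_VERIFY_SERVER_CERT both set, then confirm the session
 * is actually encrypted before handing it back to the caller.
 */
function connect_verified(string $host, string $user, string $pass, string $caFile): mysqli
{
    // A missing CA file should stop the connection attempt, not weaken it.
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }

    $db = mysqli_init();

    // Options and SSL settings must be applied before mysqli_real_connect().
    mysqli_options($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    mysqli_ssl_set($db, NULL, NULL, $caFile, NULL, NULL);

    mysqli_real_connect($db, $host, $user, $pass, NULL, NULL, NULL, MYSQLI_CLIENT_SSL);

    // Ssl_cipher is empty when the session is not encrypted.
    $row = mysqli_query($db, "SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    if (empty($row['Value'])) {
        mysqli_close($db);
        throw new RuntimeException('Connection is not encrypted; refusing to continue');
    }

    return $db;
}

try {
    // DB_PASSWORD is an assumed environment variable holding the credential.
    $db = connect_verified(
        'db.example.com',
        'john',
        getenv('DB_PASSWORD') ?: '',
        '/etc/ssl/my-certs/ssl-ca.crt.pem'
    );
    echo "Encrypted connection established\n";
} catch (Throwable $e) {
    // Covers both connection/verification errors and the checks above.
    fwrite(STDERR, 'Connection rejected: ' . $e->getMessage() . "\n");
    exit(1);
}
```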