This is how I usually connect to a MySQL database using SSL:
$db = mysqli_init();
mysqli_ssl_set(
$db,
NULL,
NULL,
'/etc/ssl/my-certs/ssl-ca.crt.pem',
NULL,
NULL
);
mysqli_real_connect(
$db,
'db.example.com',
'john',
'123456',
NULL,
NULL,
NULL,
MYSQLI_CLIENT_SSL
);
From what I understand, the MYSQLI_CLIENT_SSL
flag is necessary to make mysqli::real_connect
connect to the server using SSL.
Today I stumbled upon the documentation for mysqli::options
, and noticed that it accepts MYSQLI_OPT_SSL_VERIFY_SERVER_CERT
as an option, but, alas, its description is blank. So, I wonder:
mysqli_options($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
?MYSQLI_CLIENT_SSL
flag?MYSQLI_OPT_SSL_VERIFY_SERVER_CERT
(true) used when you want to verify server certificate against well known authorities to ensure that this is connection to trusted host.
MYSQLI_CLIENT_SSL
must be always used when you need to encrypt connection.
When you have on mysql-server certificate provided by authorities and want encryption + MITM-attack protection use both MYSQLI_OPT_SSL_VERIFY_SERVER_CERT
and MYSQLI_CLIENT_SSL
.
More info on official documentation: MYSQLI_CLIENT_SSL, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT