Encrypted database connection?

I had to transfer our databases to a new server and that server requires an encrypted connection. So I get this error when trying to run Omeka-S with the new database server:

An exception occurred in driver: SQLSTATE[HY000] [3159] Connections using insecure transport are prohibited while --require_secure_transport=ON

I couldn’t find a way to provide the location of certificate files in database.ini. There was an earlier post saying that Zend does not support SSL, but maybe Laminas will?
Any help appreciated!

This thread is still the best information, I think.

Omeka S should support an SSL connection to the database if you need one, it just will have to be set in the database.ini file somewhat awkwardly: you need to specify driverOptions lines for each one with the correct number for the PDO constant you’re looking to use. In the thread I give this example:

driverOptions[1014] = 0
driverOptions[1009] = ''

The top line is setting the PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT setting (disabling it), and the bottom line is setting the PDO::MYSQL_ATTR_SSL_CA setting. Other settings like MYSQL_ATTR_SSL_KEY are also available in a similar way, if they’re needed for your use case. What specific numbers those should be for each setting can vary from version to version (though seem to be relatively stable lately). You can run command-line commands to check what those numbers are for your PHP install, like

php -r 'echo PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT . "\n" . PDO::MYSQL_ATTR_SSL_CA . "\n";'

We see very little demand for SSL connections to the database so this isn’t something we’ve really spent time on. But with demonstrated user demand, it’d be possible for us to introduce some consistent string keys users could use in database.ini to avoid all this work (in a future version).

@jflatnes , thank you very much!
We managed to get things working with these instructions.

I understand this might not be a very common requirement, but maybe it could be just mentioned in the install pages with links to these questions?

Can you share which options you needed to set? It’s helpful to know from actual users what’s being used. Just as an example, there are possible keys to set the client key and certificate and other things like that, but my sense is that most actual use cases don’t use those.

Sure, here they are:

user     = omeka
password = PASSWORD
dbname   = omeka
host     = databaseserver.com
driverOptions[1014] = 0
driverOptions[1009] = ''

I also tried to give proper paths to the cert files so that SSL verification could work, but that didn’t work:


driverOptions[1014] = 1
driverOptions[1007] = '/var/www/html/client-key.pem'
driverOptions[1008] = '/var/www/html/client-cert.pem'
driverOptions[1009] = '/var/www/html/ca.pem'

Configuration above gave this error:
An exception occurred in driver: SQLSTATE[HY000] [2002] Cannot connect to MySQL using SSL

I’m not a security expert, but as I understand it, the connection now uses encryption, though the server’s origin is not verified. This might not be the best security practice, but it’s acceptable in our environment because the firewall restricts MySQL connections to only our database server.

EDIT:
the option names are the following:
1009 = MYSQL_ATTR_SSL_CA
1008 = MYSQL_ATTR_SSL_CERT
1007 = MYSQL_ATTR_SSL_KEY

OK, thanks.

My understanding would be that simply the “CA” setting pointing to the right CA cert should be enough to be checking the server’s certificate, though the issue I think is that the server certificate needs to have a “common name” that matches the server’s hostname, or the client will refuse to connect. The automatic self-signed certificates that are often used for servers won’t work this way; they don’t have the correct common name specified.

The workaround here is turning off that name verification with the SSL_VERIFY_SERVER_CERT setting, but as far as I can tell, that currently just turns off peer verification completely (I would expect that setting the CA option to the real certificate would work just as well as the empty string, but it wouldn’t actually be checking anything).

Anyway: that certainly clarifies that we’d need to provide that “verify” option if we were providing any method of easier access to these SSL options.
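A small audit script, added here as an example (it is not Omeka S code and not from any poster in this thread), that reads the numeric driverOptions lines from jflatnes's first reply, resolves them through the PDO::MYSQL_ATTR_SSL_* constants of the PHP install that runs it, and flags the encrypt-but-do-not-verify combination discussed in the later posts. The ini text, hostname and list of constant names are assumptions.

```php
<?php
// Added example (not Omeka S code): audit SSL driverOptions in an Omeka S database.ini.
// Numeric keys are resolved through this PHP install's PDO constants (same as "php -r").
// Sample database.ini contents (constructed; mirrors the thread's working config).
$ini = <<<'INI'
user     = omeka
password = PASSWORD
dbname   = omeka
host     = databaseserver.example
driverOptions[1014] = 0
driverOptions[1009] = ''
INI;

/** Map numeric driverOptions keys to PDO::MYSQL_ATTR_SSL_* constant names. */
function sslOptionNames(): array
{
    $names = [];
    foreach (['MYSQL_ATTR_SSL_KEY', 'MYSQL_ATTR_SSL_CERT', 'MYSQL_ATTR_SSL_CA',
              'MYSQL_ATTR_SSL_CAPATH', 'MYSQL_ATTR_SSL_CIPHER',
              'MYSQL_ATTR_SSL_VERIFY_SERVER_CERT'] as $name) {
        if (defined("PDO::$name")) {          // undefined when pdo_mysql is not loaded
            $names[constant("PDO::$name")] = $name;
        }
    }
    return $names;
}

/** List the SSL options found in an ini string and flag weak combinations. */
function auditDriverOptions(string $iniText): array
{
    $cfg   = parse_ini_string($iniText, false, INI_SCANNER_TYPED); // keeps 0 as int
    $opts  = $cfg['driverOptions'] ?? [];
    $names = sslOptionNames();
    $out   = [];
    foreach ($opts as $num => $value) {
        $label = $names[$num] ?? "unknown option $num";
        $out[] = sprintf('driverOptions[%d] (%s) = %s', $num, $label, var_export($value, true));
    }
    $verify = array_search('MYSQL_ATTR_SSL_VERIFY_SERVER_CERT', $names, true);
    $ca     = array_search('MYSQL_ATTR_SSL_CA', $names, true);
    // Encrypted but unverified: any certificate presented by the peer is accepted.
    if (($opts[$verify] ?? null) === 0 || ($opts[$ca] ?? null) === '') {
        $out[] = 'WARNING: server certificate is not verified; encryption only.';
    } elseif (is_string($opts[$ca] ?? null) && !is_readable($opts[$ca])) {
        $out[] = "WARNING: CA file {$opts[$ca]} is not readable by this user.";
    }
    return $out;
}
foreach (auditDriverOptions($ini) as $line) {
    echo $line, PHP_EOL;
}
```

Run it with the same PHP binary that serves Omeka S, since the numeric values of the constants are what that install reports.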