TLS 1.2 with php/mysqli
What configuration is required for the PHP/mysqli connector to create a SSL connection with the TLSv1.2 protocol to a MySQL server?
For example, in the following PHP script, we create a connection to a MySQL database. Our MySQL database is setup with SSL=On and generates its own certificates. Additionally, MySQL users are created/altered with "REQUIRE SSL". The PHP script always connects to MySQL with the TLSv1 protocol no matter which CIPHER is selected in the php scripts's ssl_set method. If we set tls_version=v1.2 or tls_version=v1.1,v1.2 in our MySQL’s my.cnf file, then our PHP script will not connect at all. Any help is appreciated.
<?php
echo 'hello';
$mysqli = new mysqli();
$mysqli->init();
# replace TRY-ANY-CIPER with the CIPHER of your choice, or NULL
$mysqli->ssl_set('/etc/ssl/mysql/client-key.pem', '/etc/ssl/mysql/client-cert.pem', '/etc/ssl/mysql/ca-cert.pem', NULL, TRY-ANY-CIPHER);
$mysqli->real_connect('hostname.abc', 'ssluser', 'password', 'db', 3306, null, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT);
sleep(10);
echo 'goodbye';
?>
While the PHP script above is running, verify the SSL protocol of the connection in MySQL with the following query:
SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher,
processlist_user AS user, processlist_host AS host
FROM performance_schema.status_by_thread AS sbt
JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id
JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id
WHERE sbt.variable_name = 'Ssl_version' and t2.variable_name = 'Ssl_cipher' ORDER BY tls_version;