SSL/TLS MySQL Configuration

Open jjthiessen opened this issue 4 years ago • 5 comments

I believe that https://github.com/phpList/phplist3/commit/a3bc7189b8b3d048af3a5c685bcc53358af42046 introduced a regression for MySQL configurations where SSL/TLS is enforced. It is also possible that this behaviour has changed between PHP versions, or is/was different between the use of libmysql and mysqlnd. The PHP Manual seems to suggest that the change was valid and should work; however, this does not seem to be the case in my tests.

$ php -v
PHP 7.4.24 (cli) (built: Sep 21 2021 11:23:23) ( ZTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.24, Copyright (c), by Zend Technologies

$ php -m | grep -i mysql
mysqli
mysqlnd
pdo_mysql

$ cat test.php 
<?php

$db = mysqli_init();

foreach ([
    'MYSQLI_CLIENT_SSL'                                             => MYSQLI_CLIENT_SSL,
    'MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT'                     => MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT,
    'MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT' => MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT,
] as $option => $flags) {
    printf('%s: ', $option);

    if (!mysqli_real_connect(
        $db,
        getenv('DB_SERVER'),
        getenv('DB_USER'),
        getenv('DB_PASS'),
        'mysql',
        3306,
        null,
        $flags
    )) {
        var_dump(mysqli_connect_errno());
    } else {
        echo "Success!\n";
    }
}

$ php test.php 
MYSQLI_CLIENT_SSL: Success!
MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT: 
Warning: mysqli_real_connect(): (HY000/3159): Connections using insecure transport are prohibited while --require_secure_transport=ON. in /REDACTED/test.php on line 20
int(3159)
MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT: Success!

jjthiessen avatar Nov 29 '21 23:11 jjthiessen

That is, I believe that MYSQLI_CLIENT_SSL is required for the client to advertise SSL capabilities (independently of whether certificates should or shouldn't be verified).

jjthiessen avatar Nov 29 '21 23:11 jjthiessen
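
Added example, not part of the original issue and not phpList's own code: one way to build the connect flags so that `MYSQLI_CLIENT_SSL` is always present when TLS is wanted, then confirm from the server side that the session really is encrypted. The helper names `tls_connect_flags` and `session_tls_cipher` and the `DB_VERIFY_CERT` variable are assumptions; `DB_SERVER`, `DB_USER` and `DB_PASS` are the variables used in the test script above.

```php
<?php
// Added example; helper names and DB_VERIFY_CERT are hypothetical.

/**
 * Build mysqli connect flags. Per the test output in this issue,
 * MYSQLI_CLIENT_SSL is the flag that makes the client request TLS;
 * MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT only relaxes verification,
 * so it is OR-ed onto MYSQLI_CLIENT_SSL and never passed alone.
 */
function tls_connect_flags(bool $useTls, bool $verifyServerCert): int
{
    if (!$useTls) {
        return 0;
    }
    $flags = MYSQLI_CLIENT_SSL;
    if (!$verifyServerCert) {
        $flags |= MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
    }
    return $flags;
}

/** Return the negotiated cipher, or '' when the session is not encrypted. */
function session_tls_cipher(mysqli $db): string
{
    $result = mysqli_query($db, "SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    if ($result === false) {
        return '';
    }
    $row = mysqli_fetch_row($result); // [Variable_name, Value] or null
    return (string) ($row[1] ?? '');
}

mysqli_report(MYSQLI_REPORT_OFF); // return false on failure instead of throwing

$db = mysqli_init();
$flags = tls_connect_flags(true, getenv('DB_VERIFY_CERT') !== '0');
if (!mysqli_real_connect($db, getenv('DB_SERVER'), getenv('DB_USER'),
        getenv('DB_PASS'), 'mysql', 3306, null, $flags)) {
    fwrite(STDERR, sprintf("connect failed: (%d) %s\n",
        mysqli_connect_errno(), mysqli_connect_error()));
    exit(1);
}
$cipher = session_tls_cipher($db);
if ($cipher === '') {
    fwrite(STDERR, "connected, but the session is not encrypted\n");
    exit(1);
}
printf("TLS session established, cipher: %s\n", $cipher);
```

The `Ssl_cipher` check matters on servers that do not set `require_secure_transport=ON`, where a connection made without `MYSQLI_CLIENT_SSL` succeeds in plaintext instead of failing with error 3159.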