PHP to MySQL SSL Connections
Here PHP (and mysqli_real_connect) is the client, not the server. You're configuring it with mysqli_ssl_set for client-certificate authentication (and using the server key and certificate).
I'm not sure how you've configured your MySQL server, but there should be something like this in the (MySQL) server section of the configuration:
ssl-key=/mysql-ssl-certs/server-key.pem
ssl-cert=/mysql-ssl-certs/server-cert.pem
ssl-ca=/mysql-ssl-certs/ca-cert.pem
These don't belong to the client side anyway (only the CA certificate does, but definitely not the server's private key).
Once you've done this, you can try to see if the server is configured properly using the command line client:
mysql --ssl-verify-server-cert --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...
or perhaps this (although verify server cert should really be enabled for SSL/TLS to be useful)
mysql --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...
This should work at least on the command line.
Then, from PHP, you get two options:
- use mysqli_ssl_set like you've done, but leaving $key and $cert null, unless you want to use a client-certificate which really ought to be different from your server certificate. (I can't remember whether that works.)
- possibly easier, omit mysqli_ssl_set altogether and configure this in your global MySQL client configuration file (where PHP should be able to pick it up, possibly /etc/mysql/my.cnf, but this may vary depending on your distribution):
[client]
ssl-ca=/mysql-ssl-certs/ca-cert.pem
(This is similar to the server config, but on the client side/in the client section.)
For the authorization part (GRANT):
- REQUIRE SSL only requires the use of SSL/TLS
- REQUIRE ISSUER, REQUIRE SUBJECT and REQUIRE X509 require the client to present a client-certificate to compare to the required values (that's the case where you'd need to use ssl-key and ssl-cert on the client side (config or within mysqli_ssl_set)).
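The first PHP option above, written out as an added example (not part of the original answer): a CA-only connection that leaves the key and certificate null, then checks that the session really is encrypted. The host name, user, database and the DB_PASSWORD environment variable are placeholders assumed for illustration.

```php
<?php
// Added example: CA-only TLS connection from PHP, then confirm encryption is active.
// Host, user, database and DB_PASSWORD are placeholders (assumptions).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect_tls(string $host, string $user, string $pass, string $db, string $ca): mysqli
{
    $link = mysqli_init();
    // $key and $cert stay null: no client certificate is presented.
    // Only the CA certificate is needed to validate the server's certificate.
    mysqli_ssl_set($link, null, null, $ca, null, null);
    // Ask for server certificate verification, like --ssl-verify-server-cert on the CLI.
    mysqli_options($link, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    // MYSQLI_CLIENT_SSL requests an encrypted connection.
    mysqli_real_connect($link, $host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL);
    return $link;
}

function tls_cipher(mysqli $link): string
{
    // Ssl_cipher is empty when the session is not encrypted.
    $row = mysqli_query($link, "SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_row();
    return $row[1] ?? '';
}

try {
    $link = connect_tls(
        'db.example.internal',            // placeholder host
        'app_user',                       // placeholder account
        getenv('DB_PASSWORD') ?: '',
        'app_db',                         // placeholder database
        '/mysql-ssl-certs/ca-cert.pem'    // CA path used in the answer
    );
    $cipher = tls_cipher($link);
    if ($cipher === '') {
        fwrite(STDERR, "Connected, but the session is NOT encrypted\n");
        exit(1);
    }
    echo "TLS active, cipher: {$cipher}\n";
} catch (mysqli_sql_exception $e) {
    // Certificate validation failures and refused handshakes end up here.
    fwrite(STDERR, "Connection failed: " . $e->getMessage() . "\n");
    exit(1);
}
```

For an account created with REQUIRE X509, REQUIRE ISSUER or REQUIRE SUBJECT, the two null arguments would instead be the paths of a client key and client certificate.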