1 commit 8292260515a904b4d515484145c78f33a06ae1ae
2 Author: Andrey Hristov <andrey@php.net>
3 Date: Wed Oct 21 15:10:24 2015 +0200
5 Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
7 diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt
8 index 78540f1..349d6db 100644
9 --- a/ext/mysqli/tests/bug51647.phpt
10 +++ b/ext/mysqli/tests/bug51647.phpt
11 @@ -65,9 +65,43 @@ $link->close();
13 if (!$row = $res->fetch_assoc())
14 printf("[006] [%d] %s\n", $link->errno, $link->error);
15 + if (!strlen($row["Value"]))
16 + printf("[007] Empty cipher. No encrytion!");
22 + if (!is_object($link = mysqli_init()))
23 + printf("[008] Cannot create link\n");
25 + if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL)) {
26 + printf("[009] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
29 + if (!$res = $link->query('SHOW STATUS like "Ssl_cipher"')) {
30 + if (1064 == $link->errno) {
31 + /* ERROR 1064 (42000): You have an error in your SQL syntax; = sql strict mode */
32 + if ($res = $link->query("SHOW STATUS")) {
33 + while ($row = $res->fetch_assoc())
34 + if ($row['Variable_name'] == 'Ssl_cipher')
37 + printf("[010] [%d] %s\n", $link->errno, $link->error);
40 + printf("[011] [%d] %s\n", $link->errno, $link->error);
43 + if (!$row = $res->fetch_assoc())
44 + printf("[012] [%d] %s\n", $link->errno, $link->error);
45 + if (!strlen($row["Value"]))
46 + printf("[013] Empty cipher. No encrytion!");
55 @@ -78,4 +112,10 @@ array(2) {
61 + string(10) "Ssl_cipher"
66 diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
67 index 69f4b7a..4cbe9de 100644
68 --- a/ext/mysqlnd/mysqlnd_net.c
69 +++ b/ext/mysqlnd/mysqlnd_net.c
70 @@ -901,6 +901,12 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
71 zval verify_peer_zval;
72 ZVAL_TRUE(&verify_peer_zval);
73 php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
74 + php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
76 + zval verify_peer_zval;
77 + ZVAL_FALSE(&verify_peer_zval);
78 + php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
79 + php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
81 if (net->data->options.ssl_cert) {
83 @@ -918,7 +924,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
84 if (net->data->options.ssl_capath) {
86 ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
87 - php_stream_context_set_option(context, "ssl", "cafile", &capath_zval);
88 + php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
90 if (net->data->options.ssl_passphrase) {
92 commit afd31489d0d9999f701467e99ef2b40794eed196
93 Author: Andrey Hristov <andrey@php.net>
94 Date: Thu Oct 22 11:48:53 2015 +0200
96 Improve fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
98 diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
99 index e028d60..198ed83 100644
100 --- a/ext/mysqli/mysqli.c
101 +++ b/ext/mysqli/mysqli.c
102 @@ -715,6 +715,9 @@ PHP_MINIT_FUNCTION(mysqli)
103 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_IGNORE_SPACE", CLIENT_IGNORE_SPACE, CONST_CS | CONST_PERSISTENT);
104 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_NO_SCHEMA", CLIENT_NO_SCHEMA, CONST_CS | CONST_PERSISTENT);
105 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS | CONST_PERSISTENT);
106 +#ifdef CLIENT_SSL_VERIFY_SERVER_CERT
107 + REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
109 #if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) || defined(MYSQLI_USE_MYSQLND)
110 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
111 REGISTER_LONG_CONSTANT("MYSQLI_OPT_CAN_HANDLE_EXPIRED_PASSWORDS", MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
112 diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt
113 index dd0f769..1cb31cc 100644
114 --- a/ext/mysqli/tests/mysqli_constants.phpt
115 +++ b/ext/mysqli/tests/mysqli_constants.phpt
116 @@ -136,6 +136,9 @@ require_once('skipifconnectfailure.inc');
117 $expected_constants['MYSQLI_SERVER_QUERY_WAS_SLOW'] = true;
120 + if ($version >= 50033 || $IS_MYSQLND) {
121 + $expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
124 /* First introduced in MySQL 6.0, backported to MySQL 5.5 */
125 if ($version >= 50606 || $IS_MYSQLND) {
126 diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
127 index 4cbe9de..7b164ac 100644
128 --- a/ext/mysqlnd/mysqlnd_net.c
129 +++ b/ext/mysqlnd/mysqlnd_net.c
130 @@ -897,14 +897,9 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
131 ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
132 php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
134 - if (net->data->options.ssl_verify_peer) {
135 - zval verify_peer_zval;
136 - ZVAL_TRUE(&verify_peer_zval);
137 - php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
138 - php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
141 zval verify_peer_zval;
142 - ZVAL_FALSE(&verify_peer_zval);
143 + ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer);
144 php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
145 php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
147 commit 6d51b7b2e3468601acdaaf9041c9131b5aa47f98
148 Author: Andrey Hristov <andrey@php.net>
149 Date: Tue Oct 27 12:59:09 2015 +0100
151 Another Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
152 Added the possibility to explicitly state that the peer certificate should not be checked.
153 Back to the default - checking the certificate.
154 Exported MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
155 Usage : mysqli_real_connect( , , , , , MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)
157 If mysqli_ssl_set() is not called, but only MYSQLI_CLIENT_SSL is passed, without the (don't) verify flag,
158 then no verification takes place.
160 diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
161 index 198ed83..5e40d19 100644
162 --- a/ext/mysqli/mysqli.c
163 +++ b/ext/mysqli/mysqli.c
164 @@ -717,6 +717,9 @@ PHP_MINIT_FUNCTION(mysqli)
165 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS | CONST_PERSISTENT);
166 #ifdef CLIENT_SSL_VERIFY_SERVER_CERT
167 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
168 +#if defined(MYSQLI_USE_MYSQLND)
169 + REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT", CLIENT_SSL_DONT_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
172 #if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) || defined(MYSQLI_USE_MYSQLND)
173 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
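Review bot: `MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT` is registered only under `#if defined(MYSQLI_USE_MYSQLND)`, nested inside `#ifdef CLIENT_SSL_VERIFY_SERVER_CERT`, yet bug51647.phpt and bug55283.phpt in this same commit use the constant. Unless their skip sections (not visible here) exclude libmysql builds, those tests will hit an undefined constant. A comment above the inner `#if`, such as `/* mysqlnd extension, not available with libmysql */`, would also tell readers why a flag that turns off a security check exists on one driver only. The closing `#endif` lines are not visible in this hunk.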
174 diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt
175 index 349d6db..7385538 100644
176 --- a/ext/mysqli/tests/bug51647.phpt
177 +++ b/ext/mysqli/tests/bug51647.phpt
178 @@ -41,11 +41,7 @@ $link->close();
179 if (!is_object($link = mysqli_init()))
180 printf("[001] Cannot create link\n");
182 - $path_to_pems = !$IS_MYSQLND? "ext/mysqli/tests/" : "";
183 - if (!$link->ssl_set("{$path_to_pems}client-key.pem", "{$path_to_pems}client-cert.pem", "{$path_to_pems}cacert.pem","",""))
184 - printf("[002] [%d] %s\n", $link->errno, $link->error);
186 - if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket)) {
187 + if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)) {
188 printf("[003] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
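Review bot: The test no longer covers certificate verification at all. This hunk drops the `ssl_set()` call that supplied `cacert.pem` and connects with `MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT`, and the later checks only assert that `Ssl_cipher` is non-empty. A non-empty cipher shows the session is encrypted, not that the server certificate was checked. A companion case is needed that connects with `MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT` and a CA that did not sign the server certificate, and expects the connect to fail; otherwise a regression that silently disables verification would still pass. The rest of the test body is outside this hunk.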
191 @@ -67,9 +63,9 @@ $link->close();
192 printf("[006] [%d] %s\n", $link->errno, $link->error);
193 if (!strlen($row["Value"]))
194 printf("[007] Empty cipher. No encrytion!");
201 if (!is_object($link = mysqli_init()))
202 @@ -97,10 +93,9 @@ $link->close();
203 printf("[012] [%d] %s\n", $link->errno, $link->error);
204 if (!strlen($row["Value"]))
205 printf("[013] Empty cipher. No encrytion!");
214 diff --git a/ext/mysqli/tests/bug55283.phpt b/ext/mysqli/tests/bug55283.phpt
215 index d03daae..a10c604 100644
216 --- a/ext/mysqli/tests/bug55283.phpt
217 +++ b/ext/mysqli/tests/bug55283.phpt
218 @@ -40,7 +40,7 @@ $link->close();
222 - $flags = MYSQLI_CLIENT_SSL;
223 + $flags = MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
225 $link = mysqli_init();
226 mysqli_ssl_set($link, null, null, null, null, "RC4-MD5");
227 diff --git a/ext/mysqli/tests/connect.inc b/ext/mysqli/tests/connect.inc
228 index 67ce60a..606d1d3 100644
229 --- a/ext/mysqli/tests/connect.inc
230 +++ b/ext/mysqli/tests/connect.inc
232 $driver = new mysqli_driver;
234 $host = getenv("MYSQL_TEST_HOST") ? getenv("MYSQL_TEST_HOST") : "127.0.0.1";
235 - $port = getenv("MYSQL_TEST_PORT") ? getenv("MYSQL_TEST_PORT") : 3308;
236 + $port = getenv("MYSQL_TEST_PORT") ? getenv("MYSQL_TEST_PORT") : 3306;
237 $user = getenv("MYSQL_TEST_USER") ? getenv("MYSQL_TEST_USER") : "root";
238 $passwd = getenv("MYSQL_TEST_PASSWD") ? getenv("MYSQL_TEST_PASSWD") : "";
239 $db = getenv("MYSQL_TEST_DB") ? getenv("MYSQL_TEST_DB") : "test";
241 function my_mysqli_connect($host, $user, $passwd, $db, $port, $socket, $enable_env_flags = true) {
242 global $connect_flags;
244 - $flags = ($enable_env_flags) ? $connect_flags : false;
246 - if ($flags !== false) {
247 + $flags = $enable_env_flags? $connect_flags:0;
248 + if ($flags !== 0) {
249 $link = mysqli_init();
250 if (!mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, $flags))
253 global $connect_flags;
255 if ($enable_env_flags)
256 - $flags & $connect_flags;
257 + $flags = $flags | $connect_flags;
259 return mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, $flags);
262 public function __construct($host, $user, $passwd, $db, $port, $socket, $enable_env_flags = true) {
263 global $connect_flags;
265 - $flags = ($enable_env_flags) ? $connect_flags : false;
266 + $flags = ($enable_env_flags) ? $connect_flags : 0;
268 if ($flags !== false) {
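Review bot: In the `__construct` change, `$flags` now falls back to `0`, but the guard on the next visible line is still `if ($flags !== false)`, which is always true after this commit. `my_mysqli_connect` earlier in the same file was updated to `if ($flags !== 0)`, and the constructor should use the same test so both helpers take the same path when no environment flags are set. The hunk headers for this file are not visible, so the remainder of each function is outside view.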
270 diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt
271 index 1cb31cc..cc5fa9f 100644
272 --- a/ext/mysqli/tests/mysqli_constants.phpt
273 +++ b/ext/mysqli/tests/mysqli_constants.phpt
274 @@ -139,6 +139,9 @@ require_once('skipifconnectfailure.inc');
275 if ($version >= 50033 || $IS_MYSQLND) {
276 $expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
279 + $expected_constants['MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT'] = true;
282 /* First introduced in MySQL 6.0, backported to MySQL 5.5 */
283 if ($version >= 50606 || $IS_MYSQLND) {
284 diff --git a/ext/mysqlnd/mysqlnd.c b/ext/mysqlnd/mysqlnd.c
285 index f008986..94a3149 100644
286 --- a/ext/mysqlnd/mysqlnd.c
287 +++ b/ext/mysqlnd/mysqlnd.c
288 @@ -472,6 +472,7 @@ mysqlnd_switch_to_ssl_if_needed(
289 DBG_INF_FMT("CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA= %d", mysql_flags & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA? 1:0);
290 DBG_INF_FMT("CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS= %d", mysql_flags & CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS? 1:0);
291 DBG_INF_FMT("CLIENT_SESSION_TRACK= %d", mysql_flags & CLIENT_SESSION_TRACK? 1:0);
292 + DBG_INF_FMT("CLIENT_SSL_DONT_VERIFY_SERVER_CERT= %d", mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT? 1:0);
293 DBG_INF_FMT("CLIENT_SSL_VERIFY_SERVER_CERT= %d", mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? 1:0);
294 DBG_INF_FMT("CLIENT_REMEMBER_OPTIONS= %d", mysql_flags & CLIENT_REMEMBER_OPTIONS? 1:0);
296 @@ -495,7 +496,11 @@ mysqlnd_switch_to_ssl_if_needed(
297 if (server_has_ssl == FALSE) {
300 - zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? TRUE:FALSE;
301 + enum mysqlnd_ssl_peer verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT?
302 + MYSQLND_SSL_PEER_VERIFY:
303 + (mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT?
304 + MYSQLND_SSL_PEER_DONT_VERIFY:
305 + MYSQLND_SSL_PEER_DEFAULT);
306 DBG_INF("Switching to SSL");
307 if (!PACKET_WRITE(auth_packet, conn)) {
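Review bot: The precedence between the two flags is undocumented. When both `CLIENT_SSL_VERIFY_SERVER_CERT` and `CLIENT_SSL_DONT_VERIFY_SERVER_CERT` are set, the nested conditional picks `MYSQLND_SSL_PEER_VERIFY`, which is the safe outcome but easy to invert in a later edit. I would add `/* VERIFY wins over DONT_VERIFY when both flags are set */` above the declaration of `verify`. The function body continues outside this hunk.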
309 diff --git a/ext/mysqlnd/mysqlnd_enum_n_def.h b/ext/mysqlnd/mysqlnd_enum_n_def.h
310 index c1ede7e..9e29da2 100644
311 --- a/ext/mysqlnd/mysqlnd_enum_n_def.h
312 +++ b/ext/mysqlnd/mysqlnd_enum_n_def.h
314 #define CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA (1UL << 21) /* Enable authentication response packet to be larger than 255 bytes. */
315 #define CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS (1UL << 22) /* Don't close the connection for a connection with expired password. */
316 #define CLIENT_SESSION_TRACK (1UL << 23) /* Extended OK */
318 + This is a mysqlnd extension. CLIENT_ODBC is not used anyway. We will reuse it for our case and translate it to not using SSL peer verification
320 +#define CLIENT_SSL_DONT_VERIFY_SERVER_CERT CLIENT_ODBC
321 #define CLIENT_SSL_VERIFY_SERVER_CERT (1UL << 30)
322 #define CLIENT_REMEMBER_OPTIONS (1UL << 31)
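Review bot: `CLIENT_SSL_DONT_VERIFY_SERVER_CERT` is defined as `CLIENT_ODBC`, so a client-side policy switch now shares its value with a capability bit that can travel to the server in the handshake. Nothing visible in this patch clears the bit from `mysql_flags` before the auth packet is written, so it should be confirmed that it is masked once the verify mode has been derived, e.g. `mysql_flags &= ~CLIENT_SSL_DONT_VERIFY_SERVER_CERT;`. Because the two names are the same value, any caller that passes `CLIENT_ODBC` for its original meaning also turns off certificate checking. The added comment should say so explicitly rather than only "CLIENT_ODBC is not used anyway".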
324 diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
325 index 7b164ac..3e8d099 100644
326 --- a/ext/mysqlnd/mysqlnd_net.c
327 +++ b/ext/mysqlnd/mysqlnd_net.c
328 @@ -798,8 +798,27 @@ MYSQLND_METHOD(mysqlnd_net, set_client_option)(MYSQLND_NET * const net, enum mys
331 case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
332 - net->data->options.ssl_verify_peer = value? ((*(zend_bool *)value)? TRUE:FALSE): FALSE;
334 + enum mysqlnd_ssl_peer val = *((enum mysqlnd_ssl_peer *)value);
336 + case MYSQLND_SSL_PEER_VERIFY:
337 + DBG_INF("MYSQLND_SSL_PEER_VERIFY");
339 + case MYSQLND_SSL_PEER_DONT_VERIFY:
340 + DBG_INF("MYSQLND_SSL_PEER_DONT_VERIFY");
342 + case MYSQLND_SSL_PEER_DEFAULT:
343 + DBG_INF("MYSQLND_SSL_PEER_DEFAULT");
344 + val = MYSQLND_SSL_PEER_DEFAULT;
347 + DBG_INF("default = MYSQLND_SSL_PEER_DEFAULT_ACTION");
348 + val = MYSQLND_SSL_PEER_DEFAULT;
351 + net->data->options.ssl_verify_peer = val;
354 case MYSQL_OPT_READ_TIMEOUT:
355 net->data->options.timeout_read = *(unsigned int*) value;
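Review bot: The new `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` case dereferences `value` as `enum mysqlnd_ssl_peer *` with no NULL check, whereas the removed line tolerated a NULL `value` and read it as `zend_bool *`. A caller that still passes a pointer to a one-byte `zend_bool` (callers are not visible here) would have bytes beyond that object read, and the verification mode would depend on whatever follows it in memory. The read should be guarded: `enum mysqlnd_ssl_peer val = value ? *(const enum mysqlnd_ssl_peer *)value : MYSQLND_SSL_PEER_DEFAULT;`. The `default:` branch also logs "default = MYSQLND_SSL_PEER_DEFAULT_ACTION" while assigning `MYSQLND_SSL_PEER_DEFAULT`, which the enable_ssl change in this commit can resolve to no verification. An unrecognised value should fail closed with `val = MYSQLND_SSL_PEER_VERIFY;`. The switch body is only partly visible in this hunk.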
357 @@ -886,6 +905,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
358 #ifdef MYSQLND_SSL_SUPPORTED
359 php_stream_context * context = php_stream_context_alloc(TSRMLS_C);
360 php_stream * net_stream = net->data->m.get_stream(net TSRMLS_CC);
361 + zend_bool any_flag = FALSE;
363 DBG_ENTER("mysqlnd_net::enable_ssl");
365 @@ -896,12 +916,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
367 ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
368 php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
371 - zval verify_peer_zval;
372 - ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer);
373 - php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
374 - php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
377 if (net->data->options.ssl_cert) {
379 @@ -910,27 +925,48 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
380 if (!net->data->options.ssl_key) {
381 php_stream_context_set_option(context, "ssl", "local_pk", &cert_zval);
385 if (net->data->options.ssl_ca) {
387 ZVAL_STRING(&cafile_zval, net->data->options.ssl_ca, 0);
388 php_stream_context_set_option(context, "ssl", "cafile", &cafile_zval);
391 if (net->data->options.ssl_capath) {
393 ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
394 php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
397 if (net->data->options.ssl_passphrase) {
398 zval passphrase_zval;
399 ZVAL_STRING(&passphrase_zval, net->data->options.ssl_passphrase, 0);
400 php_stream_context_set_option(context, "ssl", "passphrase", &passphrase_zval);
403 if (net->data->options.ssl_cipher) {
405 ZVAL_STRING(&cipher_zval, net->data->options.ssl_cipher, 0);
406 php_stream_context_set_option(context, "ssl", "ciphers", &cipher_zval);
410 + zval verify_peer_zval;
413 + if (net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_DEFAULT) {
414 + net->data->options.ssl_verify_peer = any_flag? MYSQLND_SSL_PEER_DEFAULT_ACTION:MYSQLND_SSL_PEER_DONT_VERIFY;
417 + verify = net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_VERIFY? TRUE:FALSE;
419 + DBG_INF_FMT("VERIFY=%d", verify);
420 + ZVAL_BOOL(&verify_peer_zval, verify);
421 + php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
422 + php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
425 php_stream_context_set(net_stream, context);
426 if (php_stream_xport_crypto_setup(net_stream, STREAM_CRYPTO_METHOD_TLS_CLIENT, NULL TSRMLS_CC) < 0 ||
427 php_stream_xport_crypto_enable(net_stream, 1 TSRMLS_CC) < 0)
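Review bot: When `ssl_verify_peer` is `MYSQLND_SSL_PEER_DEFAULT` and `any_flag` is false, the added block selects `MYSQLND_SSL_PEER_DONT_VERIFY`, so a connection requested with only the SSL flag is encrypted but the server is never authenticated, and the caller gets no indication of that. The commit message says this is intended, but it deserves a comment at the assignment, e.g. `/* no key/cert/CA configured: encryption only, peer is NOT authenticated */`, and a mention in the user documentation. The block also writes the resolved mode back into `net->data->options.ssl_verify_peer`, so the stored tri-state is lost after the first call. Keeping the result in a local, `enum mysqlnd_ssl_peer effective = net->data->options.ssl_verify_peer;`, and deriving `verify` from that would leave the option as configured. Where `any_flag` is set to TRUE is not visible in this hunk, and the function continues outside it.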
428 diff --git a/ext/mysqlnd/mysqlnd_structs.h b/ext/mysqlnd/mysqlnd_structs.h
429 index 170c977..f5d0b47 100644
430 --- a/ext/mysqlnd/mysqlnd_structs.h
431 +++ b/ext/mysqlnd/mysqlnd_structs.h
432 @@ -207,7 +207,13 @@ typedef struct st_mysqlnd_net_options
435 char *ssl_passphrase;
436 - zend_bool ssl_verify_peer;
437 + enum mysqlnd_ssl_peer {
438 + MYSQLND_SSL_PEER_DEFAULT = 0,
439 + MYSQLND_SSL_PEER_VERIFY = 1,
440 + MYSQLND_SSL_PEER_DONT_VERIFY = 2,
442 +#define MYSQLND_SSL_PEER_DEFAULT_ACTION MYSQLND_SSL_PEER_VERIFY
446 char * sha256_server_public_key;
447 @@ -219,6 +225,7 @@ typedef struct st_mysqlnd_net_options
448 } MYSQLND_NET_OPTIONS;
452 typedef struct st_mysqlnd_connection MYSQLND;
453 typedef struct st_mysqlnd_connection_data MYSQLND_CONN_DATA;
454 typedef struct st_mysqlnd_net MYSQLND_NET;