Enable MySQL/MariaDB SSL for PDO/Laravel

Server side setup

Refer to this manual from MariaDB

require_secure_transport = ON could be added to the my.cnf file to enforece SSL for all connections (including those from localhost & unix socket)

One way SSL

Without CA verification


$pdo = new PDO('mysql:host=db.example.com;dbname=image', 'laravel', 'laravel',array(
    PDO::MYSQL_ATTR_SSL_CA     => true,

Laravel (config/database.php)

// under mysql => options
'options' => extension_loaded('pdo_mysql') ? [
        PDO::MYSQL_ATTR_SSL_CA     => true,
 ] : []

PLEASE NOTE: array_filter in this original config file is REMOVED. Because entries with empty() value will be filtered, so that MYSQL_ATTR_SSL_VERIFY_SERVER_CERT will be removed.

MYSQL_ATTR_SSL_CA is set just to enable SSL (like mysql -h …. -u … -p –ssl)

With CA verification

PLEASE BE AWARE, the cert in this mode is domain validated. The MySQL server should use a cert with matched common name, 'db.example.com' for example. the use of domain name for the host is preferred.

Same to without verification, but set MYSQL_ATTR_SSL_VERIFY_SERVER_CERT to true. (Or just remove the attribute, since it's true by default)

Two way (mutual) SSL

PDO::MYSQL_ATTR_SSL_CA => "/path/to/ca-cert.pem",
PDO::MYSQL_ATTR_SSL_CERT => "/path/to/client-cert.pem",
PDO::MYSQL_ATTR_SSL_KEY => "/path/to/client-key.pem",

MYSQL_ATTR_SSL_VERIFY_SERVER_CERT could be true or false, it depends.

Common Errors

PHP 'illegal hardware instruction' on MacOS

I'm using MacOS 10.15 using PHP 7.4.11 from homebrew.
This error basically happens when PDO SSL setup/verification failed.
For example:

PDO::__construct(): SSL operation failed with code 1. OpenSSL Error messages

Or maybe

PDO::__construct(): Peer certificate CN=Common name' did not match expected CN= domain'

I believe it's a platform specific issue.

PDO attribute not received by Laravel

Mentioned already.
array_filter will filter out all attributes with value of null/false/0/"" …
Remove it when you have to use those values.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.