Thursday, February 18, 2016

Re: [google-cloud-sql-discuss] Re: Cannot connect to Cloud SQL via SSL from PHP

As you noticed, Cloud SQL does not make the common name match the IP address of the instance. Instead of relying on public CAs and verifying the certificate chain, with Cloud SQL a one-off CA certificate is distributed to the client. This is more secure as it avoids trusting the hundreds of trusted CAs.

Making this work requires the client to be configured to use the provided CA certificate and to disable peer name verification. With PDO you can do the former with MYSQL_ATTR_SSL_CA. PDO doesn't offer an option to do the latter.

If you are able to switch to the mysqli interface then you can use the MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT flag to mysqli_real_connect to disable peer name verification.

On Thu, Feb 18, 2016 at 3:26 AM, 小川純平 <ogawa@growaspeople.org> wrote:
Sorry, I forgot to write some info.

1. I'm using Google Cloud SQL 1st generation
2. I'm using PHP 5.6 from Remi repo.

--
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/0ae3d9f7-5c3a-4dde-800a-1f25ba9502b1%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
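
The mysqli connection described in the reply above, as an added example that is not part of the original thread. The function name, host, credentials and certificate file paths are placeholders (assumptions); the example also checks after connecting that the session really negotiated TLS, which confirms encryption only and not the server's identity.

```php
<?php
// Added example, not code from the thread. connect_cloud_sql() is a
// hypothetical helper; host, credentials and file paths are placeholders.
function connect_cloud_sql($host, $user, $pass, $dbname, $caFile, $certFile = null, $keyFile = null)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }

    $db = mysqli_init();

    // Use the CA certificate provided for the instance (the mysqli
    // counterpart of PDO's MYSQL_ATTR_SSL_CA mentioned in the reply).
    $db->ssl_set($keyFile, $certFile, $caFile, null, null);

    // Flag named in the reply, needed because the certificate's common
    // name does not match the instance IP address.
    $flags = MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;

    if (!@$db->real_connect($host, $user, $pass, $dbname, 3306, null, $flags)) {
        throw new RuntimeException('Connect failed: ' . mysqli_connect_error());
    }

    // Fail closed: an empty Ssl_cipher means the session is not encrypted.
    $res = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    $row = $res ? $res->fetch_row() : null;
    if (!$row || $row[1] === '') {
        $db->close();
        throw new RuntimeException('Connection is not using TLS');
    }

    return $db;
}

// Placeholder values: replace with the instance address and downloaded files.
try {
    $db = connect_cloud_sql(
        '203.0.113.10', 'app_user', 'app_password', 'app_db',
        '/etc/mysql-ssl/server-ca.pem',
        '/etc/mysql-ssl/client-cert.pem',
        '/etc/mysql-ssl/client-key.pem'
    );
    echo "Connected over TLS\n";
} catch (Exception $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
}
```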

