Friday, February 19, 2016

Re: [google-cloud-sql-discuss] Re: Cannot connect to Cloud SQL via SSL from PHP

We do not have a usable CN because, depending on user config, there might not be an IP address at all and the IP address can change. Additionally, because we provide a CA that is distributed by the user and is the sole trusted CA of clients, verifying the CN isn't actually needed for security: a man-in-the-middle attack is not possible because an attacker cannot generate a certificate that would be trusted.

We do see the fact that users such as yourself have difficulties as a problem, and we have an internal issue open to address this. Unfortunately, poor configurability of client libraries like PDO makes this difficult.

David

On Fri, Feb 19, 2016 at 12:57 AM, 小川純平 <ogawa@growaspeople.org> wrote:
Hi Matsuo san

Unfortunately I decided to use Amazon RDS this time.

> Unfortunately you're correct as long as you want to use the SSL connection and somewhat newer versions of PHP

I found that SSL verification was introduced in 5.6:
http://php.net/manual/en/migration56.openssl.php#migration56.openssl.peer-verification

I considered using 5.5 or older, but 5.5's EOL is next July.

CentOS 6 provides PHP 5.3.3, but CakePHP requires 5.3.7+ for SSL connection to MySQL.

Red Hat / CentOS 7 provides PHP 5.4 and it looks like the best solution for using Google Cloud SQL, but because my task is heavily delayed, it is difficult to choose to rewrite my Ansible configs.

I wonder if it is possible to include the Cloud SQL instance IP as the CN in the certificate. It looks better than adding a function to PDO that makes it less secure.
Sorry if I misunderstood David's explanation.

--
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/16b92ac7-450b-4083-ae5f-49bfe4fb8fe0%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

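The trust model David describes, as an added demonstration that is not part of the thread or of Cloud SQL's own tooling: a throw-away private CA is built with the openssl command-line tool (1.0.2 or later for -verify_hostname), a server certificate is issued under it with an opaque identifier as its CN, and two checks are compared: chain validation against the pinned CA alone, and chain validation plus a hostname match of the kind PHP 5.6's stream layer insists on. Every name below is a constructed placeholder, and the argument assumes the pinned CA issues certificates for one instance only.

```shell
#!/bin/sh
# Added demonstration, not from the thread: with a private CA as the sole
# trust anchor, the chain check is what blocks an interposed certificate;
# the CN/hostname check is a separate test that fails for the legitimate
# server only because its CN is an opaque identifier. All names are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The private CA, standing in for the CA the service hands to its users.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Private CA (placeholder)" \
    -keyout ca.key -out ca.pem 2>/dev/null

# 2. The server certificate, issued by that CA. Its CN is an opaque instance
#    identifier, not the hostname or IP address a client connects to.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=instance-id-placeholder" \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
    -CAcreateserial -days 1 -out server.pem 2>/dev/null

# 3. A certificate from outside the trust anchor: self-signed, carrying
#    exactly the hostname a client expects in its CN.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=db.example.invalid" \
    -keyout other.key -out other.pem 2>/dev/null

# Chain check only: does the certificate chain to the pinned CA?
# Succeeds for server.pem, fails for other.pem whatever its CN says.
chain_ok() {
    openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
}

# Chain check plus hostname match: the behaviour of a client that also
# verifies the peer name. Fails for server.pem because its CN is not the
# hostname, which is the breakage the thread is about.
chain_and_host_ok() {
    openssl verify -CAfile ca.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
}
```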
