PHP mysqlnd sha256_password plugin "Access denied", user works from cli mysql

1.3k views Asked by At

I'm trying to secure a mysql connection with SSL and password encryption by sha256. My setup works as expected from the cli mysql and when using native mysql password. When trying to connect as a user with sha256 pasword i get "HY000/1045): Access denied for user 'sha256user'@'192.168.120.45' (using password: YES)", but I can connect the same user by cli mysql. I have the same problem both on locally and when trying from a remote host.

[root@vt0-0-7 bin]# /ct/nih/mysql-5.6/bin/mysql -u sha256user -p -h 192.168.120.30
Enter password: 

...

mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+
1 row in set (0.02 sec)

mysql> 

My php setup:

[root@vt0-0-7 bin]# php --version
PHP 5.6.9 (cli) (built: Jun  3 2015 13:06:06) 
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies
[root@vt0-0-7 bin]# 
[root@vto-0-5 bin]# php -i | grep -n mysqlnd
6:Configure Command =>  './configure'  '--prefix=/ct/nih/php-5.6.9/' '--with-mysql=mysqlnd' '--with-pdo-mysql=mysqlnd' '--with-xsl' '--with-libxml-dir' '--with-mysqli=mysqlnd' '--with-openssl' '--with-zlib' '--enable-ftp' '--with-apxs2=/ct/nih/httpd-2.2.29/bin/apxs' '--enable-sockets' '--with-curl' '--with-mcrypt' '--with-readline' '--with-pcre-regex=/ct/nih/pcre-8.20' '--enable-soap' '--without-sqlite3' '--without-pdo-sqlite' '--enable-mbstring'
280:Client API version => mysqlnd 5.0.11-dev - 20120503 - $Id:3c688b6bbc30d36af3ac34fdd4b7b5b787fe5555 $
298:Client API library version => mysqlnd 5.0.11-dev - 20120503 - $Id: 3c688b6bbc30d36af3ac34fdd4b7b5b787fe5555 $
316:mysqlnd
318:mysqlnd => enabled
319:Version => mysqlnd 5.0.11-dev - 20120503 - $Id: 3c688b6bbc30d36af3ac34fdd4b7b5b787fe5555 $
329:Loaded plugins => mysqlnd,debug_trace,auth_plugin_mysql_native_password,auth_plugin_mysql_clear_password,auth_plugin_sha256_password
332:mysqlnd statistics =>  
521:Client API version => mysqlnd 5.0.11-dev - 20120503 - $Id: 3c688b6bbc30d36af3ac34fdd4b7b5b787fe5555 $
[root@vto-0-5 bin]# 

When I use a user with "native password" PHP uses an SSL connection.

PHP connection code:

$this->dbh = mysqli_init();
$res = $this->dbh->ssl_set(DB_CLIENT_KEY, DB_CLIENT_CERT, DB_CA_CERT, NULL, NULL);
$user="sha256user";
$pass="Sh@256Pa33";
$connRes = $this->dbh->real_connect($dbHost, $user , $pass, $dbName, 3306, NULL, MYSQLI_CLIENT_SSL);

Edit: MySQL is compiled locally with:

$> cmake . -DWITH_SSL=system

$> mysql --version
mysql  Ver 14.14 Distrib 5.6.25, for Linux (x86_64) using  EditLine wrapper
$> 

Does anyone have any idea where to look for the problem?

1

There are 1 answers

2
Samuel Åslund On BEST ANSWER

This is an official MySQL bug since July 2015: http://bugs.mysql.com/bug.php?id=77595