Errors when encrypting database

9 posts by 3 authors in: Forums > CMS Builder
Last Post: August 23, 2019

By gkornbluth - August 10, 2019

Hi All,

I tried encrypting fields in a database for the first time and had some interesting (but frustrating) results.

After encryption on a site (with an SSL certificate), I received the following error:

Warning: mysqli::real_connect(): this stream does not support SSL/crypto in /home4/zcfzmsmy/public_html/test/cmsAdmin/lib/database_functions.php on line 58
Warning: mysqli::real_connect(): Cannot connect to MySQL by using SSL in /home4/zcfzmsmy/public_html/test/cmsAdmin/lib/database_functions.php on line 58
Warning: mysqli::real_connect(): [2002] (trying to connect via (null)) in /home4/zcfzmsmy/public_html/test/cmsAdmin/lib/database_functions.php on line 58
Warning: Cannot modify header information - headers already sent by (output started at /home4/zcfzmsmy/public_html/test/cmsAdmin/lib/database_functions.php:58) in /home4/zcfzmsmy/public_html/test/cmsAdmin/lib/menus/dbConnectionError.php on line 4
Warning: Cannot modify header information - headers already sent by (output started at /home4/zcfzmsmy/public_html/test/cmsAdmin/lib/database_functions.php:58) in /home4/zcfzmsmy/public_html/test/cmsAdmin/lib/menus/dbConnectionError.php on line 5
Warning: Cannot modify header information - headers already sent by (output started at /home4/zcfzmsmy/public_html/test/cmsAdmin/lib/database_functions.php:58) in /home4/zcfzmsmy/public_html/test/cmsAdmin/lib/menus/dbConnectionError.php on line 6

After removing 'requireSSL' => '1', in settings.dat.php I was able to access the site and database again, and I was able to encrypt fields in the database.

The need to remove that line doesn’t seem right, but I’m sure that there’s a logical explanation.

____________________________________

A bigger concern is that the value of 'columnEncryptionKey' => 'myencryptionkey', is visible in plain text in the settings.dat.php file, along with my database name and database password.

Based on this, I’m feeling that there’s a bit of false security going on here, since even a novice hacker has all the information that they need to hack sensitive data in a database backup, in one neat package.

I’m using Bluehost, and I’ve got to believe that their security is pretty high. So if my site is hacked, it will have been done by an experienced hacker.

Are there any plans in the works to store these values in an encrypted format? (I think users' passwords are already stored that way)

Thanks,

Jerry Kornbluth

The first CMS Builder reference book is now available on-line!

Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By gkornbluth - August 11, 2019

Hi Larry,

Thanks for the explanation.

From what you said, I now understand the limitations of the encrypting fields in a database feature available in CMSB a bit better.

It's unfortunate that there isn't a way to encrypt the columnEncryptionKey, or at least bury it in a more obscure place than the settings.dat.php file.

I'm still not sure why I got the errors related to 'requireSSL' => '1', on a site that has SSL enabled.

Best,

Jerry

By daniel - August 14, 2019

Hey Jerry,

I can echo Larry's info above. When it comes to security there are often tradeoffs when it comes to how secure a measure is vs. its complexity and cost. We try to strike a good balance that allows CMSB to stay easy to use, though we're always looking for ways to continue improving these sorts of things.

As for why "requireSSL" was causing errors - this setting is specifically for encrypting MySQL connections and corresponds to the "Connections" checkbox under Database Encryption in Security Settings. This is different from the "requireHTTPS" setting which refers to encrypting HTTP connections. The MySQL server requires its own separate configuration in order to support SSL connections, and lacking this support will cause errors when an encrypted connection is attempted. We try to detect whether or not the MySQL server supports SSL before allowing this setting to be turned on, but there may be some edge cases where this detection isn't perfect.

Can you confirm if the "Database Encryption > Connections" checkbox is enabled in your CMSB settings? If so I'd be interested in figuring out what's causing the discrepancy.

Thanks!

Daniel
PHP Programmer
interactivetools.com

By gkornbluth - August 15, 2019 - edited: August 15, 2019

Hi Daniel,

Thanks for looking at this.

The "Database Encryption > Connections" checkbox was not checked the first time the error occurred.

When I check it, the database access error occurs again.

The only way that I can then "uncheck" the box is to comment out the 'requireSSL' => '1', line in the settings file and re-upload it. Then go into admin>general, uncheck the box and save.

I've had to go back and comment out the line a second time on some of the tests.

Hope that helps,

Jerry Kornbluth

By daniel - August 15, 2019

Hi Jerry,

Thanks for this feedback!

The curious thing here is that if your MySQL server doesn't support the encrypted connection, the checkbox should be disabled entirely. Would you be willing to let us access the site to investigate the issue more closely? If so, you can send the CMS/FTP details through a support request here: https://www.interactivetools.com/support/request/ 

Thanks again,

Daniel
PHP Programmer
interactivetools.com

By gkornbluth - August 15, 2019

Sure

By daniel - August 23, 2019

Hey Jerry,

Thanks for sending the info! I was able to figure out the issue. The short version is that on some systems, it's not possible to establish an encrypted MySQL connection using the "localhost" hostname. A proper domain name or IP address needs to be used instead. So while your server supports the connection (enabling the checkbox), it was causing an error due to your config using "localhost". We'll add an update for the next version of CMSB that disables the option in this case and provides some clarification in the text.

Also, it's worth noting that DB connection encryption provides no security benefit when the database is using localhost (the data is never transmitted over a network so there's no danger of it being intercepted), so there's no real need to "work around" this issue. 

Let me know if you have any other questions!

Thanks,

Daniel
PHP Programmer
interactivetools.com
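
The localhost case described in the post above, as an added PHP example that is not part of the thread and is not CMS Builder code: it decides from the configured DB host whether requesting TLS makes sense, and after connecting reports whether the session is actually encrypted. The function names `dbTlsAdvice` and `connectAndReport`, the port, and the host `db.example.com` are assumptions made for illustration.

```php
<?php
// Added example, not CMS Builder code. Function names and sample hosts are hypothetical.
// Assumption (documented mysqli behaviour on Unix-like hosts): the literal host
// "localhost" is reached over a local socket rather than TCP, and that stream cannot carry TLS.
function dbTlsAdvice(string $host): array {
    $h = strtolower(trim($host));
    if ($h === '' || $h === 'localhost') {
        return ['useTls' => false, 'reason' => 'local socket: TLS not available and not needed'];
    }
    if ($h === '::1' || strpos($h, '127.') === 0) {
        return ['useTls' => false, 'reason' => 'loopback TCP: traffic never leaves the host'];
    }
    return ['useTls' => true, 'reason' => 'remote host: traffic crosses a network'];
}

// Connect, requesting TLS only when advised, then report what was negotiated.
function connectAndReport(string $host, string $user, string $pass, string $db): string {
    $advice = dbTlsAdvice($host);
    mysqli_report(MYSQLI_REPORT_OFF);          // return false on failure instead of throwing
    $mysqli = mysqli_init();
    $flags  = $advice['useTls'] ? MYSQLI_CLIENT_SSL : 0;
    if (!@$mysqli->real_connect($host, $user, $pass, $db, 3306, null, $flags)) {
        return "connect failed ({$advice['reason']}): " . mysqli_connect_error();
    }
    // Ssl_cipher is an empty string when the session is not encrypted.
    $res    = $mysqli->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    $row    = $res ? $res->fetch_assoc() : null;
    $cipher = $row['Value'] ?? '';
    $mysqli->close();
    return $cipher === '' ? "connected, unencrypted ({$advice['reason']})"
                          : "connected, TLS cipher $cipher";
}

// Constructed sample hosts; this loop runs without a database.
foreach (['localhost', '127.0.0.1', 'db.example.com'] as $host) {
    $a = dbTlsAdvice($host);
    printf("%-16s requireSSL=%s  %s\n", $host, $a['useTls'] ? '1' : '0', $a['reason']);
}
```

Calling `connectAndReport()` with real credentials shows the negotiated cipher, which confirms encryption on a remote database host rather than inferring it from the setting alone.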

By gkornbluth - August 23, 2019

Hey Daniel,

Thanks for the effort and for your clear explanation.

Best,

Jerry Kornbluth