Fix GH-8978: MySQLi: SSL certificate verification fails (port doubled)

If there are 2 ports, only the first is used. However, then the certificate checking fails. So we drop the second port if there is one. Closes GH-20021.
2026-03-24 00:02:20 +01:00 · 2025-09-30 21:17:34 +02:00
parent 56af25cc1c
commit 472f2fe0a3
2 changed files with 12 additions and 1 deletions
--- a/4
+++ b/4
@@ -26,6 +26,10 @@ PHP                                                                        NEWS
 - LibXML:
  . Fix not thread safe schema/relaxng calls. (SpencerMalone, nielsdos)

+- MySQLnd:
+  . Fixed bug GH-8978 (SSL certificate verification fails (port doubled)).
+    (nielsdos)
+
 - Opcache:
  . Fixed bug GH-20081 (access to uninitialized vars in preload_load()).
    (Arnaud)
--- a/ext/mysqlnd/mysqlnd_connection.c
+++ b/ext/mysqlnd/mysqlnd_connection.c
@@ -557,7 +557,14 @@ MYSQLND_METHOD(mysqlnd_conn_data, get_scheme)(MYSQLND_CONN_DATA * conn, MYSQLND_
 		if (hostname.s[0] != '[' && mysqlnd_fast_is_ipv6_address(hostname.s)) {
 			transport.l = mnd_sprintf(&transport.s, 0, "tcp://[%s]:%u", hostname.s, port);
 		} else {
-			transport.l = mnd_sprintf(&transport.s, 0, "tcp://%s:%u", hostname.s, port);
+			/* Not ipv6, but could already contain a port number, in which case we should not add an extra port.
+			 * See GH-8978. In a port doubling scenario, the first port would be used so we do the same to keep BC. */
+			if (strchr(hostname.s, ':')) {
+				/* TODO: Ideally we should be able to get rid of this workaround in the future. */
+				transport.l = mnd_sprintf(&transport.s, 0, "tcp://%s", hostname.s);
+			} else {
+				transport.l = mnd_sprintf(&transport.s, 0, "tcp://%s:%u", hostname.s, port);
+			}
 		}
 	}
 	DBG_INF_FMT("transport=%s", transport.s? transport.s:"OOM");