PDO connection to remote DB using SSL; FastCGI errors when verifying server cert
When a client validates the server certificate, following will be checked
- signature
- certificate validity period includes the current time
- certificate is not revoked (part of CRL)
- host name matches CN or alternative name(s)
- root ca
PDO with mysqlnd uses PHP streams, which checks the CN field only, but not Subject Alternative Names field(s). According to your code you specify an IP address to connect for, but not a name.
Unfortunately PHP also doesn't offer an additionally method for checking the sha finger print of peer certificate.
See also:
RFC 5280
PHP Bug 71845