|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2009-04-20 10:03 UTC] mkoppanen@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Mar 29 20:01:29 2025 UTC |
Description: ------------ In ext/openssl/openssl.c : php_openssl_parse_config might push errors into OpenSSL error stack in case the keys requested by the application are not found from the openssl.cnf file. This is fine normally but it seems that if error stack contains such an error all future calls to SSL_CTX_use_certificate_chain_file fail. This is a nasty side-effect since SSL_CTX_use_certificate_chain_file is used when opening streams that authenticate with client cert. I haven't tested if the SSL_CTX_use_certificate_chain_file fails with other errors than missing config keys. Probably does. The simple fix which fixes the issue seems to be the following: Index: openssl.c =================================================================== RCS file: /repository/php-src/ext/openssl/openssl.c,v retrieving revision 1.180 diff -u -r1.180 openssl.c --- openssl.c 29 Mar 2009 23:32:17 -0000 1.180 +++ openssl.c 16 Apr 2009 16:42:35 -0000 @@ -4674,6 +4674,10 @@ char resolved_path_buff[MAXPATHLEN]; if (VCWD_REALPATH(certfile, resolved_path_buff)) { + /* SSL_CTX_use_certificate_chain_file seems to be failing if error + stack is not cleared before using cert chain file */ + ERR_clear_error(); + /* a certificate to use for authentication */ if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff) != 1) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set local cert chain file `%s'; Check that your cafile/capath settings include details of your certificate and its issuer", certfile); Reproduce code: --------------- <?php $url = 'https://someurl.example.com/'; $crt = '/tmp/test.pem'; $context = stream_context_create(); stream_context_set_option($context, 'ssl', 'allow_self_signed', true); stream_context_set_option($context, 'ssl', 'local_cert', $crt); /* This call causes the failure */ openssl_pkey_new(); var_dump(file_get_contents($url, 0, $context)); /* The last error shows missing conf key warning */ echo openssl_error_string(); ?> Expected result: ---------------- No errors, everything works. Actual result: -------------- SSL_CTX_use_certificate_chain_file returns failure and the call fails.