Bug #78029 ldap_set_option doesn't always set TLS options.
Submitted: 2019-05-17 16:43 UTC Modified: 2022-02-11 12:44 UTC
Votes: 6
Avg. Score: 4.5 ± 0.5
Reproduced: 6 of 6 (100.0%)
Same Version: 2 (33.3%)
Same OS: 4 (66.7%)
From: will dot skates at ntlworld dot com Assigned:
Status: Open Package: LDAP related
PHP Version: 7.2.18 OS: Linux
Private report: No CVE-ID: None

 [2019-05-17 16:43 UTC] will dot skates at ntlworld dot com
Description:
------------
"ldap_set_option" doesn't behave predictably when you set TLS options. The tests for the extension [1] _seem_ to suggest that it should, just because they pass the resource as the first option.

The TLS context is established the first time an ldap connection is bound [2][3]. I think that means that if I want to change my TLS settings I have to restart php-fpm and hope I'm the first one to ldap_bind on the box.

[1]: https://github.com/php/php-src/blob/master/ext/ldap/tests/ldap_set_option_cafiles_basic.phpt
[2]: https://github.com/openldap/openldap/blob/b06f5b0493937fc28f2cc86df1d7f464aa4504d8/libraries/libldap/open.c#L193
[3]: https://github.com/openldap/openldap/blob/b06f5b0493937fc28f2cc86df1d7f464aa4504d8/libraries/libldap/tls2.c#L368

I'm running the two scripts using "php -S" and navigating to test1.php and test2.php respectively.

I'm not sure what the ideal solution is. OpenLDAP does provide the LDAP_OPT_X_TLS_NEWCTX and LDAP_OPT_X_TLS_CTX options to help deal with this but they both seem to alter the global scope around the function. The problem is just that I can't rely on "ldap_set_option" to actually do what I tell it to. It might be better to create a new TLS context for every connection as it gets bound so that OpenLDAP doesn't override it with the global state.

This is true if I bind using ldaps:// or StartTLS.

For testing I have slapd (2.4.47) running in a container and have generated my own CA, Client and Server certificates.

My LDAP extension info:
ldap

LDAP Support => enabled
RCS Version => $Id: 3839f871a91c293a52322c63329c68db23a0290a $
Total Links => 0/unlimited
API Version => 3001
Vendor Name => OpenLDAP
Vendor Version => 20446
SASL Support => Enabled

Directive => Local Value => Master Value
ldap.max_links => Unlimited => Unlimited



Test script:
---------------
https://pastebin.com/n1HUjCwD

Expected result:
----------------
NULL
NULL


Actual result:
--------------
NULL
string(131) "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)"

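An added reproduction harness that follows the report's two-request pattern; it is not the reporter's pastebin script and not code from php-src. Each call sets a CA file on its own link and binds over ldaps://, returning null on success or the OpenLDAP error text, so the first and second bind in one worker can be compared; a second helper shows the process-wide configuration a defender can fall back on while the per-link options are unreliable. The server URI, CA file paths, bind DN and password are constructed placeholders, and passing null as the link to set a global option is an assumption about the installed PHP build.

```php
<?php
// Added example (not the reporter's test script). All names and paths below
// are constructed placeholders.
declare(strict_types=1);

/**
 * Set per-link TLS options, then bind over ldaps://.
 * Returns null on success, or the error string, so the two calls below
 * mirror the "NULL" / "string(131) ... certificate verify failed" pair
 * shown in the report.
 */
function tlsBindWithCa(string $uri, string $caFile, string $dn, string $pw): ?string
{
    $ld = ldap_connect($uri);
    if ($ld === false) {
        return 'ldap_connect failed';
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Per-link TLS options. The report's point: OpenLDAP only honours
    // these if no TLS context has been built in this process yet.
    ldap_set_option($ld, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    ldap_set_option($ld, LDAP_OPT_X_TLS_CACERTFILE, $caFile);

    if (@ldap_bind($ld, $dn, $pw)) {
        ldap_unbind($ld);
        return null;
    }
    $diag = '';
    ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $err = ldap_error($ld) . ($diag !== '' ? ' (' . $diag . ')' : '');
    ldap_unbind($ld);
    return $err;
}

/**
 * Workaround while the bug is open: configure verification once, process-wide,
 * before any link exists, so every later bind in this worker uses the same
 * CA and the same REQUIRE_CERT policy. Assumption: a null link sets the
 * global option in this PHP build.
 */
function configureLdapTlsGlobally(string $caFile): bool
{
    return ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)
        && ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
}

// Run in one long-lived worker: the second call reuses the TLS context built
// by the first, so its different CA file is ignored and the bind fails.
$dn = 'cn=admin,dc=example,dc=test';
var_dump(tlsBindWithCa('ldaps://ldap.example.test', '/etc/ssl/ca-a.pem', $dn, 'secret'));
var_dump(tlsBindWithCa('ldaps://ldap.example.test', '/etc/ssl/ca-b.pem', $dn, 'secret'));
```

Calling configureLdapTlsGlobally() from a bootstrap file that runs before any ldap_connect() keeps every request in a php-fpm worker on the same, verified trust settings instead of whichever request happened to bind first.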
 [2022-02-11 12:44 UTC] requinix@php.net
-Block user comment: No +Block user comment: Yes
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 18:01:29 2024 UTC