php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #74688 SSL stream errors are not exposed by error_get_last()
Submitted: 2017-06-01 11:54 UTC Modified: 2021-01-14 12:52 UTC
Votes:2
Avg. Score:3.0 ± 2.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: bilge at scriptfusion dot com Assigned:
Status: Verified Package: HTTP related
PHP Version: 5.6.30 OS: Linux 2.6.32-642.6.2.el6.x86_64
Private report: No CVE-ID: None
View Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
42 - 33 = ?
Subscribe to this entry?

 
 [2017-06-01 11:54 UTC] bilge at scriptfusion dot com 
Description:
------------
Using file_get_contents() in an object oriented application can be perilous since it emits errors and warnings directly. We would prefer to silence the call, check the return value and if it's false retrieve the error message. e.g. if (false === @file_get_contents(...)) { $error = error_get_last(); }.

This strategy works well for HTTP calls but when one throws SSL into the mix the errors returned by error_get_last() are different from the ones emitted directly by file_get_contents(). More specifically, the errors become vague and unhelpful. The real details of the failure can only be seen by removing the silence operator (@) and thus this is the crux of the bug: it is not possible to see SSL errors in an object oriented environment.

N.B. Calling openssl_error_string() just returns false.

---
For example, the test script below outputs a general failure message such as:

"file_get_contents(https://[::1]:6666): failed to open stream: Connection refused"

However, since we are using a self-signed certificate, removing the silence operator yields a much more useful error message from OpenSSL:

file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The problem is PHP provides no way to capture this output from OpenSSL.

Test script:
---------------
if (false === $response = @file_get_contents(
    'https://[::1]:6666',
    false,
    stream_context_create([
        'http' => ['ignore_errors' => true],
    ])
)) {
    echo error_get_last()['message']; // file_get_contents(https://[::1]:6666): failed to open stream: Connection refused
    var_dump(openssl_error_string()); // bool(false)
    // We can't see the real error that occurred in the OpenSSL subsystem.
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-01-13 18:32 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-01-13 18:32 UTC] cmb@php.net 
Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-01-13 21:03 UTC] bilge at scriptfusion dot com
-Status: Feedback +Status: Assigned
 [2021-01-13 21:03 UTC] bilge at scriptfusion dot com 
Probably.
 [2021-01-14 12:47 UTC] cmb@php.net
-Status: Assigned +Status: Verified -Assigned To: cmb +Assigned To:
 [2021-01-14 12:47 UTC] cmb@php.net 
Confirmed for PHP 7.4 and 8.0.

The culprit is that SSL transports report errors directly, instead
of logging them to the stream wrapper error queue.  I don't think
that can be changed in stable versions for BC reasons, though.

openssl_error_string() is irrelevant for these errors, since SSL
transport errors are not supposed to be reported by that function
anyway.
 [2021-01-14 12:52 UTC] bilge at scriptfusion dot com 
What is the resolution, then? Does it get fixed targeting 9.0, or do we add openssl_transport_error_string()? Both seem like pretty poor solutions to me.
 [2022-02-28 08:51 UTC] larrybrenda665 at gmail dot com 
Outback Steakhouse Happy Hour: In Outback’s Bloomin’ Onion and its spicy signature Bloom sauce is out. Of. This. World, tasty! Although this isn’t available at Happy Hour, it’s worth noting, as it is a source of joy for me.
https://happy-hours-menu.info/outback-steakhouse-happy-hour/
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Oct 25 21:00:01 2025 UTC