php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #23220 IIS does not cleanly close SSL connections (SSL: fatal protocol error)
Submitted: 2003-04-15 01:52 UTC Modified: 2004-10-05 14:21 UTC
Votes:49
Avg. Score:4.6 ± 0.6
Reproduced:45 of 45 (100.0%)
Same Version:15 (33.3%)
Same OS:13 (28.9%)
From: storozhilov at mail dot ru Assigned:
Status: Closed Package: OpenSSL related
PHP Version: 4CVS OS: *
Private report: No CVE-ID:
 [2003-04-15 01:52 UTC] storozhilov at mail dot ru
<?php
  $fd = fsockopen(
    'ssl://www.somehost.com',
    443,
    $errno,
    $errstr,
    30
  );
  fputs($fd, "GET / HTTP/1.0\r\n\r\n");
  while (!feof($fd)) {
    echo fgets($fd, 1024);
  );
?>
After executing of this script following message appears:
Warning: fgets() [function.fgets]: SSL: fatal protocol error in /blah/blah/blah/blah.php on line NN

PHP was configured with following arguments:
#!/bin/sh
./configure --with-apache=../apache_1.3.27rusPL30.17 --with-mod_charset --with-pgsql=/usr/local/pgsql --with-mhash --with-sybase=/usr/local --with-openssl

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-08-21 20:18 UTC] scottm at spamcop dot net
I've not verified this patch will work and I'll hopefully test it tomorrow.

I believe it is reaching the end of the file and nr_bytes is returning 0 and this is being caught by an if statement which should be looking for -1.

--- network.c   Thu Aug 21 21:06:43 2003
+++ network.c.patched   Thu Aug 21 21:13:09 2003
@@ -1011,13 +1011,14 @@
                do {
                        nr_bytes = SSL_read(sock->ssl_handle, buf, count);
 
-                       if (nr_bytes <= 0) {
+                       if (nr_bytes < 0) {
                                retry = handle_ssl_error(stream, nr_bytes TSRMLS_CC);
                                if (retry == 0 && !SSL_pending(sock->ssl_handle)) {
                                        stream->eof = 1;
                                }
                        } else {
-                               /* we got the data */
+                               /* we got the data */
+                               stream->eof = 1;
                                break;
                        }
                } while (retry);
 [2003-10-08 07:30 UTC] wez@php.net
Could you try the next stable snapshot (due in a few minutes)?

I comitted a fix for a different bug that might make a
difference to this one.

If it hasn't fixed it, could you post an https:// URL
that reproduces the problem, so that I can investigate
further?

 [2003-10-26 14:41 UTC] wez@php.net
Re-opening at user request.

Users comments that have mysteriously vanished are:
===================================================

See the code below to verify , I'm not able to alter php versions since
it's hosted with my ISP so please test it with the latest version so it
can be closed as being fixed or further investigation needed. 

<?php

$method = "ssl://";
$host = "memberservices.passport.net";
$port = 443;
$url = "/";

$file = fsockopen($method.$host,$port,$errno,$errstr,30);
if(!$file) {
print ("error");
exit;
}
fputs($file,"GET ".$url." HTTP/1.1\r\n");
fputs($file,"Host: ".$host."\r\n");
fputs($file,"Connection: Keep-Alive\r\n");
fputs($file,"Cache-Control: no-cache\r\n\r\n");
while(!feof($file)) {
$output = fgets ($file, 1024);
}
fclose($file);

?>

output:

PHP Warning:  fgets(): SSL: fatal protocol error in
/path.to/test_ssl.php on line 18

Please put the bug to 'open'.

 [2003-11-28 11:42 UTC] ddwyer at starband dot net
Similar bug in PHP Win32 5.0B2
 [2003-11-28 17:12 UTC] wez@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

I've just comitted a fix for feof() that might solve this problem too.

Please try the next snapshot (dated after this notification) and let us know.
 [2003-12-12 20:54 UTC] tim at timcrider dot com
I am having the same problem on Red Hat 9.0 with PHP 5.0 B2. It's coming from Net/Socket.php
 [2003-12-23 14:01 UTC] pta at interkan dot net
I've been experiencing the same problem with PHP 4.3.4 running on a Linux Slackware/Apache server.  The problem did initially crop up inside the PEAR Socket class which I'm trying to use to connect to Authorize.Net's gateway.  Here's the exact message returned (with path changes):

Warning: fread(): SSL: fatal protocol error in /path/to/Net/Socket.php on line 243
 [2004-01-08 06:14 UTC] a at anseljh dot com
Red Hat 9
PHP 4.3.4, Apache 2.0.48, OpenSSL 0.9.7c (built from source)

Also happens with either fread() or feof() on an SSL socket connection opened with fsockopen ($request):

while (!feof($request)) $response .= fread($request, 4096);

This code works flawlessly on a non-SSL socket connection.
 [2004-01-11 11:01 UTC] heino@php.net
This bug is apparently still living; even in PHP 5.0b3...
 [2004-01-12 06:42 UTC] sniper@php.net
Keep it assigned to the only person who can fix it..

 [2004-01-27 12:58 UTC] admin at jazzfanz dot com
I'm sorry but I can't really tell based on this thread if there was ever a version of PHP where this problem was corrected.  Is there a version?

I'm on 4.3.3 currently under IPlanet.

Is there a workaround without using cURL?
 [2004-02-04 18:48 UTC] douga at accessdata dot com
I am seeing the same error. It appears to be generated after the following loop has completed. More specifically, the Warning message is emitted just after the loop terminates.

while( !feof($handle) )
{
   echo "Looping to read in all of the reply.<br>";
   $reply .= fgets($handle);
}

PHP 4.3.4 compiled with --with-openssl

What other information would be helpful?
 [2004-02-16 17:00 UTC] aaron_hawryluk at shaw dot ca
This also seems to cause a problem with file_get_contents which I am using to retrieve transaction data.  Test case is:
<code><?php
file_get_contents("https://any.secure.server");
?></code>
returns:
<code>Warning: file_get_contents(): SSL: fatal protocol error in /usr/local/www/data-dist/navdev/test.php on line 2</code>

...plus whatever data the secure server provides.
 [2004-02-16 19:58 UTC] scottmacvicar at ntlworld dot com
Found the cause of this now.

Its Microsoft's we can do what we want attituide in regards to IIS.

An EOF occured but the SSL "close_notify" message hasn't been sent.

I'll write a patch and post it tomorrow hopefully.
 [2004-02-16 20:16 UTC] scottmacvicar at ntlworld dot com
Since this indeed an error but it will happen anytime you make an HTTPS request to IIS i think the error should be changed to E_NOTICE and the error message updated to what it actually does.

Patch
---
diff -u network.c network.c.patched
--- network.c   2004-02-17 01:20:49.000000000 +0000
+++ network.c.patched   2004-02-17 01:22:23.000000000 +0000
@@ -870,8 +870,8 @@
                case SSL_ERROR_SYSCALL:
                        if (ERR_peek_error() == 0) {
                                if (nr_bytes == 0) {
-                                       php_error_docref(NULL TSRMLS_CC, E_WARNING,
-                                                       "SSL: fatal protocol error");
+                                       php_error_docref(NULL TSRMLS_CC, E_NOTICE,
+                                                       "SSL: EOF occurred in violation of protocol");
                                        stream->eof = 1;
                                        retry = 0;
                                } else {
 [2004-02-18 19:12 UTC] iliaa@php.net
Marking as documentation problem. Some (IIS) non-standard 
compliant servers send data in a way that causes PHP to 
raise warnings. When working with such servers you should 
lower your error_reporting level not to include warnings. 
 [2004-02-19 11:00 UTC] nlopess@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.


 [2004-04-30 06:24 UTC] mike dot davsi at temple dot edu
I'm seeing this against an apache server.  What version is this fixed in? 

file_get_contents("https://.....");

PHP 4.3.2 (cgi), Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies

I have fixed it for now with error_reporting but would like to get a true fix.
 [2004-04-30 15:03 UTC] obercik at poczta dot onet dot pl
PHP Version 5.0.0RC2

Configure Command 	'./configure' '--with-openssl' ...

if ( $fp = fopen("https://xxxxxxxx, "r") ) {
	while ( $row = fgets($fp, 1024) ) {
		print($row);
	}
	fclose($fp);
}

Warning: fgets() [function.fgets]: SSL: fatal protocol error in xxxxxxxxxxxxxxxxxxx.php on line xx

however it GETS the data...
 [2004-05-03 17:56 UTC] grizu1 at gmx dot info
Hi,
this bug still exists on php4-STABLE-200405031430. ;-(

System:
- Linux (RedHat 8) 2.4.20-28.8 #1 Thu Dec 18 12:53:39 EST 2003 i686 i686 i386 GNU/Linux
- php4-STABLE-200405031430
- OpenSSL 0.9.6b

Configure command:
'./configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mysql' '--with-openssl' '--with-sapdb=/opt/sapdb/interfaces/odbc/'

php-script:
<?php
        $url = "https://foo.bar";
        file_get_contents($url);
?>

Output:
Warning: file_get_contents(): SSL: fatal protocol error in /www/www.default.de/html/https2.php on line 3


Any help for me?

Greetings
grizu
 [2004-05-23 13:02 UTC] wez@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

This has just been fixed in CVS.

Note that due to the nature of the problem (eg: IIS being at fault), there is no way for PHP to determine the difference between a legitimate problem and a bogus IIS unless you are using the built-in HTTP wrapper: we inspect the headers to determine if we should show the warning or not.

So, if you are manually opening an SSL stream, you still need to suppress the warning yourself based on the presence of "Server: Microsoft-IIS" in the headers that you read.


 [2004-05-23 13:04 UTC] wez@php.net
Stupid bug system...
The will be in the next snapshot from http://snaps.php.net.

 [2004-08-24 20:54 UTC] robert at osuosl dot org
I've noticed we've all dismissed this as a Microsoft IIS error, but we've been receiving the same warning using Apache 1.3.31 and PHP 5.0.0 and PHP 5.0.1, configured with the following options:
./configure --with-mysql=shared,/usr --prefix=/usr --with-apxs=/usr/bin/apxs-ssl --disable-rpath --with-layout=GNU --with-pear=/usr/share/php --enable-ftp --with-gettext --enable-sockets --with-zlib --with-kerberos=/usr --with-openssl --with-exec-dir=/usr/lib/php5/libexec --with-dom=shared,/usr --with-xsl --with-gettext

Have any apache users had this error and corrected it?
 [2004-10-05 09:19 UTC] jon at latchkey dot com
I'm seeing this in 5.0.2 using HTTP_Client-1.0.0 and HTTP_Request-1.2.3, Net_Socket-1.0.2.

require_once 'HTTP/Client.php';

$url = 'https://wipcore.t-mobile.com/login';
$data = array(
        txtMSISDN=>'myphonenumber',
        txtPassword=>'mypassword',
        tmobile=>'true',
        chkRemember=>'chkRemember',
        hdnAOL=>'');

$client = new HTTP_Client();
$response = $client->post($url, $data);
$response = $client->currentResponse();
print_r($response);
?>

Warning: fread() [function.fread]: SSL: fatal protocol error in /usr/local/lib/php/Net/Socket.php on line 262
Array ( [code] => 200 [headers] => Array ( [Date] => Tue, 05 Oct 2004 06:58:40 GMT [date] => Tue, 05 Oct 2004 06:58:40 GMT [X-Powered-By] => ASP.NET [x-powered-by] => ASP.NET [cache-control] => private [pragma] => no-cache [x-rim-content-location] => "/appdata/rim/idlescreen/carrier/brand" [X-ContentSig] => "iQA/AwUAjc1EX/glq1oAoLnzxyr1/ldOXKnENFEa88tQ+IIE" [x-contentsig] => "iQA/AwUAjc1EX/glq1oAoLnzxyr1/ldOXKnENFEa88tQ+IIE" [Connection] => close [connection] => close [Content-Type] => text/html [content-type] => text/html [Cache-control] => private [Content-Encoding] => gzip [content-encoding] => gzip [Transfer-Encoding] => chunked [transfer-encoding] => chunked [Expires] => Wed, 01 Jan 1997 12:00:00 GMT [expires] => Wed, 01 Jan 1997 12:00:00 GMT [Vary] => Accept-Encoding [vary] => Accept-Encoding ) [body] =>
 [2004-10-05 14:21 UTC] wez@php.net
jon at latchkey dot com:
ask the authors of those packages to read this report and fix their code.  It is not a PHP bug.
 [2004-10-18 09:07 UTC] papercrane at reversefold dot com
For those interested, I have submitted a bug report for PEAR::Net_Socket and added a comment to a bug report for HTTP_Request.

I would include bug #'s and links, but the bug system seems to have just gone down...
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 23:01:58 2014 UTC