php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #36445 Cannot enable encryption for stream server
Submitted: 2006-02-18 18:20 UTC Modified: 2007-05-19 18:47 UTC
Votes:13
Avg. Score:4.8 ± 0.6
Reproduced:13 of 13 (100.0%)
Same Version:7 (53.8%)
Same OS:3 (23.1%)
From: Jacek at veo dot pl Assigned: wez (profile)
Status: Closed Package: Sockets related
PHP Version: 5.2.2 OS: Ubuntu 7.04
Private report: No CVE-ID: None
 [2006-02-18 18:20 UTC] Jacek at veo dot pl
Description:
------------
I am creating a SMTP server based on PHP. I have a problem with TLS encryption. I tried to enable crypto after stream_socket_accept - it failed.

./configure --with-apxs2 --with-config-file-path --with-libxml-dir --with-zlib --with-zlib-dir --enable-bcmath --with-bz2 --enable-calendar --with-curl --enable-dba --with-inifile --with-flatfile --enable-dbase --enable-exif --enable-filepro --enable-ftp --with-openssl --with-openssl-dir --with-gd --with-jpeg-dir --with-png-dir --without-xpm-dir --with-freetype-dir --enable-gd-native-ttf --with-imap --with-imap-ssl --enable-mbstring --with-mysql --with-mysqli --with-pdo-mysql --enable-soap --enable-sockets --enable-sqlite-utf8 --with-xmlreader --enable-memory-limit --with-iconv --with-ncurses

Reproduce code:
---------------
<?php
$context = stream_context_create();
stream_context_set_option($context, 'tls', 'local_cert', '/server.misc');

echo 1;
$ssl = stream_socket_server('tls://0.0.0.0:4445', $errnum, $errstr, STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $context);
echo 2;
stream_socket_enable_crypto($ssl, TRUE, STREAM_CRYPTO_METHOD_TLS_SERVER);
echo 3;
fclose($ssl);
?>

Expected result:
----------------
123

Actual result:
--------------
12

And script is running. When I try to connect - I can, but script don't "go ahead".

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-02-22 11:06 UTC] tony2001@php.net
Wez, plz take a look at this reproduce code:
<?php
$ssl = stream_socket_server('tcp://127.0.0.1:4445', $errnum, $errstr);
stream_socket_enable_crypto($ssl, TRUE, STREAM_CRYPTO_METHOD_SSLv23_SERVER);
?>
 [2006-02-22 11:13 UTC] Jacek at veo dot pl
The same problem.
 [2006-05-04 19:15 UTC] eddi at ai000 dot de
#!/opt/php/513/bin/php
<?php
error_reporting(2047);
$c=array('tls'=>array(	'verify_peer'		=>false,
			'allow_self_signed'	=>true,
			'cafile'		=>'/opt/php/testscripts/newkey.pem',
			'capath'		=>'/opt/php/testscripts/',
			'local_cert'		=>'/opt/php/testscripts/newkey.pem',
			'passphrase'		=>'smtp',
			'CN_match'		=>'ai000.de'
			)
	);
$tls=stream_context_create($c);
$c=stream_socket_server('tcp://127.0.0.1:1100',$er,$es,STREAM_SERVER_BIND|STREAM_SERVER_LISTEN,$tls);
while(1){
	if($s=@stream_socket_accept($c)){
		echo "Verbindung\n".openssl_error_string()."\n\n";
		@fwrite($s,"220 ESMTP\r\n");
		echo @fgets($s);
		@fwrite($s,"250 STARTTLS\r\n");
		echo @fgets($s);
		@fwrite($s,"220 ESMTP\r\n");
		var_dump(stream_socket_enable_crypto($s,true,STREAM_CRYPTO_METHOD_TLS_SERVER));
		echo @fgets($s);
	}
}
?>


This is my test code. The negotation is endless among server script and Mozilla-Thunderbird.
When I start the script below, my browser tell me: there are no conforming algorithms available.

$c=stream_socket_server('ssl://127.0.0.1:1100',$er,$es,STREAM_SERVER_BIND|STREAM_SERVER_LISTEN,$tls);

The Discription ("stream_socket_enable_crypto ( resource stream, bool enable [, int crypto_type [, resource session_stream]] )") is obscure. What is "resource session_stream"? This word is singly used there and no records describe it.
 [2006-05-05 12:55 UTC] Jacek at veo dot pl
Description:
------------
I (re)compiled OpenSSL 0.9.8b and PHP 5.1.3


Actual result:
--------------
My first code:
12Segmentation fault

From tony2001@php.net:
Warning: stream_socket_enable_crypto(): SSL operation failed with code 111. OpenSSL Error messages:
error:00000000:lib(0):func(0):reason(0) in /test.php on line 4

GDB:
----
gdb --args php /test.php

(gdb) run
Starting program: /usr/bin/php /test.php
[Thread debugging using libthread_db enabled]
[New Thread 1082760448 (LWP 2419)]
12
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1082760448 (LWP 2419)]
0x40390beb in sk_num () from /usr/local/ssl/lib/libcrypto.so.0.9.8
(gdb) quit
The program is running.  Exit anyway? (y or n) y
 [2006-05-05 18:43 UTC] eddi at ai000 dot de
OS:      GNU/Linux 2.6.16.14 (gentoo)
OpenSSL: 0.9.7i
PHP:     5.1.4 CLI

Today I got this warning:

Warning: stream_socket_enable_crypto(): SSL_R_NO_SHARED_CIPHER: no suitable shared cipher could be used.  This could be because the server is missing an SSL certificate (local_cert context option) ...

(file xp_ssl.c line 131)

To do that (set option) there are no way.
 [2006-05-26 02:19 UTC] e at osterman dot com
I too had problems with this. It works for me on PHP 5.1.2-
1+b1 (cli) (built: Mar 20 2006 04:17:24).

You must specify the certificate in PEM format, and use "ssl" as the key for the resource context.

How to create PEM file? go here: http://sial.org/howto/openssl/self-signed/
 [2006-05-26 09:51 UTC] Jacek at veo dot pl
Code:
-----

<?php
$context = stream_context_create(array(
	'ssl' => array(
		'verify_peer' => FALSE,
		'allow_self_signed' => TRUE,
		'local_cert' => '/host.pem'
	)
));

echo 1;
$ssl = stream_socket_server('ssl://0.0.0.0:4445', $errnum, $errstr, STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $context);
echo 2;
stream_socket_enable_crypto($ssl, TRUE, STREAM_CRYPTO_METHOD_TLS_SERVER);
echo 3;
fclose($ssl);
?>

Result:
-------
I created combined file, as on the website, but I receive (PHP 5.1.4):

Warning: stream_socket_enable_crypto(): Unable to set private key file `/host.pem' in /repr.php on line 15

Warning: stream_socket_enable_crypto(): failed to create an SSL handle in /repr.php on line 15
 [2006-05-26 12:28 UTC] eddi at ai000 dot de
May be the stream_socket_server() works fine yet, but, Erik, it is NOT the point exactly.

SMTP services listen on an _unencrypted_ stream. An implemetation of the extension for secure SMTP over transport layer security (http://www.ietf.org/rfc/rfc3207.txt) needs the ability (provided by stream_socket_enable_crypto()) to encrypting stream belated. It does not work and this is the point.
 [2006-05-26 18:31 UTC] e at osterman dot com
Eddi, you indeed appear to be correct. I was writing an SSL TCP Server, which gave off the same error message so I assumed they were related. My fix there did NOT work for the TLS implementation. As you mentioned, TLS is a different way of implementing SSL, which as it stands currently in PHP5, I aggree it appears to be broken. There is one issue with your above example. The wrapper should be "ssl" even for "tls" communications (but that doesn't make it work).

Wez talks more about it in http://bugs.php.net/33192.

Wez Furlong:
{{{
The context options for openssl, including tls, are all bundled under the name "ssl". I think your code should probably look more like this:

$c = stream_context_create(array(
   "ssl" => array(
       "local_cert" => "sec.pem",
       ... other options ...
   )
);
}}}
 [2006-05-27 04:30 UTC] eddi at ai000 dot de
Sorry. You misconceive or misread it. Please understand difference between server sockets and client sockets.

There are no way to set context options and to give this context stream_socket_enable_crypto().
 [2006-05-31 21:00 UTC] e at osterman dot com
The below example calls stream_socket_enable_crypto on client stream socket and on a server stream socket. It works on my version of PHP 5.1.2 just fine. So, if it doesn't work for you then, we can determine what version of PHP5 is broken.

This is the output.

e@eon:~/dev/examples/tls$ ./tls-server.php
1: STARTTLS
Error (if any):
2: EHLO world

As you see... no errors. It got the "EHLO world" command sent over an TLS channel from the client just fine.

e@eon:~/dev/examples/tls$ ./tls-client.php
1: 220 ESMTP
2: 250 STARTTLS
bool(true)


This is the code that produced the output. 

Below is the code I use to make a sample TLS SMTP server. It works perfectly on my platform and version of PHP. The output from the tests are above.


#!/usr/bin/php5
<?php
// Hello World! SMTP TLS Server
// Tested on PHP 5.1.2-1+b1 (cli) (built: Mar 20 2006 04:17:24)

$context = stream_context_create();

// local_cert must be in PEM format
stream_context_set_option($context, 'ssl', 'local_cert', './server.pem');
// Pass Phrase (password) of private key
stream_context_set_option($context, 'ssl', 'passphrase', 'comet');

stream_context_set_option($context, 'ssl', 'allow_self_signed', true);
stream_context_set_option($context, 'ssl', 'verify_peer', false);

// Create the server socket
$server = stream_socket_server('tcp://0.0.0.0:9001', $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context);

while(1){
        if($client=stream_socket_accept($server)){
                @fwrite($client,"220 ESMTP\r\n");
                @fwrite($client,"250 STARTTLS\r\n");

                // Client should now send STARTTLS
                echo "1: " . @fgets($client);
                // We start the SSL Channel
                stream_socket_enable_crypto($client,true,STREAM_CRYPTO_METHOD_TLS_SERVER);
                echo "Error (if any): ".openssl_error_string()."\n";
                @fwrite($client,"220 ESMTP\r\n");
                echo "2: " . @fgets($client);
        }
}
?>


#!/usr/bin/php5
<?

$fp = fsockopen("tcp://localhost", 9001, $errno, $errstr,30);
if (!$fp) die ("Unable to connect: $errstr ($errno)");

echo "1: " . fgets($fp);
echo "2: " . fgets($fp);
fwrite($fp, "STARTTLS\r\n");

var_dump(stream_socket_enable_crypto($fp,true,STREAM_CRYPTO_METHOD_TLS_CLIENT) );
fwrite($fp, "EHLO world");
?>
 [2006-05-31 21:03 UTC] e at osterman dot com
And just to make sure we're using the same tools to test, this is the certificate that I used to make the test above work. The pass phrase is "comet".


-----BEGIN CERTIFICATE-----
MIIDgTCCAuqgAwIBAgIJAMgtIWVzb1oIMA0GCSqGSIb3DQEBBQUAMIGIMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2Vs
ZXMxFDASBgNVBAoTC091ciBDb21wYW55MQ0wCwYDVQQLEwRUZXN0MQwwCgYDVQQD
EwNEZXYxGzAZBgkqhkiG9w0BCQEWDGFzZEBob3N0LmNvbTAeFw0wNjA1MjYwMTM4
NTRaFw0wNzA1MjYwMTM4NTRaMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
aWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2VsZXMxFDASBgNVBAoTC091ciBDb21w
YW55MQ0wCwYDVQQLEwRUZXN0MQwwCgYDVQQDEwNEZXYxGzAZBgkqhkiG9w0BCQEW
DGFzZEBob3N0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3mStTm74
kOQCelquoGI/WyUIOvngDdNcJGmi2xnzDpRjKfQTH/3VVDQJUwvjKcLxnBQHFg7M
nvEZrfC3LEmFajAzRKjXK5gUCQEQKqhbVsfZO+7ANq4axNldd4UgMhPeZIKr8DDt
P3pjFqFSYh/dtOq2pfDXSbstmCZ1Q3GAYDcCAwEAAaOB8DCB7TAdBgNVHQ4EFgQU
WQSzc00pkM9aCzsxKJpTYm3kwEUwgb0GA1UdIwSBtTCBsoAUWQSzc00pkM9aCzsx
KJpTYm3kwEWhgY6kgYswgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y
bmlhMRQwEgYDVQQHEwtMb3MgQW5nZWxlczEUMBIGA1UEChMLT3VyIENvbXBhbnkx
DTALBgNVBAsTBFRlc3QxDDAKBgNVBAMTA0RldjEbMBkGCSqGSIb3DQEJARYMYXNk
QGhvc3QuY29tggkAyC0hZXNvWggwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUF
AAOBgQA7G/XKQ9kLTZOcVAG/IOxdn9tW38sEwHifNQ7zMSS5di1MmnD5JJWdK/s4
dzN06T1Ey5FCu2kafFzk48khZpoPsXMRF8DNBXLVSCGj4maPtEviJVjwtj3XwZjA
82a8A/Yil0+fo25zPX4I4oBcbl3bPqzVPXxsQ7myp9f7MDZcbQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E4476A175B6608B6

r0sox8H5ijuOanXwYFtIDgPti3AAuIUdy5EJG9GZbrtQHEW6HL+YxdI58Ng70t4w
EfBvcuLb7XAGsJwF65yad0vSXsYv6F+0brEefEvZX3ljxUZ3yGfHVJyEdBWJty7X
A8QpqOVVQseAST1IKeWOIT16/a9ZOgwnIhQe36y43pxBwL5tumXTM+AuWPOBW8c0
s49I8GyptttGJpcFohLsmP9Jza/fMIzYFNeuOBQ93fieCcVXBd2fWNyZVEsOU5Mi
kt5FQ9Lc9F8Wc+Mh0xiodDz6H+2yNIMC2SNu/mDSAGwDCctBZ34enFDad/eBiYW+
iTjMaqWGFs+cantSgVQ6pdZWYQd5Rsb3/Qbcfia/C1vtzWipBG7wlQCsNWwceXx/
f8hqWl5kyCxvBdH9eyRNMVJkCbFABl9tnaMGRi/UnVL68wgUvosAsdCjUrdL3x7O
i6yMBrxYjACbYslPFaG5OtgXcbacBKjsVMkcRYRyGqClgVZHICYZXhZoZTjOsgT4
L9WivT1RnozmFUMPaXbnxX4h/B3v6aSYAc4mPM6oMFTiXGJ7cLoafNw7Fxug7oeF
0+04DykzFCsLw1PmnkXP/WliQ+xidKJeKl2bR0k5MjAs0ksjelk7hAbCDjE0ct0w
LAHuvf6haClaFBa0ugL90S6BBdIQad9GRmAqZlVc5tANZleXFEY2wKUSMddIKzsm
nouipBWt3flDyYaFRtF20IYYk59z3zlqk73U/cFRkpT9SvHbxdsjTX1OvsmuhMzV
5K4+1QaBK4vePOFeEHDAkwGGqI1Wj+2lC6pxdLe3tjIzNWN1eaq59Q==
-----END RSA PRIVATE KEY-----
 [2006-06-01 07:35 UTC] Jacek at veo dot pl
PHP 5.1.4 + OpenSSL 0.9.8b:

========
 SERVER 
========
serwer:/tls # php tls-server.php
1: STARTTLS

Warning: stream_socket_enable_crypto(): Unable to set private key file `./server.pem' in /tls/tls-server.php on line 30

Warning: stream_socket_enable_crypto(): failed to create an SSL handle in /tls/tls-server.php on line 30
Error (if any):
2: YUFE@40Tz&#65533;F&#65533;~F1&#65533;V&#65533;hxK.985/32~}|yxwtsr

Warning: stream_socket_accept(): accept failed: Connection timed out in /tls/tls-server.php on line 2

========
 CLIENT 
========
serwer:/tls # php tls-client.php
1: 220 ESMTP
2: 250 STARTTLS

Warning: stream_socket_enable_crypto(): SSL operation failed with code 114. OpenSSL Error messages:
error:00000000:lib(0):func(0):reason(0) in /tls/tls-client.php on line 10
bool(false)
 [2006-07-24 18:58 UTC] gladyston at eacnet dot com dot br
--> Apache 2.2
--> PHP Version 5.1.4 
--> Linux 2.6.8-2-386 Aug 16 12:46:35 UTC 2005 i686 GNU/Linux


<?php
$url="https://shopline.itau.com.br/shopline/consulta.asp?DC=N183Z175F213E11E234B109E158C173O228K60Y165W217L103M205X7D136G92Q103R208F14E7W147L40Q103G244F243W216Z177K39S36F154S121D205D155A136V";
$handle = fopen($url, "r");
?>


Warning: fopen() [function.fopen]: SSL operation failed with code 114. OpenSSL Error messages: error:00000000:lib(0):func(0):reason(0) in /home/gladyston/webservice/t2.php on line 3

Warning: fopen() [function.fopen]: Failed to enable crypto in /home/gladyston/webservice/t2.php on line 3

Warning: fopen(https://shopline.itau.com.br/shopline/consulta.asp?DC=N183Z175F213E11E234B109E158C173O228K60Y165W217L103M205X7D136G92Q103R208F14E7W147L40Q103G244F243W216Z177K39S36F154S121D205D155A136V) [function.fopen]: failed to open stream: Bad file descriptor in /home/gladyston/webservice/t2.php on line 3

Ass,
Gladyston Batista
Belo Horizonte - Brazil
 [2006-07-26 08:49 UTC] magicaltux at gmail dot com
I'm working on a PHP-based SMTP server, and I also have problems with STARTTLS.

The full sourcecode can be fetched from:
http://ookoo.org/svn/pinetd/

The STARTTLS function does *not* work.

Warning: stream_socket_enable_crypto(): SSL operation failed with code 111. OpenSSL Error messages:
error:00000000:lib(0):func(0):reason(0) in /usr/local/pinetd/daemon/25.php on line 373
 [2006-07-28 22:53 UTC] shopping at jth dot net
Server Version: Apache/2.2.0 (Fedora) mod_ssl/2.2.0 OpenSSL/0.9.8a mod_cntr/2.5.6 PHP/5.1.4 mod_perl/2.0.2 Perl/v5.8.8

$url = "https://.....";    URL working fine in browser
$fd = fopen($url, "r");

result

fopen() [<a href='function.fopen'>function.fopen</a>]: SSL operation failed with code 114. OpenSSL Error messages:
error:00000000:lib(0):func(0):reason(0) in .....

fopen() [<a href='function.fopen'>function.fopen</a>]: Failed to enable crypto in .....
 [2006-07-29 13:49 UTC] shopping at jth dot net
See http://bugs.mysql.com/bug.php?id=21337 and related bugs
 [2007-05-19 18:47 UTC] Jacek at veo dot pl
Closing - anything works now (self-compiled PHP 5.2.2, OpenSSL 0.9.8c included to Ubuntu 7.04).
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Tue May 24 12:05:45 2022 UTC