Bug #41770 SSL: fatal protocol error due to buffer issues
Submitted: 2007-06-21 19:21 UTC Modified: 2013-02-18 00:33 UTC
Votes:17
Avg. Score:4.3 ± 0.8
Reproduced:15 of 15 (100.0%)
Same Version:7 (46.7%)
Same OS:9 (60.0%)
From: cardoe@php.net Assigned: pajoye
Status: No Feedback Package: Streams related
PHP Version: 5.2.3 OS: Linux
Private report: No CVE-ID:

 [2007-06-21 19:21 UTC] cardoe@php.net
Description:
------------
Essentially this bug is a mash up of #39283, #35758, #41021, #39039 and possibly others.

Essentially the code I'm using looks like:

$fd = fsockopen("ssl://myhost", $myport, $errno, $errstr, $timeout);
$data = fread($fd, 8192);

But you can create the same error using:
 - SoapClient to fetch a WSDL file.
 - file_get_contents()
 - file()

The backend can be an Apache server or a custom app internally that serves SSL encrypted data. It doesn't matter.

If the transmitted data is smaller than the $length passed to fread, everything works successfully. I chose 8192 in my example because file(), file_get_contents() and SoapClient all use 8192 internally based on how they work.

Now if the actual data being transmitted is 10000 for example, you will receive the first block of data fine. Then the next time you call fread(), or in the case of SoapClient, file_get_contents(), file() they will do this internally. You will get:

"SSL: fatal protocol error" printed out and any subsequent action on the file descriptor will result in an OpenSSL error saying the socket has already been shutdown, as per line 116 (current CVS) of ext/openssl/xp_ssl.c

Now you can create this situation with 2048 of data as well. Just call fread($fd, 1024); or fread($fd, 2000); and it will trigger. Basically the $length has to be less than your total amount of data and it will occur.

In a lot of the previous bugs, PHP developers mention IIS while users mention Apache. I have not tested IIS. I have only tested Apache and a custom app which serves data over SSL. I have tested the output of Apache with wget and the custom app with openssl s_client and both work properly.
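
A chunked-read harness for the failure described in this report, added here as an example (it is not code from the report or from PHP itself). read_chunks() and its result keys are hypothetical names, and the 10000-byte in-memory stream is constructed input standing in for the ssl:// handle; because it compares the bytes received against the expected length, a truncated transfer is reported even when no warning is raised.

```php
<?php
// Added example, not code from the bug report.
// read_chunks() is a hypothetical helper: it reads a stream with repeated
// fread($fd, $chunk) calls and records every warning raised while doing so.
function read_chunks($fd, int $chunk, int $expected): array
{
    $warnings = [];
    set_error_handler(function (int $no, string $msg) use (&$warnings): bool {
        $warnings[] = $msg;      // e.g. "SSL: fatal protocol error"
        return true;             // handled here; keep it out of the output
    }, E_WARNING);

    $sizes = [];
    $total = 0;
    try {
        while (!feof($fd)) {
            $buf = fread($fd, $chunk);
            if ($buf === false || $buf === '') {
                break;           // read error, or nothing more to read
            }
            $sizes[] = strlen($buf);
            $total  += strlen($buf);
        }
    } finally {
        restore_error_handler();
    }

    return [
        'reads'     => $sizes,    // bytes returned by each fread() call
        'total'     => $total,
        'warnings'  => $warnings,
        // Fewer bytes than expected is a failure with or without a warning.
        'truncated' => $total < $expected,
    ];
}

// Constructed input: 10000 bytes, the size used in the report. For a real
// test, pass the handle returned by fsockopen("ssl://...") instead.
$fd = fopen('php://temp', 'w+b');
fwrite($fd, str_repeat('A', 10000));
rewind($fd);

$r = read_chunks($fd, 8192, 10000);
fclose($fd);
printf("reads=%s total=%d truncated=%s warnings=%d\n",
    implode(',', $r['reads']), $r['total'],
    $r['truncated'] ? 'yes' : 'no', count($r['warnings']));
```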


 [2007-06-21 19:22 UTC] cardoe@php.net
Bug #34668 as well.
 [2007-06-21 19:35 UTC] sniper@php.net
It's some streams issue, reclassified as such. Too bad we're out of streams developers right now. :)
 [2007-07-02 16:42 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-07-02 16:50 UTC] cardoe@php.net
iliaa: All you did is make the warning not appear with that commit. You didn't fix the underlying issue with the connection. It still closes the connection and now it will just mysteriously start failing rather than giving a warning about why it's failing.

I would revert your commit and not mark this as fixed.
 [2007-07-05 20:36 UTC] iliaa@php.net
I am unable to reproduce the bug with 4 different HTTPS hosts and the 
provided code. Do you have a particular URL/host that can be used to 
reproduce the described issue?
 [2007-07-13 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2007-07-25 13:31 UTC] johnw at sussex dot ac dot uk
I get this bug too, using fsockopen('ssl://...') followed by fgets()

I'm using PHP 5.2.1 on Solaris 9 using OpenSSL/0.9.7b.

If I call @fgets(...) my application seems to work but it would be 
better if the bug was fixed properly!

The ssl server I'm connecting to is an IIS one.
 [2007-12-17 02:14 UTC] paul at cynergydata dot com
I'm using PHP 5.1.4 on a Windows XP Laptop running Apache 2.0 and I get the error when using SoapClient.  Here is my code:

$url = "https://payments.cynergydata.com/SmartPayments/transact2.asmx?WSDL";

$client = new SoapClient($url);

-- a pretty simple example going against an IIS server.  I will try other methods as I need to find a workaround for a client ASAP.
 [2010-12-18 00:42 UTC] ryandewhurst at gmail dot com
I have come across many PHP bug reports on this dating back to 2003 and every single one tries to mask the problem rather than solve it. We will soon be in 2011, is there or have there been any fixes for this? The https server is PayPal. 

# php -v
PHP 5.1.6 (cli) (built: Mar 31 2010 02:44:37) 
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

CentOS 5.x
 [2010-12-18 09:23 UTC] pajoye@php.net
-Status: No Feedback +Status: Feedback -Assigned To: iliaa +Assigned To: pajoye
 [2010-12-18 09:23 UTC] pajoye@php.net
Please try using a recent PHP version (5.3+) and a decent openssl version (0.9.8k+). We also need a URL against which we can reproduce the error, as well as the script you use to do it.
 [2013-02-18 00:33 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 
Last updated: Sun Apr 20 03:02:42 2014 UTC