Bug #44377 segfault on POST to an HTTPS resource requiring client certificate
Submitted: 2008-03-08 17:30 UTC
Modified: 2009-08-27 01:00 UTC
Votes: 8
Avg. Score: 4.1 ± 0.9
Reproduced: 8 of 8 (100.0%)
Same Version: 3 (37.5%)
Same OS: 4 (50.0%)
From: noah at cs dot caltech dot edu
Assigned:
Status: No Feedback
Package: Streams related
PHP Version: 5.2.6RC1
OS: GNU/Linux
Private report: No
CVE-ID: None

 [2008-03-08 17:30 UTC] noah at cs dot caltech dot edu
Description:
------------
I set up a web resource served via Apache 2.2.3.  When accessed via SSL, clients of this resource must authenticate using a client-side SSL certificate.  I created a PHP client script to connect to this server, authenticate with an SSL certificate, and submit an HTTP POST request to the web resource.  The PHP client script receives a segmentation fault when it attempts to make this connection.

For the purpose of this bug report, I built PHP 5.2.6RC1 as follows:

./configure --prefix=$HOME/sw/nopath/php526 \
--with-config-file-path=$HOME/sw/nopath/php526/etc \
--enable-debug \
--with-jpeg-dir=/usr --with-png-dir=/usr \
--with-zlib-dir=/usr --with-freetype-dir=/usr \
--with-apxs2=/usr/bin/apxs2 --enable-fastcgi \
--with-layout=gnu \
--with-openssl --with-kerberos --with-zlib --with-bz2 --enable-calendar \
--with-curl=shared \
--enable-dba --with-gdbm --with-db4 --with-inifile --with-flatfile \
--enable-dio --with-dom --with-dom-xslt --with-dom-libexslt --enable-ftp \
--with-gd --enable-exif \
--with-gettext --with-gmp --with-iconv \
--with-java=/usr/lib/jvm/java-6-sun --with-ldap --enable-mbstring \
--with-mssql=/usr --with-mysql=/usr --with-ncurses \
--with-unixODBC=/usr --with-pgsql --with-readline --enable-shmop \
--with-snmp --enable-sockets \
--enable-sysvmsg --enable-sysvsem --enable-sysvshm \
--enable-wddx --with-xmlrpc \
--enable-xslt --with-xslt-sablot=$HOME/sw/sablotron --enable-yp \
--with-pdo-pgsql --enable-soap --with-xsl --enable-zip

(I know that some of those options are obsolete in PHP 5; I adapted my PHP 4 configuration line rather hastily.)

I used no php.ini at all.

I also reproduced this problem in PHP 5.2.1 as supplied with Ubuntu 7.04.  On a CentOS 4.5 system with PHP 5.0.4, the runtime caught a problem at a different level:

*** glibc detected *** malloc(): memory corruption: 0x08697798 ***
Aborted


Reproduce code:
---------------
### SERVER SIDE CODE: /secure/hello.php
<?php
// Echo back the raw POST body, if any, then a fixed marker line.
$name = file_get_contents('php://input');
if ($name)
     echo "Hello, $name!  ";
print "You made it!\n";

### CLIENT SIDE CODE
<?php
$opts = array('http' =>
              array('method' => 'POST',
                    'header' => 'Content-type: text/plain',
                    'content' => 'Noah'),
              'ssl' =>
              array('verify_peer' => true,
                    'allow_self_signed' => false,
                    'cafile' => 'cacert.pem',
                    'local_cert' => 'client.pem',   // client certificate and private key in one PEM
                    'passphrase' => 'secret'));

//array_shift($opts);   // uncommenting this drops the 'http' element, turning the request into a plain GET
$response = file_get_contents('https://10.10.200.250:2083/secure/hello.php', false,
                              stream_context_create($opts));

print $response;

Expected result:
----------------
When I run this client code from the command line (php -f client.php), I expect $response to contain "Hello, Noah!  You made it!".


Actual result:
--------------
Instead, PHP exits with a segmentation fault.

If I uncomment "array_shift($opts)", thereby switching the request to a GET, I see the expected response "You made it!".  That is to say, the mutual certificate authentication works by itself.  Likewise, if I change "https://10.10.200.250:2083" to "http://10.10.200.250:2080", thereby accessing the same resource without any SSL, I see the expected response "Hello, Noah!  You made it!".  If I copy hello.php to an area that does not require certificate authentication and then access it via SSL, I also see the expected response "Hello, Noah!  You made it!".  Thus, one needs all of POST, SSL, and mutual certificate authentication to reproduce this problem.

In the failed case, the Apache log has this:
[Sat Mar 08 12:03:11 2008] [info] [client 10.10.200.250] Connection to child 4 established (server 10.10.200.250:2083)
[Sat Mar 08 12:03:11 2008] [info] Seeding PRNG with 0 bytes of entropy
[Sat Mar 08 12:03:11 2008] [info] Initial (No.1) HTTPS request received for child 4 (server 10.10.200.250:2083)
[Sat Mar 08 12:03:11 2008] [info] Requesting connection re-negotiation
[Sat Mar 08 12:03:11 2008] [info] Awaiting re-negotiation handshake
[Sat Mar 08 12:03:11 2008] [error] Re-negotiation handshake failed: Not accepted by client!?

This is the backtrace for the PHP command-line instance running the client script:
(gdb) bt
#0  0x084b6749 in zend_mm_search_large_block (heap=0x88261f8, true_size=332)
    at /home/nmisch/src/build/php-5.2.6RC1/Zend/zend_alloc.c:1735
#1  0x084b68f2 in _zend_mm_alloc_int (heap=0x88261f8, size=287, 
    __zend_filename=0x87b7b5c "/home/nmisch/src/build/php-5.2.6RC1/main/spprintf.c", __zend_lineno=750, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/nmisch/src/build/php-5.2.6RC1/Zend/zend_alloc.c:1794
#2  0x084b7ce4 in _zend_mm_realloc_int (heap=0x88261f8, p=0x898d724, size=287, 
    __zend_filename=0x87b7b5c "/home/nmisch/src/build/php-5.2.6RC1/main/spprintf.c", __zend_lineno=750, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/nmisch/src/build/php-5.2.6RC1/Zend/zend_alloc.c:2213
#3  0x084b7fdf in _erealloc (ptr=0x898d724, size=287, allow_failure=0, 
    __zend_filename=0x87b7b5c "/home/nmisch/src/build/php-5.2.6RC1/main/spprintf.c", __zend_lineno=750, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/nmisch/src/build/php-5.2.6RC1/Zend/zend_alloc.c:2303
#4  0x0848475c in xbuf_format_converter (xbuf=0xbfe47eac, fmt=0x856095e "s", ap=0xbfe47fb8 "")
    at /home/nmisch/src/build/php-5.2.6RC1/main/spprintf.c:750
#5  0x084849fd in vspprintf (pbuf=0xbfe47f1c, max_len=0, 
    format=0x8560938 "SSL operation failed with code %d. %s%s", ap=0xbfe47fac "\001")
    at /home/nmisch/src/build/php-5.2.6RC1/main/spprintf.c:769
#6  0x0847d8e0 in php_verror (docref=0x0, params=0x87b6a11 "", type=2, 
    format=0x8560938 "SSL operation failed with code %d. %s%s", args=0xbfe47fac "\001")
    at /home/nmisch/src/build/php-5.2.6RC1/main/main.c:578
#7  0x0847e0cc in php_error_docref0 (docref=0x0, type=2, format=0x8560938 "SSL operation failed with code %d. %s%s")
    at /home/nmisch/src/build/php-5.2.6RC1/main/main.c:734
#8  0x080c169a in handle_ssl_error (stream=0x898d804, nr_bytes=-1, is_init=0 '\0')
    at /home/nmisch/src/build/php-5.2.6RC1/ext/openssl/xp_ssl.c:167
#9  0x080c18ea in php_openssl_sockop_read (stream=0x898d804, buf=0x898dbac "", count=8192)
    at /home/nmisch/src/build/php-5.2.6RC1/ext/openssl/xp_ssl.c:229
#10 0x084970e3 in php_stream_fill_read_buffer (stream=0x898d804, size=126)
    at /home/nmisch/src/build/php-5.2.6RC1/main/streams/streams.c:545
#11 0x0849784e in _php_stream_get_line (stream=0x898d804, buf=0xbfe49194 "", maxlen=127, returned_len=0xbfe48494)
    at /home/nmisch/src/build/php-5.2.6RC1/main/streams/streams.c:824
#12 0x0842e51c in php_stream_url_wrap_http_ex (wrapper=0x8815068, 
    path=0x898c3d0 "https://10.10.200.250:2083/secure/hello.php", mode=0x87a2d46 "rb", options=4, opened_path=0x0, 
    context=0x898c4a0, redirect_max=20, header_init=1, __php_stream_call_depth=0, 
    __zend_filename=0x87abae4 "/home/nmisch/src/build/php-5.2.6RC1/ext/standard/http_fopen_wrapper.c", 
    __zend_lineno=710, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/nmisch/src/build/php-5.2.6RC1/ext/standard/http_fopen_wrapper.c:494
#13 0x0842f6ed in php_stream_url_wrap_http (wrapper=0x8815068, 
    path=0x898c3d0 "https://10.10.200.250:2083/secure/hello.php", mode=0x87a2d46 "rb", options=4, opened_path=0x0, 
    context=0x898c4a0, __php_stream_call_depth=1, 
    __zend_filename=0x87bb80c "/home/nmisch/src/build/php-5.2.6RC1/main/streams/streams.c", __zend_lineno=1789, 
    __zend_orig_filename=0x87a2748 "/home/nmisch/src/build/php-5.2.6RC1/ext/standard/file.c", 
    __zend_orig_lineno=551) at /home/nmisch/src/build/php-5.2.6RC1/ext/standard/http_fopen_wrapper.c:710
#14 0x08499fc7 in _php_stream_open_wrapper_ex (path=0x898c3d0 "https://10.10.200.250:2083/secure/hello.php", 
    mode=0x87a2d46 "rb", options=12, opened_path=0x0, context=0x898c4a0, __php_stream_call_depth=0, 
    __zend_filename=0x87a2748 "/home/nmisch/src/build/php-5.2.6RC1/ext/standard/file.c", __zend_lineno=551, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/nmisch/src/build/php-5.2.6RC1/main/streams/streams.c:1787
#15 0x083d0d35 in zif_file_get_contents (ht=3, return_value=0x898d62c, return_value_ptr=0x0, this_ptr=0x0, 
    return_value_used=1) at /home/nmisch/src/build/php-5.2.6RC1/ext/standard/file.c:549
#16 0x084fabb5 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe49530)
    at /home/nmisch/src/build/php-5.2.6RC1/Zend/zend_vm_execute.h:200
#17 0x08500459 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfe49530)
    at /home/nmisch/src/build/php-5.2.6RC1/Zend/zend_vm_execute.h:1682
#18 0x084fa705 in execute (op_array=0x898b28c) at /home/nmisch/src/build/php-5.2.6RC1/Zend/zend_vm_execute.h:92
#19 0x084d56ed in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/nmisch/src/build/php-5.2.6RC1/Zend/zend.c:1134
#20 0x084807a9 in php_execute_script (primary_file=0xbfe4b8a4)
    at /home/nmisch/src/build/php-5.2.6RC1/main/main.c:2006
#21 0x0855c9cf in main (argc=3, argv=0xbfe4ba24) at /home/nmisch/src/build/php-5.2.6RC1/sapi/cli/php_cli.c:1140

Thanks!
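
As an added example (not part of the bug report or of PHP's own code), here is the same mutual-TLS POST written the way a practitioner would want it: the reporter's stream-context options plus the checks that are missing from the script above, namely peer-name verification (`CN_match`, renamed `peer_name` in PHP 5.6; with `verify_peer` alone any certificate signed by `cacert.pem` is accepted), an explicit `Content-Length`, a status-line check, and a post-connection look at the certificate that was actually presented. The host name `server.example`, the expected CN and the PEM file names are assumptions for illustration. It does not work around the crash itself, which happens inside the engine's error-formatting path after the server's renegotiation request fails.

```php
<?php
// Added example: hardened mutual-TLS POST over PHP's https:// stream wrapper.
// Not from the bug report. Host name, CN and file names are assumptions.

/**
 * POST $body to $url, authenticating with a client certificate.
 * Returns array(status_code, response_headers, body); throws on any failure.
 */
function mutual_tls_post($url, $body, $cafile, $client_pem, $passphrase, $expected_cn)
{
    $ctx = stream_context_create(array(
        'http' => array(
            'method'        => 'POST',
            'header'        => "Content-Type: text/plain\r\n"
                             . 'Content-Length: ' . strlen($body) . "\r\n",
            'content'       => $body,
            'ignore_errors' => true,   // hand back 4xx/5xx bodies instead of failing silently
            'timeout'       => 10,
            'max_redirects' => 1,      // 1 or less: never follow a redirect away from the mTLS origin
        ),
        'ssl' => array(
            'verify_peer'       => true,          // not the default before PHP 5.6
            'allow_self_signed' => false,
            'cafile'            => $cafile,
            'CN_match'          => $expected_cn,  // bind the chain check to a name ('peer_name' from 5.6)
            'local_cert'        => $client_pem,   // client certificate + private key, PEM
            'passphrase'        => $passphrase,
            'capture_peer_cert' => true,          // keep the server certificate for inspection below
        ),
    ));

    $response = @file_get_contents($url, false, $ctx);
    if ($response === false) {
        $err = error_get_last();
        throw new RuntimeException('request failed: ' . ($err ? $err['message'] : 'unknown error'));
    }

    // The http wrapper fills $http_response_header in the caller's scope; line 0 is the status line.
    if (empty($http_response_header)
        || !preg_match('#^HTTP/\d\.\d (\d{3})#', $http_response_header[0], $m)) {
        throw new RuntimeException('missing or malformed status line');
    }
    $status = (int) $m[1];

    // Confirm which certificate the handshake ended up with (exact CN match, no wildcards).
    $opts = stream_context_get_options($ctx);
    if (isset($opts['ssl']['peer_certificate'])) {
        $cert = openssl_x509_parse($opts['ssl']['peer_certificate']);
        if (!$cert || !isset($cert['subject']['CN']) || $cert['subject']['CN'] !== $expected_cn) {
            throw new RuntimeException('peer certificate CN mismatch');
        }
    }

    return array($status, $http_response_header, $response);
}

// Usage, mirroring the reporter's request (the reporter used an IP; a name is needed for CN_match).
list($status, $headers, $body) = mutual_tls_post(
    'https://server.example:2083/secure/hello.php',
    'Noah', 'cacert.pem', 'client.pem', 'secret', 'server.example');
if ($status !== 200) {
    fwrite(STDERR, "unexpected HTTP status $status\n");
    exit(1);
}
echo $body;
```

On the server side, the Apache log quoted in the report ("Requesting connection re-negotiation" followed by "Re-negotiation handshake failed") shows that the client certificate is being demanded by a second, mid-request handshake, which mod_ssl does when SSLVerifyClient is tightened per directory or location after the request line has been read. Requiring the certificate at the virtual-host level instead makes it part of the initial handshake, so no renegotiation (and no buffering of the POST body across it) is needed; that is the configuration a practitioner would test first when this failure mode appears.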

History
 [2008-07-25 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2009-03-14 15:59 UTC] alim at gmx dot net
I think I have the same problem with the ubuntu 7.04 and all updates installed (as of 14.03.2009). 
I noticed it when I tried to update a page in my dokuwiki. No problem with HTTP but when I use HTTPS with a client certificate I get an empty page with many edits. Perhaps it has to do with the amount of POST data. I emptied the page and added small chunks of text one at a time. The first saves work but after I added a few paragraphs the problem reappears.

I am no expert, but this is the output of dpkg -l|grep php, which at least shows the installed version:

ii  libapache2-mod-php5                   5.2.4-2ubuntu5.5                  server-side, HTML-embedded scripting languag
ii  php5                                  5.2.4-2ubuntu5.5                  server-side, HTML-embedded scripting languag
ii  php5-cli                              5.2.4-2ubuntu5.5                  command-line interpreter for the php5 script
ii  php5-common                           5.2.4-2ubuntu5.5                  Common files for packages built from the php
ii  php5-ldap                             5.2.4-2ubuntu5.5                  LDAP module for php5
 [2009-08-19 02:20 UTC] spiceman at gmail dot com
I was able to reproduce it with php 5.2.10 in CentOS 5.3
 [2009-08-19 03:40 UTC] scottmac@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

We need a backtrace and a simple way to reproduce.
 [2009-08-27 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC