php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47991 SSL streams fail if error stack contains items
Submitted: 2009-04-16 16:43 UTC Modified: 2009-04-20 10:03 UTC
From: mkoppanen@php.net Assigned: pajoye
Status: Closed Package: Streams related
PHP Version: 5.2.9 OS: *
Private report: No CVE-ID:
 [2009-04-16 16:43 UTC] mkoppanen@php.net
Description:
------------
In ext/openssl/openssl.c : php_openssl_parse_config might push errors
into OpenSSL error stack in case the keys requested by the application are not found from the openssl.cnf file. This is fine normally but it seems that if error stack contains such an error all future calls to SSL_CTX_use_certificate_chain_file fail.

This is a nasty side-effect since SSL_CTX_use_certificate_chain_file is used when opening streams that authenticate with client cert.

I haven't tested if the SSL_CTX_use_certificate_chain_file fails with other errors than missing config keys. Probably does.

The simple fix which fixes the issue seems to be the following:

Index: openssl.c
===================================================================
RCS file: /repository/php-src/ext/openssl/openssl.c,v
retrieving revision 1.180
diff -u -r1.180 openssl.c
--- openssl.c	29 Mar 2009 23:32:17 -0000	1.180
+++ openssl.c	16 Apr 2009 16:42:35 -0000
@@ -4674,6 +4674,10 @@
 		char resolved_path_buff[MAXPATHLEN];
 
 		if (VCWD_REALPATH(certfile, resolved_path_buff)) {
+			/* SSL_CTX_use_certificate_chain_file seems to be failing if error
+				stack is not cleared before using cert chain file */
+			ERR_clear_error();
+
 			/* a certificate to use for authentication */
 			if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff) != 1) {
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set local cert chain file `%s'; Check that your cafile/capath settings include details of your certificate and its issuer", certfile);






Reproduce code:
---------------
<?php
$url = 'https://someurl.example.com/';
$crt = '/tmp/test.pem';

$context = stream_context_create();
stream_context_set_option($context, 'ssl', 'allow_self_signed', true);
stream_context_set_option($context, 'ssl', 'local_cert', $crt);

/* This call causes the failure */
openssl_pkey_new();

var_dump(file_get_contents($url, 0, $context));

/* The last error shows missing conf key warning */
echo openssl_error_string();
?>

Expected result:
----------------
No errors, everything works.

Actual result:
--------------
SSL_CTX_use_certificate_chain_file returns failure and the call fails.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-04-20 10:03 UTC] mkoppanen@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 10:02:10 2014 UTC