Request #53447 Cannot disable SessionTicket extension for servers that do not support it
Submitted: 2010-12-02 07:39 UTC Modified: 2010-12-13 09:29 UTC
From: clint at ubuntu dot com Assigned: aharvey
Status: Closed Package: OpenSSL related
PHP Version: 5.3.3 OS: Linux (Ubuntu)
Private report: No CVE-ID:
 [2010-12-02 07:39 UTC] clint at ubuntu dot com
Description:
------------
This bug originated here:

https://bugs.launchpad.net/ubuntu/+source/php5/+bug/592442

As noted in the bug discussion, servers that do not properly support the 
SessionTicket extension added in openssl 0.9.8n and later will produce an error.

Users should have the ability to disable this extension, much like the openssl 
s_client utility does by passing -no_ticket.

With the test script below, PHP compiled against openssl < 0.9.8n (such as 
0.9.8g) will print the actual HTTP result on all three servers, but with >= 
0.9.8n, it will fail with SSL errors.

Test script:
---------------
<?php

$urls = array("https://cas.ucdavis.edu/login", "https://server.db.kvk.nl/", "https://gmail.com/");

foreach ($urls as $url) {
	$fp = fopen($url, 'r');
	print "$url - ";
	if ($fp === FALSE) {
		print "FAIL\n";
	} else {
		$data = stream_get_contents($fp);
		print "OK ". strlen($data)." bytes\n";
	}
	fclose($fp);
}


Expected result:
----------------
https://cas.ucdavis.edu/login - OK 4796 bytes

Warning: fopen(https://server.db.kvk.nl/): failed to open stream: HTTP request 
failed! HTTP/1.1 403 Forbidden
 in /home/clint/test.php on line 6
https://server.db.kvk.nl/ - FAIL

Warning: fclose(): supplied argument is not a valid stream resource in 
/home/clint/test.php on line 14
https://gmail.com/ - OK 19059 bytes


Actual result:
--------------
# php test.php                                                                          
PHP Warning:  fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:140773F2:SSL routines:func(119):reason(1010) in 
/home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 6
PHP Warning:  fopen(): Failed to enable crypto in 
/home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 6
PHP Warning:  fopen(https://cas.ucdavis.edu/login): failed to open stream: 
operation failed in /home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 
6
https://cas.ucdavis.edu/login - FAIL
PHP Warning:  fclose() expects parameter 1 to be resource, boolean given in 
/home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 14
PHP Warning:  fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1407741A:SSL routines:func(119):reason(1050) in 
/home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 6
PHP Warning:  fopen(): Failed to enable crypto in 
/home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 6
PHP Warning:  fopen(https://server.db.kvk.nl/): failed to open stream: operation 
failed in /home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 6
https://server.db.kvk.nl/ - FAIL
PHP Warning:  fclose() expects parameter 1 to be resource, boolean given in 
/home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 14
https://gmail.com/ - OK 19061 bytes


 [2010-12-03 10:14 UTC] aharvey@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: aharvey
 [2010-12-03 10:34 UTC] aharvey@php.net
Automatic comment from SVN on behalf of aharvey
Revision: http://svn.php.net/viewvc/?view=revision&revision=305936
Log: Implemented FR #53447 (Cannot disable SessionTicket extension for servers that
do not support it).

I haven't written a test due to the need for such a test to have a HTTPS server
available which mishandles SessionTicket requests; it's likely that server
administrators will gradually fix this either intentionally or through OpenSSL
upgrades. That said, if there's a great clamoring for a test, I'll work one up.
 [2010-12-03 10:34 UTC] aharvey@php.net
-Status: Assigned +Status: Suspended -Type: Bug +Type: Feature/Change Request
 [2010-12-03 10:34 UTC] aharvey@php.net
Implemented on trunk via a no_ticket SSL context option. This is a
reasonable candidate for 5.3, but I'm not going to push this through
while we're in the midst of a release cycle, so I'll suspend this for
now and come back to it once 5.3.4 is out.
 [2010-12-13 09:29 UTC] aharvey@php.net
Automatic comment from SVN on behalf of aharvey
Revision: http://svn.php.net/viewvc/?view=revision&revision=306335
Log: MFH: implement FR #53447 (Cannot disable SessionTicket extension for servers
that do not support it). Includes Tony's subsequent commit to fix a segfault.
 [2010-12-13 09:29 UTC] aharvey@php.net
-Status: Suspended +Status: Closed
 [2010-12-13 09:29 UTC] aharvey@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Merged to 5.3.
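
How the no_ticket SSL context option from this fix can be used, as an added example that is not part of the original report or of PHP's source: the option is applied only to hosts on a caller-supplied list, and certificate verification is left on. The host names and the helpers ssl_options_for() and fetch_https() are hypothetical.

```php
<?php
/**
 * Build SSL context options for a URL (hypothetical helper).
 * Session tickets are disabled only for hosts on the caller's list, so
 * every other connection keeps the library's default behaviour.
 */
function ssl_options_for($url, array $noTicketHosts)
{
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    $ssl = array(
        // Disabling tickets does not require relaxing certificate checks.
        'verify_peer' => true,
    );
    if ($host !== '' && in_array($host, $noTicketHosts, true)) {
        $ssl['no_ticket'] = true; // the context option named in this report
    }
    return array('ssl' => $ssl);
}

/**
 * Fetch a URL with the per-host context (hypothetical helper).
 * Returns the body as a string, or false if the stream could not be opened.
 */
function fetch_https($url, array $noTicketHosts)
{
    $ctx = stream_context_create(ssl_options_for($url, $noTicketHosts));
    $fp = @fopen($url, 'r', false, $ctx);
    if ($fp === false) {
        return false;             // caller decides how to report the failure
    }
    $data = stream_get_contents($fp);
    fclose($fp);                  // only reached with a real stream resource
    return $data;
}

// Offline demonstration with constructed URLs: show which hosts get no_ticket.
$legacy = array('legacy.example.test');
$urls = array('https://legacy.example.test/login', 'https://www.example.test/');
foreach ($urls as $url) {
    $opts = ssl_options_for($url, $legacy);
    $state = isset($opts['ssl']['no_ticket']) ? 'on' : 'off';
    echo $url, ' => no_ticket ', $state, "\n";
}
```

Keeping the host list explicit makes it easy to remove entries once the affected servers are fixed or upgraded.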
 
Last updated: Sun Apr 20 15:01:54 2014 UTC