Bug #54992 Stream not closed and error not returned when SSL CN_match fails
Submitted: 2011-06-04 14:10 UTC Modified: 2011-06-08 02:25 UTC
From: laird_ngrps at dodo dot com dot au Assigned: cataphract
Status: Closed Package: Streams related
PHP Version: 5.3.6 OS: Linux
Private report: No CVE-ID:
 [2011-06-04 14:10 UTC] laird_ngrps at dodo dot com dot au
Description:
------------
When the CN_match stream context option is specified for an SSL stream opened with stream_socket_client(), if the CN supplied does not match, then the stream connection does not fail and does not return an error as it should.

After the supplied patch was applied, the stream socket returned an error as expected; the output then was (I haven't delved deep enough into the code to work out how to set a meaningful error message and error number with the patch; all values in square brackets are my edits for privacy; line 17 is that of the call to stream_socket_client()):

Warning: stream_socket_client(): Peer certificate CN=`TempCert' did not match expected CN=`TempCert.bad' in [filepath] on line 17

Warning: stream_socket_client(): Failed to enable crypto in [filepath] on line 17

Warning: stream_socket_client(): unable to connect to ssl://[ipaddress]:[port] (Unknown error) in [filepath] on line 17
SSL socket connection error: "" (0)

--------

I've checked and this bug seems to also apply to the current versions of the PHP source in the subversion repositories.

Test script:
---------------
<?php
/* First set $server, $port and $cafile */

$context = stream_context_create(array('ssl' => array(
	'verify_peer'       => true,           // validate the server chain against $cafile
	'cafile'            => $cafile,
	'CN_match'          => 'TempCert.bad', // deliberately does not match the server's CN
)));

$sock = stream_socket_client("ssl://$server:$port", $errno, $errstr, 5, STREAM_CLIENT_CONNECT, $context);
if ($sock === false) die("SSL socket connection error: \"$errstr\" ($errno)\n");
$msg = "A test message";
if (fputs($sock, "$msg<EOF>\n") === false) echo "fputs returned false\n";
else {
	echo "SENT:: $msg\n";
	$line = fgets($sock);
	echo "RCVD:: $line\n";
}
fclose($sock);


Expected result:
----------------
SSL socket connection error: "[some error message indicating that the CN failed to match]" ([some error number])

Actual result:
--------------
Warning: stream_socket_client(): Peer certificate CN=`TempCert' did not match expected CN=`TempCert.bad' in [filepath] on line 17
SENT:: A test message
RCVD:: [a bunch of random characters, different each time]

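The application-side check a caller would want while this bug is present, as an added example that is neither the reporter's script nor PHP's own code: it keeps the peer certificate with capture_peer_cert and compares its CN and DNS subjectAltNames against the expected host before any data is sent, closing the socket on mismatch. $server, $port, $cafile and $expectedHost are assumed to be set by the caller, and the name matching is a simplified form (exact match or a single-label wildcard).

```php
<?php
// Added example, not the reporter's script: re-check the peer certificate's
// name in application code after the handshake, because with the bug above the
// stream comes back usable even though CN_match failed. $server, $port,
// $cafile and $expectedHost are assumed to be set by the caller.

// True when $host equals $pattern, or $pattern is a left-most-label wildcard
// such as *.example.com that covers exactly one label of $host.
function cert_name_matches($pattern, $host) {
    if (strcasecmp($pattern, $host) === 0) return true;
    if (substr($pattern, 0, 2) !== '*.') return false;
    $dot = strpos($host, '.');
    return $dot !== false && strcasecmp(substr($host, $dot), substr($pattern, 1)) === 0;
}

// Compare $host against the CN and DNS subjectAltNames of the certificate that
// capture_peer_cert stored in the stream context.
function peer_cert_matches($sock, $host) {
    $params = stream_context_get_params($sock);
    if (empty($params['options']['ssl']['peer_certificate'])) return false; // nothing captured
    $info = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    if ($info === false) return false;
    $names = isset($info['subject']['CN']) ? (array) $info['subject']['CN'] : array();
    if (isset($info['extensions']['subjectAltName'])) {
        foreach (explode(',', $info['extensions']['subjectAltName']) as $entry) {
            $entry = trim($entry);
            if (stripos($entry, 'DNS:') === 0) $names[] = substr($entry, 4);
        }
    }
    foreach ($names as $name) {
        if (cert_name_matches($name, $host)) return true;
    }
    return false;
}

$context = stream_context_create(array('ssl' => array(
    'verify_peer'       => true,
    'cafile'            => $cafile,
    'CN_match'          => $expectedHost,
    'capture_peer_cert' => true,   // keep the peer certificate for inspection
)));
$sock = stream_socket_client("ssl://$server:$port", $errno, $errstr, 5, STREAM_CLIENT_CONNECT, $context);
if ($sock === false || !peer_cert_matches($sock, $expectedHost)) {
    if ($sock !== false) fclose($sock);   // do not leave a mismatched connection open
    die("SSL connection rejected: peer certificate does not match $expectedHost\n");
}
```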
Patches

xp_ssl_patch (last revision 2011-06-04 12:11 UTC) by laird_ngrps at dodo dot com dot au


Pull Requests


History

 [2011-06-04 14:20 UTC] laird_ngrps at dodo dot com dot au
I should probably add that when I provide the correct CN, this is the output that I get both pre-patching and post-patching:

SENT:: A test message
RCVD:: Hello from the server.<EOF>
 [2011-06-05 03:18 UTC] cataphract@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: cataphract
 [2011-06-08 02:23 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=311906
Log: - Fixed bug #54992: Stream not closed and error not returned when SSL CN_match fails.
 [2011-06-08 02:25 UTC] cataphract@php.net
-Status: Assigned +Status: Closed
 [2011-06-08 02:25 UTC] cataphract@php.net
Fixed. Thank you.
 [2012-04-18 09:50 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b72c6e7dffca1c3d4ec33e33ac24512cf1dc2d2
Log: - Fixed bug #54992: Stream not closed and error not returned when SSL CN_match fails.
 [2012-07-24 23:41 UTC] rasmus@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b72c6e7dffca1c3d4ec33e33ac24512cf1dc2d2
Log: - Fixed bug #54992: Stream not closed and error not returned when SSL CN_match fails.
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b72c6e7dffca1c3d4ec33e33ac24512cf1dc2d2
Log: - Fixed bug #54992: Stream not closed and error not returned when SSL CN_match fails.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 05:03:19 2014 UTC