php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #54992 Stream not closed and error not returned when SSL CN_match fails
Submitted: 2011-06-04 14:10 UTC Modified: 2011-06-08 02:25 UTC
From: laird_ngrps at dodo dot com dot au Assigned: cataphract (profile)
Status: Closed Package: Streams related
PHP Version: 5.3.6 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2011-06-04 14:10 UTC] laird_ngrps at dodo dot com dot au 
Description:
------------
When the CN_match stream context option is specified for an SSL stream opened 
with stream_socket_client(), if the CN supplied does not match, then the stream 
connection does not fail and does not return an error as it should.

After the supplied patch was applied, the stream socket returned an error as 
expected; the output then was (I haven't delved deep enough into the code to 
work out how to set a meaningful error message and error number with the patch; 
all values in square brackets are my edits for privacy; line 17 is that of the 
call to stream_socket_client()):

Warning: stream_socket_client(): Peer certificate CN=`TempCert' did not match 
expected CN=`TempCert.bad' in [filepath] on line 17

Warning: stream_socket_client(): Failed to enable crypto in [filepath] on line 
17

Warning: stream_socket_client(): unable to connect to ssl://[ipaddress]:[port] 
(Unknown error) in [filepath] on line 17
SSL socket connection error: "" (0)

--------

I've checked and this bug seems to also apply to the current versions of the PHP 
source in the subversion repositories.

Test script:
---------------
	/* First set $server, $port and $cafile */

	$context = stream_context_create(array('ssl' => array(
		'verify_peer'       => true,
		'cafile'            => $cafile,
		'CN_match'          => 'TempCert.bad',
	)));

	$sock = stream_socket_client("ssl://$server:$port", $errno, $errstr, 5, STREAM_CLIENT_CONNECT, $context);
	if ($sock === false) die("SSL socket connection error: \"$errstr\" ($errno)\n");
	$msg = "A test message";
	if (fputs($sock, "$msg<EOF>\n") === false) echo "fputs returned false\n";
	else {
		echo "SENT:: $msg\n";
		$line = fgets($sock);
		echo "RCVD:: $line\n";
	}
	fclose($sock);


Expected result:
----------------
SSL socket connection error: "[some error message indicating that the CN failed 
to match]" ([some error number])

Actual result:
--------------
Warning: stream_socket_client(): Peer certificate CN=`TempCert' did not match 
expected CN=`TempCert.bad' in [filepath] on line 17
SENT:: A test message
RCVD:: [a bunch of random characters, different each time]

Patches

xp_ssl_patch (last revision 2011-06-04 12:11 UTC by laird_ngrps at dodo dot com dot au)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-06-04 14:20 UTC] laird_ngrps at dodo dot com dot au 
I should probably add that when I provide the correct CN, this is the output that 
I get both pre-patching and post-patching:

SENT:: A test message
RCVD:: Hello from the server.<EOF>
 [2011-06-05 03:18 UTC] cataphract@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: cataphract
 [2011-06-08 02:23 UTC] cataphract@php.net 
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=311906
Log: - Fixed bug #54992: Stream not closed and error not returned when SSL CN_match
  fails.
 [2011-06-08 02:25 UTC] cataphract@php.net
-Status: Assigned +Status: Closed
 [2011-06-08 02:25 UTC] cataphract@php.net 
Fixed. Thank you.
 [2012-04-18 09:50 UTC] laruence@php.net 
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b72c6e7dffca1c3d4ec33e33ac24512cf1dc2d2
Log: - Fixed bug #54992: Stream not closed and error not returned when SSL CN_match   fails.
 [2012-07-24 23:41 UTC] rasmus@php.net 
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b72c6e7dffca1c3d4ec33e33ac24512cf1dc2d2
Log: - Fixed bug #54992: Stream not closed and error not returned when SSL CN_match   fails.
 [2013-11-17 09:37 UTC] laruence@php.net 
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b72c6e7dffca1c3d4ec33e33ac24512cf1dc2d2
Log: - Fixed bug #54992: Stream not closed and error not returned when SSL CN_match   fails.
 [2014-07-13 21:01 UTC] eexe42 at gmail dot com 
if ( ! $sock ) die ("Connection error");
 [2014-07-13 21:02 UTC] eexe42 at gmail dot com 
if ( ! $sock ) die ("Connection error");
 [2016-12-08 19:13 UTC] spam2 at rhsoft dot net 
Related To: Bug #73609
 [2017-02-01 13:17 UTC] spam2 at rhsoft dot net 
Related To: Bug #73609
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 12:01:29 2024 UTC