php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #63519 Incorrect handle of HTTPS request through proxy using SNI
Submitted: 2012-11-14 17:22 UTC Modified: 2021-06-13 04:22 UTC
Votes:24
Avg. Score:3.8 ± 1.1
Reproduced:16 of 19 (84.2%)
Same Version:4 (25.0%)
Same OS:2 (12.5%)
From: marco at csita dot unige dot it Assigned: cmb (profile)
Status: No Feedback Package: Streams related
PHP Version: 5.3.18 OS:
Private report: No CVE-ID: None
View Developer Edit
 [2012-11-14 17:22 UTC] marco at csita dot unige dot it 
Description:
------------
The http wrapper allow streams to access to remote file using the HTTPS (HTTP over SSL/TLS) protocol and supports passing request through HTTP proxy.

Unfortunately, SSL-related options and HTTP proxy option are handled by different contexts, unaware each of the other. Thus, from the point of view of SSL, the stream is connected to the proxy, while from the point of view of HTTP the stream is connected to the remote web server.

Using default setting, this produces a mismatch between the value in the SNI_server_name indicator, which reports the proxy host name, and the HTTP header Host:, which reports the web server host name. As result, web servers with support for SNI handle incorrectly the request or (e.g. Apache) raise a 400 error. 



Test script:
---------------
Suppose you need to access to the remote URL https://www.example.com/ using the proxy proxy.example.com

This is the code fragment:

$path = 'https://www.example.com/';

$opts = array(
  'http' => array(
    'method' => 'GET',
    'proxy' => 'tcp://proxy.example.com:8080',
  )
);

$context = stream_context_create($opts);
$fp = fopen($path, 'r', false, $context);
$meta = stream_get_meta_data($fp);
print_r($meta);
fclose($fp);



Expected result:
----------------
It would advisable that the stream module could detect and handle automatically this situation.

A workaround is to explicitly set the web server host name in the SNI field:

$path = 'https://www.example.com/';
$hostname = parse_url($path, PHP_URL_HOST);

$opts = array(
  'http' => array(
    'method' => 'GET',
    'proxy' => 'tcp://proxy.example.com:8080',
  ),
  'ssl' => array(
    'SNI_server_name' => $hostname,
    'SNI_enabled' => TRUE,
  )
);


Actual result:
--------------
If the web server is an Apache httpd 2.2.12 or later , it results:

Array
(
    [wrapper_data] => Array
        (
            [0] => HTTP/1.1 400 OK
...

with a line such as:

[Thu Nov ...] [error] Hostname proxy.example.com provided via SNI and hostname www.example.com provided via HTTP are different

in the error log of the web server.
The behaviour of other web server implementations can vary.

If you have not an access to a Apache web server configured to use SNI, you can emulate a web server using a recent OpenSSL with self-signed certificates and starting with command:

C:\>openssl s_server -key server.key -cert server.crt -accept 8443 -www -tlsextdebug

The value in the SNI field will be well recognizable in the dump.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-10-14 13:56 UTC] samuel dot vogel at viison dot com 
Setting 'SNI_enabled' in the stream context is also a workaround if it's not required by the server.
 [2021-06-02 16:25 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-06-02 16:25 UTC] cmb@php.net 
Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-06-13 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Nov 30 00:01:30 2024 UTC