php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #63519 Incorrect handle of HTTPS request through proxy using SNI
Submitted: 2012-11-14 17:22 UTC Modified: -
Votes:15
Avg. Score:4.1 ± 1.0
Reproduced:13 of 14 (92.9%)
Same Version:2 (15.4%)
Same OS:1 (7.7%)
From: marco at csita dot unige dot it Assigned:
Status: Open Package: Streams related
PHP Version: 5.3.18 OS:
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2012-11-14 17:22 UTC] marco at csita dot unige dot it
Description:
------------
The http wrapper allow streams to access to remote file using the HTTPS (HTTP over SSL/TLS) protocol and supports passing request through HTTP proxy.

Unfortunately, SSL-related options and HTTP proxy option are handled by different contexts, unaware each of the other. Thus, from the point of view of SSL, the stream is connected to the proxy, while from the point of view of HTTP the stream is connected to the remote web server.

Using default setting, this produces a mismatch between the value in the SNI_server_name indicator, which reports the proxy host name, and the HTTP header Host:, which reports the web server host name. As result, web servers with support for SNI handle incorrectly the request or (e.g. Apache) raise a 400 error. 



Test script:
---------------
Suppose you need to access to the remote URL https://www.example.com/ using the proxy proxy.example.com

This is the code fragment:

$path = 'https://www.example.com/';

$opts = array(
  'http' => array(
    'method' => 'GET',
    'proxy' => 'tcp://proxy.example.com:8080',
  )
);

$context = stream_context_create($opts);
$fp = fopen($path, 'r', false, $context);
$meta = stream_get_meta_data($fp);
print_r($meta);
fclose($fp);



Expected result:
----------------
It would advisable that the stream module could detect and handle automatically this situation.

A workaround is to explicitly set the web server host name in the SNI field:

$path = 'https://www.example.com/';
$hostname = parse_url($path, PHP_URL_HOST);

$opts = array(
  'http' => array(
    'method' => 'GET',
    'proxy' => 'tcp://proxy.example.com:8080',
  ),
  'ssl' => array(
    'SNI_server_name' => $hostname,
    'SNI_enabled' => TRUE,
  )
);


Actual result:
--------------
If the web server is an Apache httpd 2.2.12 or later , it results:

Array
(
    [wrapper_data] => Array
        (
            [0] => HTTP/1.1 400 OK
...

with a line such as:

[Thu Nov ...] [error] Hostname proxy.example.com provided via SNI and hostname www.example.com provided via HTTP are different

in the error log of the web server.
The behaviour of other web server implementations can vary.

If you have not an access to a Apache web server configured to use SNI, you can emulate a web server using a recent OpenSSL with self-signed certificates and starting with command:

C:\>openssl s_server -key server.key -cert server.crt -accept 8443 -www -tlsextdebug

The value in the SNI field will be well recognizable in the dump.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-10-14 13:56 UTC] samuel dot vogel at viison dot com
Setting 'SNI_enabled' in the stream context is also a workaround if it's not required by the server.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC