php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #65329 PHP doesnot support TLSv1.1 and TLSv1.2
Submitted: 2013-07-25 03:39 UTC Modified: 2014-07-23 15:54 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: yqbjtu at 163 dot com Assigned: rdlowrey (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.5.1 OS: All
Private report: No CVE-ID: None
View Developer Edit
 [2013-07-25 03:39 UTC] yqbjtu at 163 dot com 
Description:
------------
When I used stream_socket_client method to connect a server,which enabled the TLSv1.2, my php have 100% CPU usage, but can't connect to the server.  I checked the stream_get_transports();,found that PHP only supports the tcp [1] => udp [2] => ssl [3] => sslv3 [4] => sslv2 [5] => tls.  

I checked the source code, found that it does not support TLSv1.1 and TLSv1.2.

I found it is very simple to support TLSv1.2, if possible, I can do it.
----------------------------the following is the supported protocols:
  C:\E\download\php-5.5.1-src\php-5.5.1-src\ext\openssl\openssl.c (5 hits)
	Line 1157: 	php_stream_xport_register("ssl", php_openssl_ssl_socket_factory TSRMLS_CC);
	Line 1158: 	php_stream_xport_register("sslv3", php_openssl_ssl_socket_factory TSRMLS_CC);
	Line 1160: 	php_stream_xport_register("sslv2", php_openssl_ssl_socket_factory TSRMLS_CC);
	Line 1162: 	php_stream_xport_register("tls", php_openssl_ssl_socket_factory TSRMLS_CC);
	Line 1165: 	php_stream_xport_register("tcp", php_openssl_ssl_socket_factory TSRMLS_CC);
	
	
	
	you can see 
	in php_stream *php_openssl_ssl_socket_factory method (src\ext\openssl\xp_ssl.c)
		if (strncmp(proto, "ssl", protolen) == 0) {
		sslsock->enable_on_connect = 1;
		sslsock->method = STREAM_CRYPTO_METHOD_SSLv23_CLIENT;
	} else if (strncmp(proto, "sslv2", protolen) == 0) {
#ifdef OPENSSL_NO_SSL2
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv2 support is not compiled into the OpenSSL library PHP is linked against");
		return NULL;
#else
		sslsock->enable_on_connect = 1;
		sslsock->method = STREAM_CRYPTO_METHOD_SSLv2_CLIENT;
#endif
	} else if (strncmp(proto, "sslv3", protolen) == 0) {
		sslsock->enable_on_connect = 1;
		sslsock->method = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
	} else if (strncmp(proto, "tls", protolen) == 0) {
		sslsock->enable_on_connect = 1;
		sslsock->method = STREAM_CRYPTO_METHOD_TLS_CLIENT;
	}
	
	STREAM_CRYPTO_METHOD_TLS_CLIENT definition is as following.
	
	case STREAM_CRYPTO_METHOD_TLS_CLIENT:
			sslsock->is_client = 1;
			method = TLSv1_client_method();
			break;
			

	========================================
	There are some methods in openssl openssl\ssl.h
	TLSv1_1_client_method(void);	/* TLSv1.1 */
	TLSv1_2_client_method(void);  /* TLSv1.2 */


Expected result:
----------------
PHP does support TLSv1.1 and TLSv1.2

Actual result:
--------------
PHP does not support TLSv1.1 and TLSv1.2

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-07-26 00:33 UTC] yohgaki@php.net
-Status: Open +Status: Analyzed
 [2013-07-26 00:33 UTC] yohgaki@php.net 
TLSv1.0 is not good...
PHP should support TLSv1.2 (and 1.1)
 [2013-11-23 04:56 UTC] manu at netbsd dot org 
This simple patch would do it: if OpenSSL supports TLSv1.2 it defines SSL_TXT_TLSV1_2. Just detect that and use TLSv1.2 instead of TLSv1.0 if possible:  

--- php-5.5.6/ext/openssl/xp_ssl.c.orig
+++ php-5.5.6/ext/openssl/xp_ssl.c
@@ -345,5 +345,9 @@
                case STREAM_CRYPTO_METHOD_TLS_CLIENT:
                        sslsock->is_client = 1;
+#ifdef SSL_TXT_TLSV1_2
+                       method = TLSv1_2_client_method();
+#else
                        method = TLSv1_client_method();
+#endif
                        break;
                case STREAM_CRYPTO_METHOD_SSLv23_SERVER:
@@ -366,5 +370,9 @@
                case STREAM_CRYPTO_METHOD_TLS_SERVER:
                        sslsock->is_client = 0;
+#ifdef SSL_TXT_TLSV1_2
+                       method = TLSv1_2_server_method();
+#else
                        method = TLSv1_server_method();
+#endif
                        break;
                default:
 [2013-11-23 05:40 UTC] manu at netbsd dot org 
Um, I posted the patch too fast. 

It seems PHP is able to use TLSv1.2 without any modification. Just use a hostname prefixed with ssl:// instead of tls://. The former uses SSLv23_client_method() which is able to negociate TLSv1.2 (provided OpenSSL is recent enough) whereas the later uses TLSv1_client_method(), which does not negociate beyond TLSv1.0

Using ssl:// I have been able to have an unpatched PHP 5.3 client negociating ECDHE-RSA-AES256-GCM-SHA384, which as I understand is a TLSv1.2 only cipher. ssldump utility shows a clientHello version 3.3, which is TLSv1.2

IMO this request can be closed by just a documentation update.
 [2014-02-19 23:58 UTC] rdlowrey@php.net 
It is true that PHP can use TLSv1.1 and TLSv1.2 but *only* if the opposite party utilizes the broadly compatible SSLv23 "hello" method. This is a standard practice for clients and servers who desire widespread compatibility.

As of PHP 5.6 it is possible to negotiate TLS protocols using either the specific TLSv1.1 and TLSv1.2 methods or the broadly compatible SSLv23 method. Fine-grained protocol specification is available by passing the "crypto_method" bitmask as part of the SSL stream context. Alternatively, the following new stream wrappers are added in 5.6 to utilize the protocol specific methods:

- tlsv1.0://
- tlsv1.1://
- tlsv1.2://

The more frequent TLS limitation comes from the underlying OpenSSL libs used to build PHP's openssl extension. OpenSSL1.0.1 is required for TLS1.1 and TLS1.2 support. If your PHP was not built against this newer lib you won't have access to TLSv1.1 and TLSv1.2 regardless. You can verify the version against which your extension is built:

    print_r(OPENSSL_VERSION_TEXT);

You can read more about the TLS improvements arriving in PHP 5.6 here:

- https://wiki.php.net/rfc/tls-peer-verification
- https://wiki.php.net/rfc/improved-tls-defaults
 [2014-02-19 23:58 UTC] rdlowrey@php.net
-Assigned To: +Assigned To: rdlowrey
 [2014-07-23 15:54 UTC] rdlowrey@php.net
-Status: Analyzed +Status: Closed
 [2014-07-23 15:54 UTC] rdlowrey@php.net 
More robust TLS support is available as of 5.6. If the SSLv23 hello method (which supports TLS1.1/1.2 but may not be available from many peers) used in previous versions is insufficient an upgrade will be necessary.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 18:01:29 2024 UTC