|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69137 Peer verification fails when using a proxy with SoapClient
Submitted: 2015-02-27 11:12 UTC Modified: 2017-06-23 09:08 UTC
Avg. Score:4.6 ± 0.8
Reproduced:5 of 5 (100.0%)
Same Version:0 (0.0%)
Same OS:4 (80.0%)
From: nj506 at zepler dot net Assigned: nikic (profile)
Status: Closed Package: SOAP related
PHP Version: 5.6.6 OS: All
Private report: No CVE-ID: None
 [2015-02-27 11:12 UTC] nj506 at zepler dot net
This is the same issue as presented in #67609 - but manifested in the SOAP extension. The SOAP extension uses it's own HTTP handling code (i.e. not http_fopen_wrapper.c where the issue was patched for #67609).

(i) The crypto method defaults to SSL v2/3 - - this causes problems when the SOAP endpoint only accepts TLS.

This can be worked around by setting 'ssl_method' to SOAP_SSL_METHOD_TLS in the options supplied to \SoapClient::__construct().

(ii) The name in the peer certificate, by default, is compared to the "url_name" of the SSL socket - - when a proxy is in use, this is the proxy host, not SOAP endpoint host.

This can be worked around by setting "verify_peer_name" to FALSE, or specifying the correct "peer_name" value in the SSL portion of stream context that can be supplied within in the "stream_context" option for \SoapClient::__construct().

By the way, the error raised by SOAP where peer verification fails is very generic, to the point that it is basically impossible to work out what exactly the problem is. I couldn't see anything in the Exception context that indicated the exact problem.

Test script:
$options = [
  'proxy_host' => '..',
  'proxy_port' => ..

$client = new \SoapClient($wsdl, $options);

Expected result:
Call succeeds

Actual result:
\SoapFault: Could not connect to host


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-10 12:49 UTC] nj506 at zepler dot net
I just wanted to add the following, as it may help people track down this issue:

An E_WARNING is triggered in this case, though the error_reporting value is set to exclude E_WARNING level errors (amongst others) here -

It is possible to observe the error with a customer error handler registered, however -  this resolves to something like:

"SoapClient::__doRequest(): Peer certificate CN=`' did not match expected CN=`'"

If you see this, and have a proxy set, then you probably are being affected by this bug.
 [2016-09-21 08:36 UTC] tom at netz98 dot de
I can confirm this problem. You need a SSL connection via a proxy to reproduce it. The exact error can be made visible by using your own error-handler before sending the SOAP request, e.g.

        function ($errno , $errstr, $errfile = null, $errline = null) {
                "ERROR #%d: %s in %s line %s\n", $errno, $errstr, 
                $errfile, $errline

This produces an error like:

> ERROR #2: SoapClient::__doRequest(): Peer certificate CN=`' did not match expected CN=`'

The SOAP Fault itself is little saying as reported:

> Fatal error: Uncaught SoapFault exception: [HTTP] Could not connect to host
 [2016-10-03 18:21 UTC] ksmiley at salesforce dot com
Patch with test case for the peer-name verification problem (against the 7.0 branch):

As for the first issue about SSL version, STREAM_CRYPTO_METHOD_SSLv23_CLIENT actually means highest available SSL/TLS version, up to TLSv1.2. It's a quirk of OpenSSL; see the description of SSLv23_method: STREAM_CRYPTO_METHOD_TLS_CLIENT will actually restrict the connection to TLSv1.0 only.
 [2016-12-11 21:19 UTC] p dot schulz at ibrams dot com
Could you please backport the patch to 5.6?
 [2017-06-23 09:08 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2017-06-23 09:08 UTC]
I believe this has been resolved by the aforementioned PR.

This will not be backported to 5.6, as it's no longer actively supported.
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Fri Sep 21 05:01:25 2018 UTC