Doc Bug #72717 ftp_ssl_connect doesn't validate certificates
Submitted: 2016-07-31 09:04 UTC Modified: 2016-08-16 10:23 UTC
From: fernando at null-life dot com Assigned: cmb (profile)
Status: Closed Package: FTP related
PHP Version: 7.0.9 OS: *
Private report: No CVE-ID: None
 [2016-07-31 09:04 UTC] fernando at null-life dot com
Description:
------------
Description
============
ftp_ssl_connect will establish a connection even if the certificate is not valid for the supplied hostname. There's no way to force the verification of certificates while using ftp_ssl_connect, however certificates are verified when used with the ftps:// wrapper.

http://php.net/manual/en/function.ftp-ssl-connect.php

Test script:
---------------
<?php

error_reporting(E_ALL);
// ssl verification fails
echo file_get_contents("ftps://test:test@beford.net/www/index.php");

$ftp_server = "beford.net";
$ftp_user_name = "test";
$ftp_user_pass = "test";

// set up basic ssl connection
$conn_id = ftp_ssl_connect($ftp_server);

if ($conn_id  !== false) 
        print "ftp_ssl_connect should have failed too..." . PHP_EOL;
else
        die("ftp_ssl_connect failed");
var_dump($conn_id);
// close the ssl connection
ftp_close($conn_id);



Expected result:
----------------
PHP Warning:  file_get_contents(): Peer certificate CN=`asylum.dynamicwebsolutions.net' did not match expected CN=`beford.net' in /home/operac/ftpssl/x.php on line 5
PHP Warning:  file_get_contents(ftps://...@beford.net/www/index.php): failed to open stream: Unable to activate SSL mode in /home/operac/ftpssl/x.php on line 5
ftp_ssl_connect failed

Actual result:
--------------
PHP Warning:  file_get_contents(): Peer certificate CN=`asylum.dynamicwebsolutions.net' did not match expected CN=`beford.net' in /home/operac/ftpssl/x.php on line 5
PHP Warning:  file_get_contents(ftps://...@beford.net/www/index.php): failed to open stream: Unable to activate SSL mode in /home/operac/ftpssl/x.php on line 5
ftp_ssl_connect should have failed too...
resource(6) of type (FTP Buffer)

History

 [2016-08-02 08:15 UTC] stas@php.net
-Assigned To: +Assigned To: sesser
 [2016-08-02 08:15 UTC] stas@php.net
Doesn't look like this needs to be private.
 [2016-08-16 08:08 UTC] stas@php.net
-Status: Assigned +Status: Open -Assigned To: sesser +Assigned To:
 [2016-08-16 09:43 UTC] cmb@php.net
-Status: Open +Status: Verified -Type: Security +Type: Documentation Problem -Assigned To: +Assigned To: cmb
 [2016-08-16 09:43 UTC] cmb@php.net
This is expected behavior. ext/ftp implements the explicit
method[1] of FTPS, and so *connecting* does not require any
certificate validation. This will only happen when you try to
ftp_login(), in which case ext/ftp will send the AUTH command
(which is supposed to fail for the given test script).

I'm changing to doc bug, because that has to be documented, as a
user note[2] also hints at.

[1] <https://en.wikipedia.org/wiki/FTPS#Explicit>
[2] <http://php.net/manual/en/function.ftp-ssl-connect.php#106931>
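The report above observes that the ftps:// wrapper does reject the mismatched certificate. The following is an added example, not part of the bug report or of PHP's documentation, that makes that verification explicit through the `ssl` stream context options and turns the wrapper's warnings into an exception. `fetch_ftps_verified()` is a hypothetical helper name, and the URL and CA bundle path are supplied by the caller.

```php
<?php
// Added example (not from the bug report). fetch_ftps_verified() is a
// hypothetical helper; the caller supplies the ftps:// URL.

function fetch_ftps_verified(string $url, ?string $caFile = null): string
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'ftps' || empty($parts['host'])) {
        // Refuse ftp:// and malformed URLs so credentials never travel in clear text.
        throw new InvalidArgumentException('Expected an ftps:// URL with a host');
    }

    $ssl = [
        'verify_peer'       => true,  // chain must lead to a trusted CA
        'verify_peer_name'  => true,  // certificate must match the host in the URL
        'allow_self_signed' => false,
    ];
    if ($caFile !== null) {
        $ssl['cafile'] = $caFile;     // trust only this CA bundle (e.g. a private CA)
    }
    $context = stream_context_create(['ssl' => $ssl]);

    // The wrapper reports a certificate mismatch as a warning (see the
    // "Peer certificate CN=... did not match" lines above); fail hard instead.
    set_error_handler(function (int $errno, string $message): bool {
        throw new RuntimeException($message);
    });
    try {
        $data = file_get_contents($url, false, $context);
    } finally {
        restore_error_handler();
    }
    if ($data === false) {
        throw new RuntimeException('FTPS transfer failed');
    }
    return $data;
}

// Usage from the command line: php fetch.php ftps://user:pass@host/path [ca-bundle.pem]
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    try {
        echo fetch_ftps_verified($argv[1], $argv[2] ?? null);
    } catch (Throwable $e) {
        fwrite(STDERR, 'Refusing transfer: ' . $e->getMessage() . PHP_EOL);
        exit(1);
    }
}
```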
 [2016-08-16 10:22 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&revision=339891
Log: Fix #72717: ftp_ssl_connect doesn't validate certificates

That also integrates user note 106931.
 [2016-08-16 10:23 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2016-08-16 10:23 UTC] cmb@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.
 [2020-02-07 06:06 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=221f0c17eeb602fdb40df87058658a5404c5badf
Log: Fix #72717: ftp_ssl_connect doesn't validate certificates
 
Last updated: Mon Apr 29 13:01:30 2024 UTC