PHP :: Bug #73388 :: STREAM_CRYPTO_METHOD_TLS_CLIENT restricted to TLS1.0 only

Bug #73388

STREAM_CRYPTO_METHOD_TLS_CLIENT restricted to TLS1.0 only

Submitted:

2016-10-26 07:48 UTC

Modified:

2017-07-30 17:54 UTC

Votes:	2
Avg. Score:	5.0 ± 0.0
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	2 (100.0%)

From:

arjen at parse dot nl

Assigned:

bukka (profile)

Status:

Closed

Package:

OpenSSL related

PHP Version:

7.0.12

OS:

Linux

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2016-10-26 07:48 UTC] arjen at parse dot nl

Description:
------------
In 5.6 some openssl improvements were made: http://php.net/manual/en/migration56.openssl.php

The changelog mentions STREAM_CRYPTO_METHOD_TLS_CLIENT as constant for any TLS version.

Because of BC, this was reverted in https://bugs.php.net/bug.php?id=69195

STREAM_CRYPTO_METHOD_TLS_CLIENT is now TLSv1.0 only, while STREAM_CRYPTO_METHOD_SSLv23_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT

(see http://php.net/manual/en/function.stream-socket-enable-crypto.php#119122)

We started using the STREAM_CRYPTO_METHOD_TLS_CLIENT constant with 5.6.0 and now found out we couldn't connect to a service only supporting TLS v1.1 and v1.2 So by following the changelog and using a TLS_CLIENT specific constant, we ended up in a situation with WORSE TLS version support...

A quick search on github on STREAM_CRYPTO_METHOD_TLS_CLIENT language:PHP returns 207,607 occurrences, while STREAM_CRYPTO_METHOD_SSLv23_CLIENT returns 28,956 results.

Solution: STREAM_CRYPTO_METHOD_TLS_CLIENT should also enable STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-10-26 07:56 UTC] arjen at parse dot nl

And the STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT constant created in https://github.com/php/php-src/commit/10bc5fd4c4c8e1dd57bd911b086e9872a56300a0 should be exposed as constant in userland in https://github.com/php/php-src/blob/6053987bc27e8dede37f437193a5cad448f99bce/ext/standard/file.c#L223

[2016-10-26 09:11 UTC] kalle@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: rdlowrey

[2016-10-26 09:11 UTC] kalle@php.net

It seems reasonable to expose this constant, assigning it to you Daniel as you did the bug fix commit back then :)

[2016-10-26 09:42 UTC] arjen at parse dot nl

STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT should be exposed and should match all future TLS version (like 1.3).

AND the existing STREAM_CRYPTO_METHOD_TLS_CLIENT should be updated to include STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT (and possibly no future TLS versions). Just like STREAM_CRYPTO_METHOD_SSLv23_CLIENT got it added in 5.6.7.

Why add it to the STREAM_CRYPTO_METHOD_SSLv23_CLIENT constant and not STREAM_CRYPTO_METHOD_TLS_CLIENT? It makes no sense. People upgrading their code from SSLv23_CLIENT (sounds pretty old) to TLS_CLIENT get worse protocol support.


STREAM_CRYPTO_METHOD_TLS_CLIENT

PHP 		TLS 1.0		TLS 1.1 	TLS 1.2		SSL23
5.5.x:		+		no supported 	not supported	-
5.6.0-5.6.6	+		+		+		-
5.6.7-		+		-		-		-


STREAM_CRYPTO_METHOD_SSLv23_CLIENT

PHP 		TLS 1.0		TLS 1.1 	TLS 1.2		SSL23
5.5.x:		+		no supported 	not supported	+
5.6.0-5.6.6	-		-		-		+
5.6.7-		+		+		+		-

[2016-11-02 08:35 UTC] bwoebi@php.net

I fundamentally agree here.

We cannot change STREAM_CRYPTO_METHOD_SSLv23_CLIENT due to it meaning worse support, but I suppose we're safe changing STREAM_CRYPTO_METHOD_TLS_CLIENT (and the _SERVER counterpart) to any TLS version.

At that point adding STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT is useless.

What I would recommend however, is a constant for each TLS version supporting that version *and all higher versions*.

I.e.

STREAM_CRYPTO_METHOD_MINIMUM_TLSv1_0_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
STREAM_CRYPTO_METHOD_MINIMUM_TLSv1_1_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
STREAM_CRYPTO_METHOD_MINIMUM_TLSv1_2_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT

And when TLSv1.3 gets added, it automatically is added to these constants. Which is what you typically want, I think.

[2016-11-02 11:53 UTC] arjen at parse dot nl

I don't think introducing more constants makes it safer..

If STREAM_CRYPTO_METHOD_MINIMUM_TLSv1_0_CLIENT is created and TLSv1_0 is considered insecure, what would happen to the constant? Modified to NOT include v1_0? Dropped?

If we define STREAM_CRYPTO_METHOD_TLS_CLIENT as the 'recommended/safe set of TLS versions', new TLS versions (1.3) can be added and once TLS 1.0 is considered insecure it can be removed. Like what has been done to STREAM_CRYPTO_METHOD_SSLv23_CLIENT, but without the confusing name.

If a developer wants to explicitly choose which versions to support, he should create his own constant with a combination of STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT

Changes to the STREAM_CRYPTO_METHOD_TLS_CLIENT constant should be mentioned in the CHANGES file, so developers could choose to pick their own set of versions.

[2017-04-28 15:19 UTC] bukka@php.net

-Assigned To: rdlowrey +Assigned To: bukka

[2017-04-28 15:19 UTC] bukka@php.net

I'm re-assigning to myself as Daniel seems to be inactive and this has also relation to OpenSSL 1.1 upgrade where single protocol specification is deprecated. I would really like to move completely away from the crypto_method API (at least inernally we will have to). I think there also is an issue with protocol holes like skipping 1.1 if you specify just 1.0 and 1.2 for example which might cause some issues.

What I think we should do is to just specify min and max protocol version. It means using

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html

in OpenSSL 1.1 and backport the behaviour to 1.0.{1,2} (just using set of crypto methods). 

From the user point of view I would imagine introducing two new stream context options - min_proto and max_proto. We could still support crypto_method for a while (we should however warn about protocol holes) and going forward deprecate it as well as deprecate specific protocol streams - tlsv1.0 and so on and keep just tls and ssl.

[2017-07-30 17:54 UTC] bukka@php.net

-Status: Assigned +Status: Closed

[2017-07-30 17:54 UTC] bukka@php.net

This has been addressed by https://wiki.php.net/rfc/improved-tls-constants which is part of 7.2

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 07:01:27 2024 UTC