php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74688 SSL stream errors are not exposed by error_get_last()
Submitted: 2017-06-01 11:54 UTC Modified: 2021-01-14 12:52 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bilge at scriptfusion dot com Assigned:
Status: Verified Package: HTTP related
PHP Version: 5.6.30 OS: Linux 2.6.32-642.6.2.el6.x86_64
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-06-01 11:54 UTC] bilge at scriptfusion dot com
Description:
------------
Using file_get_contents() in an object oriented application can be perilous since it emits errors and warnings directly. We would prefer to silence the call, check the return value and if it's false retrieve the error message. e.g. if (false === @file_get_contents(...)) { $error = error_get_last(); }.

This strategy works well for HTTP calls but when one throws SSL into the mix the errors returned by error_get_last() are different from the ones emitted directly by file_get_contents(). More specifically, the errors become vague and unhelpful. The real details of the failure can only be seen by removing the silence operator (@) and thus this is the crux of the bug: it is not possible to see SSL errors in an object oriented environment.

N.B. Calling openssl_error_string() just returns false.

---
For example, the test script below outputs a general failure message such as:

"file_get_contents(https://[::1]:6666): failed to open stream: Connection refused"

However, since we are using a self-signed certificate, removing the silence operator yields a much more useful error message from OpenSSL:

file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The problem is PHP provides no way to capture this output from OpenSSL.

Test script:
---------------
if (false === $response = @file_get_contents(
    'https://[::1]:6666',
    false,
    stream_context_create([
        'http' => ['ignore_errors' => true],
    ])
)) {
    echo error_get_last()['message']; // file_get_contents(https://[::1]:6666): failed to open stream: Connection refused
    var_dump(openssl_error_string()); // bool(false)
    // We can't see the real error that occurred in the OpenSSL subsystem.
}




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-01-13 18:32 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-01-13 18:32 UTC] cmb@php.net
Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-01-13 21:03 UTC] bilge at scriptfusion dot com
-Status: Feedback +Status: Assigned
 [2021-01-13 21:03 UTC] bilge at scriptfusion dot com
Probably.
 [2021-01-14 12:47 UTC] cmb@php.net
-Status: Assigned +Status: Verified -Assigned To: cmb +Assigned To:
 [2021-01-14 12:47 UTC] cmb@php.net
Confirmed for PHP 7.4 and 8.0.

The culprit is that SSL transports report errors directly, instead
of logging them to the stream wrapper error queue.  I don't think
that can be changed in stable versions for BC reasons, though.

openssl_error_string() is irrelevant for these errors, since SSL
transport errors are not supposed to be reported by that function
anyway.
 [2021-01-14 12:52 UTC] bilge at scriptfusion dot com
What is the resolution, then? Does it get fixed targeting 9.0, or do we add openssl_transport_error_string()? Both seem like pretty poor solutions to me.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Sep 16 10:03:36 2021 UTC