|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74688 SSL stream errors are not exposed by error_get_last()
Submitted: 2017-06-01 11:54 UTC Modified: -
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bilge at scriptfusion dot com Assigned:
Status: Open Package: HTTP related
PHP Version: 5.6.30 OS: Linux 2.6.32-642.6.2.el6.x86_64
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: bilge at scriptfusion dot com
New email:
PHP Version: OS:


 [2017-06-01 11:54 UTC] bilge at scriptfusion dot com
Using file_get_contents() in an object oriented application can be perilous since it emits errors and warnings directly. We would prefer to silence the call, check the return value and if it's false retrieve the error message. e.g. if (false === @file_get_contents(...)) { $error = error_get_last(); }.

This strategy works well for HTTP calls but when one throws SSL into the mix the errors returned by error_get_last() are different from the ones emitted directly by file_get_contents(). More specifically, the errors become vague and unhelpful. The real details of the failure can only be seen by removing the silence operator (@) and thus this is the crux of the bug: it is not possible to see SSL errors in an object oriented environment.

N.B. Calling openssl_error_string() just returns false.

For example, the test script below outputs a general failure message such as:

"file_get_contents(https://[::1]:6666): failed to open stream: Connection refused"

However, since we are using a self-signed certificate, removing the silence operator yields a much more useful error message from OpenSSL:

file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The problem is PHP provides no way to capture this output from OpenSSL.

Test script:
if (false === $response = @file_get_contents(
        'http' => ['ignore_errors' => true],
)) {
    echo error_get_last()['message']; // file_get_contents(https://[::1]:6666): failed to open stream: Connection refused
    var_dump(openssl_error_string()); // bool(false)
    // We can't see the real error that occurred in the OpenSSL subsystem.


Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sun Aug 09 12:01:23 2020 UTC