php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74888 Timeout never or randomly reached for TLS sockets
Submitted: 2017-07-09 21:20 UTC Modified: 2017-07-11 08:36 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: mmn at hethane dot se Assigned:
Status: Not a bug Package: Streams related
PHP Version: 7.2.0alpha3 OS: Ubuntu 16.04
Private report: No CVE-ID:
 [2017-07-09 21:20 UTC] mmn at hethane dot se
Description:
------------
Hello I am using the PEAR HTTP_Request2 library in the software GNU social to make remote requests. I have noticed recently a "malicious" remote server in our federated network that simply replies _extremely_ slowly_ it seems.

This causes our background processes - which run in PHP - to stall whenever connecting to these remote servers. For this reason, PHP has the default_socket_timeout=60, which should cause connections to die relatively quickly (at least with double that specified timeout in seconds, according to bug #48280 at least).

However, this does not seem to happen. The server in this case manages to keep alive connections with socket timeout of 2 seconds for much longer than that. I don't know if it is related to the timeout value - but it does _seem_ to be proportionate to the configured timeout (2 second timeouts die faster than 10 second timeouts etc.).

With HTTP_Request2 this _only_ happens with the Socket adapter and not the Curl adapter (which flawlessly hits the timeout on the millisecond) which leads me to believe it's the underlying PHP sockets that have an issue here.


I'm thinking it could be related to bug #41631 that seems to have been a long-living issue with TLS connections not respecting the socket timeout? This has so far only been experienced in HTTPS connections in GNU social at least.

The below test script uses HTTP_Request2 as mentioned, https://pear.php.net/package/HTTP_Request2 (maybe requires some other PEAR stuff too)

Test script:
---------------
require('HTTP/Request2.php');
$r = new HTTP_Request2();
$r->setConfig(['connect_timeout'=>1, 'timeout'=>2]);
$r->setMethod($r::METHOD_POST);
foreach(['Thanks-For-Debugging: Really like it.'] as $header) { $r->setHeader($header); }
$r->setUrl('https://hash.my/api/subscriptions/1234');
$time=time(); echo "$time\n"; try {$r->send();} catch(Exception $e){echo get_class($e).': '.$e->getMessage();} echo "\nIt actually took: ".(time()-$time)." seconds\n";

Expected result:
----------------
HTTP_Request2_MessageException: Request timed out after 2 second(s)
It actually took: 2 seconds

Actual result:
--------------
HTTP_Request2_MessageException: Request timed out after 2 second(s)
It actually took: 48 seconds



(Note that the value where it says "after n second(s)" is just HTTP_Request2 reporting it like that because it was my configured, desired, value.)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-07-10 19:40 UTC] mmn at hethane dot se
It seems that this was a bug in HTTP_Request2 because they use 'fgets' instead of 'fread'!

Apologies for the disturbance. .)
 [2017-07-10 19:41 UTC] mmn at hethane dot se
-Status: Open +Status: Closed
 [2017-07-10 19:41 UTC] mmn at hethane dot se
closing as it was a bug in HTTP_Request2_SocketWrapper
 [2017-07-11 08:36 UTC] requinix@php.net
-Status: Closed +Status: Not a bug
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC