Bug #75086 stream_socket_enable_crypto ignores verify_peer, verify_peer_name and allow_self
Submitted: 2017-08-17 12:37 UTC Modified: 2017-08-27 06:28 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: root dot talis at gmail dot com Assigned:
Status: Open Package: OpenSSL related
PHP Version: 7.1.8 OS: Elementary OS 0.4.1 Loki
Private report: No CVE-ID:
 [2017-08-17 12:37 UTC] root dot talis at gmail dot com
Description:
------------
I try to call stream_socket_enable_crypto() on an open connection with a self-signed certificate.
verify_peer is disabled, verify_peer_name is disabled, allow_self_signed is enabled,
but PHP throws the following warning:

"stream_socket_enable_crypto(): Unable to set local cert chain file `/tmp/admin.crt';
Check that your cafile/capath settings include details of your certificate and its issuer"


PHP is installed from this repository: https://launchpad.net/~ondrej/+archive/ubuntu/php
Unfortunately, I haven't found any information about the compile configure line.
I believe that the PPA maintainer can provide this information.

My setup:
  PHP version:     PHP 7.1.8-2+ubuntu16.04.1+deb.sury.org+4 (cli)
                   (built: Aug 4 2017 13:04:12) ( NTS )
  OS:              Elementary OS 0.4.1 Loki (based on Ubuntu Xenial) 
  OpenSSL version: OpenSSL 1.1.0f 25 May 2017

This is what my certificate metadata looks like (actual values replaced):

```
Bag Attributes
    localKeyID: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 
subject=/C=RU/ST=Moscow/O=Removed/OU=Removed/CN=Removed/emailAddress=removed@example.com
issuer=/C=RU/ST=Moscow/L=Moscow/O=Removed/OU=Removed/CN=www.example.org/emailAddress=removed@example.com
-----BEGIN CERTIFICATE-----
[certificate goes here]
```

I have reported this bug to the PPA bug tracker, and its maintainer requested me to report this bug here.
Original report URL: https://github.com/oerdnj/deb.sury.org/issues/661

Test script:
---------------
```php
<?php
$address = gethostbyname('localhost');
$port = 443; // put any open port on any host here

$context = stream_context_create();
stream_context_set_option($context, 'ssl', 'capture_peer_cert', true);
stream_context_set_option($context, 'ssl', 'local_cert', __DIR__.'/admin.crt');
stream_context_set_option($context, 'ssl', 'passphrase', 'yourCertPassword');
stream_context_set_option($context, 'ssl', 'ciphers', 'SSLv3');
stream_context_set_option($context, 'ssl', 'verify_peer', false);
stream_context_set_option($context, 'ssl', 'verify_peer_name', false);
stream_context_set_option($context, 'ssl', 'allow_self_signed', true);

$errno = null; $errstr = null;
$socket = stream_socket_client("tcp://$address:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
if ($socket === false) {
    die("connect failed: $errstr ($errno)\n"); // the TCP connect must succeed before the TLS step can be exercised
}

// The warning quoted in the report is raised by this call.
stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
```

Expected result:
----------------
Given that the certificate is correct, I expect no warnings to be thrown.

Actual result:
--------------
/usr/bin/php7.1 /tmp/test.php
PHP Warning:  stream_socket_enable_crypto(): Unable to set local cert chain file `/tmp/admin.crt'; Check that your cafile/capath settings include details of your certificate and its issuer in /tmp/test.php on line 17
PHP Stack trace:
PHP   1. {main}() /tmp/test.php:0
PHP   2. stream_socket_enable_crypto() /tmp/test.php:17

 [2017-08-17 12:47 UTC] kelunik@php.net
Uhm, why do you set stream_context_set_option($context, 'ssl', 'ciphers', 'SSLv3')?

It's pretty likely that the other side will not accept any of these, see https://www.openssl.org/docs/man1.0.2/apps/ciphers.html for a list of ciphers that 'SSLv3' includes.

What happens if you remove that line? Might be that it's just showing the wrong error message.
 [2017-08-17 12:52 UTC] daverandom@php.net
-Status: Open +Status: Feedback
 [2017-08-17 12:52 UTC] daverandom@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


Please note that the error in question is generated by the local_cert option and not by verify_peer, verify_peer_name or allow_self_signed, see https://lxr.room11.org/xref/php-src%407.1/ext/openssl/xp_ssl.c#905 - if this step fails during initialisation of the SSL context, it will fail early before attempting to initiate the SSL layer.

Please verify that your certificate file is in a format that is accepted by SSL_CTX_use_certificate_chain_file() per https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate_chain_file.html, it must be PEM encoded.
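As an added example (not the reporter's script and not php-src code), the following PHP checks the local_cert file against the PEM requirement described above before handing it to the stream context, and checks the return values the test script ignores, so a format or passphrase problem is reported as such rather than as the generic "Unable to set local cert chain file" warning. The file path, passphrase and target address are placeholders.

```php
<?php
// Added diagnostic (not from the bug report or php-src): validate the
// local_cert file the way SSL_CTX_use_certificate_chain_file() will
// consume it before the stream context ever sees it.
// File path, passphrase, host and port are placeholders.
$certFile   = __DIR__ . '/admin.crt';
$passphrase = 'yourCertPassword';

$pem = file_get_contents($certFile);
if ($pem === false) {
    exit("cannot read $certFile\n");
}

// OpenSSL wants PEM here: the leaf certificate first, then any
// intermediates. A DER or PKCS#12 export carries no such text marker.
if (strpos($pem, '-----BEGIN CERTIFICATE-----') === false) {
    exit("$certFile has no PEM certificate block (DER or PKCS#12?)\n");
}

$cert = openssl_x509_read($pem);
if ($cert === false) {
    exit('certificate does not parse: ' . openssl_error_string() . "\n");
}
echo 'leaf subject: ' . openssl_x509_parse($cert)['name'] . "\n";

// Without a separate local_pk option the private key must sit in the
// same file; loading it also verifies the passphrase.
$key = openssl_pkey_get_private($pem, $passphrase);
if ($key === false) {
    exit('no usable private key (missing, or wrong passphrase): ' . openssl_error_string() . "\n");
}
if (!openssl_x509_check_private_key($cert, $key)) {
    exit("private key does not belong to the certificate\n");
}

// Only now hand the file to the context, and check the results the
// original script ignores: false = handshake failed, 0 = would block.
$context = stream_context_create(['ssl' => ['local_cert' => $certFile, 'passphrase' => $passphrase]]);
$socket = stream_socket_client('tcp://localhost:443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
if ($socket === false) {
    exit("connect failed: $errstr ($errno)\n");
}
$ok = stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
if ($ok !== true) {
    exit('TLS failed: ' . (error_get_last()['message'] ?? 'unknown') . "\n");
}
echo "TLS established\n";
```

If the checks before the context creation all pass and the warning still appears, the file format is not the cause and the OpenSSL build difference noted later in the thread becomes the next thing to compare.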
 [2017-08-18 09:01 UTC] root dot talis at gmail dot com
> Uhm, why do you set stream_context_set_option($context, 'ssl', 'ciphers', 'SSLv3')?
> 
> It's pretty likely that the other side will not accept any of these, see https://www.openssl.org/docs/man1.0.2/apps/ciphers.html for a list of ciphers that 'SSLv3' includes.
> 
> What happens if you remove that line? Might be that it's just showing the wrong error message.

Thank you for your reply!

Nothing changes if I remove that line, I still get the same warning. This code works on PHP 7.1.3 with that line in place.
 [2017-08-18 09:35 UTC] kelunik@php.net
Does your actual certificate file include that meta data at the beginning?

Bag Attributes
    localKeyID: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 
subject=/C=RU/ST=Moscow/O=Removed/OU=Removed/CN=Removed/emailAddress=removed@example.com
issuer=/C=RU/ST=Moscow/L=Moscow/O=Removed/OU=Removed/CN=www.example.org/emailAddress=removed@example.com


If so, please remove it and retry.
 [2017-08-18 09:43 UTC] root dot talis at gmail dot com
> Does your actual certificate file include that meta data at the beginning?
> 
> Bag Attributes
>     localKeyID: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 
> subject=/C=RU/ST=Moscow/O=Removed/OU=Removed/CN=Removed/emailAddress=removed@example.com
> issuer=/C=RU/ST=Moscow/L=Moscow/O=Removed/OU=Removed/CN=www.example.org/emailAddress=removed@example.com
> 
> 
> If so, please remove it and retry.

Yes, it does. Removing the data didn't help.
 [2017-08-21 08:57 UTC] root dot talis at gmail dot com
I managed to make a build of PHP-7.1.8 with OpenSSL 1.0.2g instead of 1.1.0f that doesn't have this issue.
 [2017-08-27 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2017-08-27 06:28 UTC] requinix@php.net
-Status: No Feedback +Status: Open
Last updated: Tue Aug 29 15:01:52 2017 UTC