Bug #75086 stream_socket_enable_crypto ignores verify_peer, verify_peer_name and allow_self
Submitted: 2017-08-17 12:37 UTC Modified: 2018-08-27 15:30 UTC
Votes: 2
Avg. Score: 4.0 ± 1.0
Reproduced: 2 of 2 (100.0%)
Same Version: 1 (50.0%)
Same OS: 1 (50.0%)
From: root dot talis at gmail dot com Assigned: bukka (profile)
Status: Not a bug Package: OpenSSL related
PHP Version: 7.1.8 OS: Elementary OS 0.4.1 Loki
Private report: No CVE-ID: None
 [2017-08-17 12:37 UTC] root dot talis at gmail dot com
Description:
------------
I try to call stream_socket_enable_crypto() on an open connection with a self-signed certificate.
verify_peer is disabled, verify_peer_name is disabled, allow_self_signed is enabled,
but PHP throws the following warning:

"stream_socket_enable_crypto(): Unable to set local cert chain file `/tmp/admin.crt';
Check that your cafile/capath settings include details of your certificate and its issuer"


PHP is installed from this repository: https://launchpad.net/~ondrej/+archive/ubuntu/php
Unfortunately, I haven't found any information about the compile configure line.
I believe that the PPA maintainer can provide this information.

My setup:
  PHP version:     PHP 7.1.8-2+ubuntu16.04.1+deb.sury.org+4 (cli)
                   (built: Aug 4 2017 13:04:12) ( NTS )
  OS:              Elementary OS 0.4.1 Loki (based on Ubuntu Xenial) 
  OpenSSL version: OpenSSL 1.1.0f 25 May 2017

This is what my certificate metadata looks like (actual values replaced):

```
Bag Attributes
    localKeyID: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 
subject=/C=RU/ST=Moscow/O=Removed/OU=Removed/CN=Removed/emailAddress=removed@example.com
issuer=/C=RU/ST=Moscow/L=Moscow/O=Removed/OU=Removed/CN=www.example.org/emailAddress=removed@example.com
-----BEGIN CERTIFICATE-----
[certificate goes here]
```

I have reported this bug to the PPA bug tracker, and its maintainer asked me to report this bug here.
Original report URL: https://github.com/oerdnj/deb.sury.org/issues/661

Test script:
---------------
<?php
$address = gethostbyname('localhost');
$port = 443; // put any open port on any host here

$context = stream_context_create();
stream_context_set_option($context, 'ssl', 'capture_peer_cert', true);
stream_context_set_option($context, 'ssl', 'local_cert', __DIR__.'/admin.crt');
stream_context_set_option($context, 'ssl', 'passphrase', 'yourCertPassword');
stream_context_set_option($context, 'ssl', 'ciphers', 'SSLv3');
stream_context_set_option($context, 'ssl', 'verify_peer', false);
stream_context_set_option($context, 'ssl', 'verify_peer_name', false);
stream_context_set_option($context, 'ssl', 'allow_self_signed', true);

$errno = null; $errstr = null;
$socket = stream_socket_client("tcp://$address:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
if ($socket === false) { die("connect failed: [$errno] $errstr\n"); } // stop before the TLS step if the TCP connect failed
stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);

Expected result:
----------------
Given that the certificate is correct, I expect no warnings to be thrown.

Actual result:
--------------
/usr/bin/php7.1 /tmp/test.php
PHP Warning:  stream_socket_enable_crypto(): Unable to set local cert chain file `/tmp/admin.crt'; Check that your cafile/capath settings include details of your certificate and its issuer in /tmp/test.php on line 17
PHP Stack trace:
PHP   1. {main}() /tmp/test.php:0
PHP   2. stream_socket_enable_crypto() /tmp/test.php:17

 [2017-08-17 12:47 UTC] kelunik@php.net
Uhm, why do you set stream_context_set_option($context, 'ssl', 'ciphers', 'SSLv3')?

It's pretty likely that the other side will not accept any of these, see https://www.openssl.org/docs/man1.0.2/apps/ciphers.html for a list of ciphers that 'SSLv3' includes.

What happens if you remove that line? Might be that it's just showing the wrong error message.
 [2017-08-17 12:52 UTC] daverandom@php.net
-Status: Open +Status: Feedback
 [2017-08-17 12:52 UTC] daverandom@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


Please note that the error in question is generated by the local_cert option and not by verify_peer, verify_peer_name or allow_self_signed, see https://lxr.room11.org/xref/php-src%407.1/ext/openssl/xp_ssl.c#905 - if this step fails during initialisation of the SSL context, it will fail early before attempting to initiate the SSL layer.

Please verify that your certificate file is in a format that is accepted by SSL_CTX_use_certificate_chain_file() per https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate_chain_file.html, it must be PEM encoded.
 [2017-08-18 09:01 UTC] root dot talis at gmail dot com
> Uhm, why do you set stream_context_set_option($context, 'ssl', 'ciphers', 'SSLv3')?
> 
> It's pretty likely that the other side will not accept any of these, see https://www.openssl.org/docs/man1.0.2/apps/ciphers.html for a list of ciphers that 'SSLv3' includes.
> 
> What happens if you remove that line? Might be that it's just showing the wrong error message.

Thank you for your reply!

Nothing changes if I remove that line, I still get the same warning. This code works on PHP 7.1.3 with that line in place.
 [2017-08-18 09:35 UTC] kelunik@php.net
Does your actual certificate file include that metadata at the beginning?

Bag Attributes
    localKeyID: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 
subject=/C=RU/ST=Moscow/O=Removed/OU=Removed/CN=Removed/emailAddress=removed@example.com
issuer=/C=RU/ST=Moscow/L=Moscow/O=Removed/OU=Removed/CN=www.example.org/emailAddress=removed@example.com


If so, please remove it and retry.
 [2017-08-18 09:43 UTC] root dot talis at gmail dot com
> Does your actual certificate file include that metadata at the beginning?
> 
> Bag Attributes
>     localKeyID: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 
> subject=/C=RU/ST=Moscow/O=Removed/OU=Removed/CN=Removed/emailAddress=removed@example.com
> issuer=/C=RU/ST=Moscow/L=Moscow/O=Removed/OU=Removed/CN=www.example.org/emailAddress=removed@example.com
> 
> 
> If so, please remove it and retry.

Yes, it does. Removing the data didn't help.
 [2017-08-21 08:57 UTC] root dot talis at gmail dot com
I managed to make a build of PHP-7.1.8 with OpenSSL 1.0.2g instead of 1.1.0f that doesn't have this issue.
 [2017-08-27 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2017-08-27 06:28 UTC] requinix@php.net
-Status: No Feedback +Status: Open
 [2018-08-27 15:30 UTC] bukka@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: bukka
 [2018-08-27 15:30 UTC] bukka@php.net
I don't think this is a bug in PHP as it seems to me like the certificate is not correctly formatted. Please note that OpenSSL 1.1 is a bit more strict on what is accepted which is a good thing IMO. You should see exactly the same result if you use openssl s_client so please make sure that it works first with the s_client from OpenSSL 1.1.

If you still think that it's an issue in PHP, please generate a new testing cert that is failing with PHP and works with s_client. Then I will be happy to re-open it.
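Both requests above (daverandom's pointer to the PEM format that SSL_CTX_use_certificate_chain_file() accepts, and bukka's advice to make the certificate work outside PHP before blaming the stream wrapper) can be narrowed down with a preflight of the local_cert file. This is an added example, not code from the bug report or from php-src; it assumes the admin.crt path and passphrase used in the test script.

```php
<?php
// Added preflight for the 'local_cert' file (example code, not from the bug
// report or php-src). Assumed inputs: the admin.crt path and passphrase from
// the test script; adjust both for your environment.
$certFile   = __DIR__ . '/admin.crt';
$passphrase = 'yourCertPassword';

// Drain libcrypto's error queue so the reason for a failure is visible.
function opensslErrors(): string
{
    $errors = [];
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }
    return $errors ? implode('; ', $errors) : 'no OpenSSL error recorded';
}

$pem = @file_get_contents($certFile);
if ($pem === false) {
    fwrite(STDERR, "cannot read $certFile\n");
    exit(1);
}
// local_cert must be PEM: a DER or PKCS#12 (.p12/.pfx) file has no BEGIN line.
if (strpos($pem, '-----BEGIN CERTIFICATE-----') === false) {
    fwrite(STDERR, "$certFile: no PEM certificate block (DER or PKCS#12 export?)\n");
    exit(1);
}

// Same libcrypto PEM parser the stream wrapper relies on; a "Bag Attributes"
// preamble before the BEGIN line is skipped by it.
$cert = openssl_x509_read($pem);
if ($cert === false) {
    fwrite(STDERR, "certificate block does not parse: " . opensslErrors() . "\n");
    exit(1);
}
$info = openssl_x509_parse($cert);
printf("subject: %s\nvalid until: %s\n", $info['name'], date('c', $info['validTo_time_t']));

// With no 'local_pk' option PHP loads the private key from the local_cert file
// itself, so the key block must be in the same file and the passphrase must decrypt it.
$key = openssl_pkey_get_private($pem, $passphrase);
if ($key === false) {
    fwrite(STDERR, "private key missing or wrong passphrase: " . opensslErrors() . "\n");
    exit(1);
}
if (!openssl_x509_check_private_key($cert, $key)) {
    fwrite(STDERR, "private key does not match the certificate\n");
    exit(1);
}
echo "local_cert preflight OK\n";
```

Run it against the same file and passphrase the stream context uses; a failure here is a certificate or key problem, independent of verify_peer, verify_peer_name and allow_self_signed, which only affect how the peer's certificate is checked.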
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 13:01:28 2024 UTC