Bug #76196 proxied file_get_contents calls lag the cert check one behind for further calls
Submitted: 2018-04-08 11:25 UTC
Modified: 2022-10-05 20:35 UTC
Votes: 9
Avg. Score: 4.2 ± 0.9
Reproduced: 7 of 7 (100.0%)
Same Version: 3 (42.9%)
Same OS: 0 (0.0%)
From: php dot public at consistency dot at
Assigned:
Status: Open
Package: OpenSSL related
PHP Version: 7.1.16
OS: win7 & debian9
Private report: No
CVE-ID: None
 [2018-04-08 11:25 UTC] php dot public at consistency dot at
Description:
------------
Calling `file_get_contents` through a configured proxy to an SSL site will let the certificate check "lag" one behind.

With the first call of `file_get_contents`, the certificate for the requested site will be "locked in" for the next call, which will therefore fail.

So only the first call of `file_get_contents` will be successful; the rest will fail.

Test script:
---------------
<?php
$stream_default_opts = [
  'http' => [
    'proxy'=>"tcp://5.9.78.28:3128",
    'request_fulluri' => true,
  ]
];
stream_context_set_default($stream_default_opts);
file_get_contents("https://www.symfony.com", false); 
file_get_contents("https://getcomposer.org", false); 
file_get_contents("https://github.com", false); 

Actual result:
--------------
Warning: file_get_contents(): Peer certificate CN=`getcomposer.org' did not match expected CN=`www.symfony.com' in foo.php on line 11
Warning: file_get_contents(https://getcomposer.org): failed to open stream: Cannot connect to HTTPS server through proxy in foo.php on line 11

Warning: file_get_contents(): Peer certificate CN=`github.com' did not match expected CN=`www.symfony.com' in foo.php on line 12
Warning: file_get_contents(https://github.com): failed to open stream: Cannot connect to HTTPS server through proxy in foo.php on line 12

 [2019-04-02 14:47 UTC] f at zuckschwerdt dot de
This seems to be related to WSDL caching. If the WSDL is cached already, everything works fine. As soon as the WSDL is missing and needs to be loaded first, this error occurs. Executing the same script a second time will then work without error. With the Soap_Client the bug can be enforced by setting the option 'cache_wsdl' to WSDL_CACHE_NONE. This way the WSDL is loaded every time and the bug will always kick in. With all OTHER WSDL_CACHE_* settings it will only kick in when the cert is not cached already.

The SSL cert will not only lag one request (to target service) behind but it will fail the whole script execution and only use the cert from the first file_get_contents call. A workaround to call the target service twice will not work. The only workaround is to only use one file_get_contents SSL domain call during one script execution.

Setting 'stream_context' > 'ssl' > 'verify_peer' and 'verify_peer_name' to false does not help!

Tested on PHP 7.0.30-0ubuntu0.16.04.1:
call to https SOAP service -> works always
call to different https SOAP service -> works only if WSDL is already cached
 [2022-10-05 20:35 UTC] bukka@php.net
-Package: Streams related
+Package: OpenSSL related
 
Last updated: Sat Dec 14 02:01:27 2024 UTC