php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #76196 proxied file_get_contents calls lag the cert check one behind for further calls
Submitted: 2018-04-08 11:25 UTC Modified: -
Votes:8
Avg. Score:4.4 ± 0.9
Reproduced:7 of 7 (100.0%)
Same Version:3 (42.9%)
Same OS:0 (0.0%)
From: php dot public at consistency dot at Assigned:
Status: Open Package: Streams related
PHP Version: 7.1.16 OS: win7 & debian9
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2018-04-08 11:25 UTC] php dot public at consistency dot at 
Description:
------------
calling `file_get_contents` through a configured proxy to an ssl site will let the certificate check "lag" one behind.

with the first call of the `file_get_contents` the certificate for the requested site will be "locked in" for the next call. which will therefor fail.

so only the first call of `file_get_contents` will be successful, the rest will fail.

Test script:
---------------
<?php
$stream_default_opts = [
  'http' => [
    'proxy'=>"tcp://5.9.78.28:3128",
    'request_fulluri' => true,
  ]
];
stream_context_set_default($stream_default_opts);
file_get_contents("https://www.symfony.com", false); 
file_get_contents("https://getcomposer.org", false); 
file_get_contents("https://github.com", false); 

Actual result:
--------------
Warning: file_get_contents(): Peer certificate CN=`getcomposer.org' did not match expected CN=`www.symfony.com' in foo.php on line 11
Warning: file_get_contents(https://getcomposer.org): failed to open stream: Cannot connect to HTTPS server through proxy in foo.php on line 11

Warning: file_get_contents(): Peer certificate CN=`github.com' did not match expected CN=`www.symfony.com' in foo.php on line 12
Warning: file_get_contents(https://github.com): failed to open stream: Cannot connect to HTTPS server through proxy in foo.php on line 12

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-04-02 14:47 UTC] f at zuckschwerdt dot de 
This seems to be related to WSDL caching. If the WSDL is cached already, everything works fine. As soon as the WSDL is missing and needs to be loaded first, this error occurs. Executing the same script a second time will then work without error. With the Soap_Client the bug can be enforced by setting the option 'cache_wsdl' to WSDL_CACHE_NONE. This way the WSDL is loaded every time and the bug will always kick in. With all OTHER WSDL_CACHE_* settings it will only kick in when the cert is not cached already.

The SSL cert will not only lag one request (to target service) behind but it will fail the whole script execution and only use the cert from the first file_get_contents call. A workaround to call the target service twice will not work. The only workaround is to only use one file_get_contents SSL domain call during one script execution.

Setting 'stream_context' > 'ssl' > 'verify_peer' and 'verify_peer_name' to false does not help!

Tested on PHP 7.0.30-0ubuntu0.16.04.1:
call to https SOAP service -> works always
call to different https SOAP service -> works only if WSDL is already cached
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved. 		Last updated: Wed Mar 03 09:01:23 2021 UTC