PHP :: Bug #76196 :: proxied file_get_contents calls lag the cert check one behind for further calls

Bug #76196

proxied file_get_contents calls lag the cert check one behind for further calls

Submitted:

2018-04-08 11:25 UTC

Modified:

2022-10-05 20:35 UTC

Votes:	9
Avg. Score:	4.2 ± 0.9
Reproduced:	7 of 7 (100.0%)
Same Version:	3 (42.9%)
Same OS:	0 (0.0%)

From:

php dot public at consistency dot at

Assigned:

Status:

Open

Package:

OpenSSL related

PHP Version:

7.1.16

OS:

win7 & debian9

Private report:

CVE-ID:

None

View Developer Edit

[2018-04-08 11:25 UTC] php dot public at consistency dot at

Description:
------------
calling `file_get_contents` through a configured proxy to an ssl site will let the certificate check "lag" one behind.

with the first call of the `file_get_contents` the certificate for the requested site will be "locked in" for the next call. which will therefor fail.

so only the first call of `file_get_contents` will be successful, the rest will fail.

Test script:
---------------
<?php
$stream_default_opts = [
  'http' => [
    'proxy'=>"tcp://5.9.78.28:3128",
    'request_fulluri' => true,
  ]
];
stream_context_set_default($stream_default_opts);
file_get_contents("https://www.symfony.com", false); 
file_get_contents("https://getcomposer.org", false); 
file_get_contents("https://github.com", false); 

Actual result:
--------------
Warning: file_get_contents(): Peer certificate CN=`getcomposer.org' did not match expected CN=`www.symfony.com' in foo.php on line 11
Warning: file_get_contents(https://getcomposer.org): failed to open stream: Cannot connect to HTTPS server through proxy in foo.php on line 11

Warning: file_get_contents(): Peer certificate CN=`github.com' did not match expected CN=`www.symfony.com' in foo.php on line 12
Warning: file_get_contents(https://github.com): failed to open stream: Cannot connect to HTTPS server through proxy in foo.php on line 12

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-04-02 14:47 UTC] f at zuckschwerdt dot de

This seems to be related to WSDL caching. If the WSDL is cached already, everything works fine. As soon as the WSDL is missing and needs to be loaded first, this error occurs. Executing the same script a second time will then work without error. With the Soap_Client the bug can be enforced by setting the option 'cache_wsdl' to WSDL_CACHE_NONE. This way the WSDL is loaded every time and the bug will always kick in. With all OTHER WSDL_CACHE_* settings it will only kick in when the cert is not cached already.

The SSL cert will not only lag one request (to target service) behind but it will fail the whole script execution and only use the cert from the first file_get_contents call. A workaround to call the target service twice will not work. The only workaround is to only use one file_get_contents SSL domain call during one script execution.

Setting 'stream_context' > 'ssl' > 'verify_peer' and 'verify_peer_name' to false does not help!

Tested on PHP 7.0.30-0ubuntu0.16.04.1:
call to https SOAP service -> works always
call to different https SOAP service -> works only if WSDL is already cached

[2022-10-05 20:35 UTC] bukka@php.net

-Package: Streams related +Package: OpenSSL related

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Feb 25 11:01:30 2025 UTC