Bug #76694 native Windows cert verification uses CN as server name
Submitted: 2018-08-02 13:01 UTC Modified: 2021-05-27 10:08 UTC
Votes:5
Avg. Score:4.4 ± 0.8
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:4 (80.0%)
From: anrdaemon at freemail dot ru Assigned: cmb (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.6.37 OS: Windows
Private report: No CVE-ID: None
 [2018-08-02 13:01 UTC] anrdaemon at freemail dot ru
Description:
------------
Contrary to the release announcement of PHP 5.6

- OpenSSL:
  . Fallback to Windows CA cert store for peer verification if no openssl.cafile
    ini directive or "cafile" SSL context option specified in Windows.
    (Chris Wright)

file_get_contents('https://ca.rootdir.org/');

fails with certificate verification error.

This is for all PHP versions from 5.6 to 7.2

Test script:
---------------
<?php

print file_get_contents('https://ca.rootdir.org/');


Expected result:
----------------
<html>
<body>
<h1>Hi!</h1>
<p><a href="ca.cer">Root certificate.</a></p>
</body>
</html>

Actual result:
--------------
PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in ssl-verify.php on line 3

 [2018-08-02 13:53 UTC] daverandom@php.net
-Status: Open +Status: Feedback
 [2018-08-02 13:53 UTC] daverandom@php.net
This is just a semi-educated guess, but note that a self-signed certificate will only be accepted if the allow_self_signed context option is set, regardless of whether it exists in the trusted root CA store. Similarly, the verify_depth context option is still respected when the system store is used.

If the problematic certificate does not fall foul of either of these factors, please check the following:

- Are you able to load the resource in a browser that uses the system CA store, on the same client machine, without errors?
- If you specify a cafile that contains the relevant root certificate (i.e. use the openssl verify routine), does it work?
- Where the system store-based verify routine encounters an operational failure of some kind it will emit an E_WARNING with a descriptive message, please ensure that you have error reporting configured with a sufficient level and include any logged messages here.

Although there aren't currently any proper tests for this code path - something which most certainly needs addressing - it is fairly well tested in practice, simply by real-world usage. For example, if file_get_contents('https://packagist.org/...') didn't work out of the box on windows then there would be frequent reports as composer would not work.

If you want to discuss directly with me further in chat, you can find in the PHP chat room on Stack Overflow most of the time, under the screen name DaveRandom :-)
 [2018-11-18 22:31 UTC] cmb@php.net
-Status: Feedback +Status: No Feedback
 [2018-11-18 22:31 UTC] cmb@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2018-11-19 10:09 UTC] anrdaemon at freemail dot ru
So, the report was suspended based on semi-educated guess? Without actual investigation?
I knew bugs.php.net tend to be like that, but not on such a scale.
 [2018-11-19 10:27 UTC] nikic@php.net
The report was suspended because no response was provided to the questions that were asked by @daverandom. The issue can be reopened once requested feedback is provided.
 [2018-11-19 13:35 UTC] anrdaemon at freemail dot ru
Yes, browsers that use system CA store (IE, Chrome-based) operate correctly.

Yes, I can use OpenSSL functionality (particularly curl) without an issue after pointing openssl.ca* settings to Cygwin PKI that contains the necessary root CA certificate.

The further error message wasn't helping.

And no, it doesn't work with packagist either.

<?php
print file_get_contents(__FILE__);
var_dump(PHP_VERSION);
var_dump(ini_get("openssl.cafile"));
var_dump(ini_get("openssl.capath"));
file_get_contents('https://packagist.org/');
?>
string(6) "7.1.22"
string(0) ""
string(0) ""
PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in ...\76694-openssl-system-PKI\test.php on line 6
PHP Warning:  file_get_contents(): Failed to enable crypto in ...\76694-openssl-system-PKI\test.php on line 6
PHP Warning:  file_get_contents(https://packagist.org/): failed to open stream: operation failed in ...\76694-openssl-system-PKI\test.php on line 6
 [2018-11-19 13:39 UTC] anrdaemon at freemail dot ru
Same test with Cygwin PKI

string(6) "7.1.22"
string(76) "C:\Programs\Cygwin_64\etc\pki\ca-trust\extracted\openssl\ca-bundle.trust.crt"
string(35) "C:\Programs\Cygwin_64\usr\ssl\certs"
<and no error messages>
 [2018-11-19 16:43 UTC] requinix@php.net
-Status: No Feedback +Status: Re-Opened
 [2021-04-29 12:41 UTC] cmb@php.net
-Status: Re-Opened +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-04-29 12:41 UTC] cmb@php.net
Well, requesting https://packagist.org works for me with and
without setting openssl.cacert, but requesting
https://ca.rootdir.org/ does not even work from a browser
(NET::ERR_CERT_AUTHORITY_INVALID).

So maybe this has been fixed in the meantime.  Or do you still
experience the issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-05-09 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2021-05-24 09:39 UTC] anrdaemon at yandex dot ru
> Well, requesting https://packagist.org works for me with and without setting openssl.cacert, 

Because its CA was added to the internal bundle since then.

> but requesting https://ca.rootdir.org/ does not even work from a browser (NET::ERR_CERT_AUTHORITY_INVALID).

Why invalid? Should be "issuer unknown". Add https://ca.rootdir.org/ca.cer to your system PKI.

> So maybe this has been fixed in the meantime.  Or do you still experience the issue with any of the actively supported PHP versions[1].

Tested with PHP 7.4, nothing changed.

<?php
print file_get_contents(__FILE__);
var_dump(PHP_VERSION);
var_dump(ini_get("openssl.cafile"));
var_dump(ini_get("openssl.capath"));
var_dump(substr(file_get_contents('https://ca.rootdir.org/'), 0, 16));
var_dump(error_get_last());

With Cygwin PKI:

<?php
print file_get_contents(__FILE__);
var_dump(PHP_VERSION);
var_dump(ini_get("openssl.cafile"));
var_dump(ini_get("openssl.capath"));
var_dump(substr(file_get_contents('https://ca.rootdir.org/'), 0, 16));
var_dump(error_get_last());
string(6) "7.4.16"
string(76) "C:\Programs\Cygwin_64\etc\pki\ca-trust\extracted\openssl\ca-bundle.trust.crt"
string(35) "C:\Programs\Cygwin_64\usr\ssl\certs"
string(16) "<html>
<body>
<h"
NULL

Without specific PKI:

<?php
print file_get_contents(__FILE__);
var_dump(PHP_VERSION);
var_dump(ini_get("openssl.cafile"));
var_dump(ini_get("openssl.capath"));
var_dump(substr(file_get_contents('https://ca.rootdir.org/'), 0, 16));
var_dump(error_get_last());
string(6) "7.4.16"
string(0) ""
string(0) ""
string(0) ""
array(4) {
  ["type"]=>
  int(2)
  ["message"]=>
  string(83) "file_get_contents(https://ca.rootdir.org/): failed to open stream: operation failed"
  ["file"]=>
  string(71) "C:\Users\anrdaemon\Documents\Bugs\PHP\76694-openssl-system-PKI\test.php"
  ["line"]=>
  int(6)
}
 [2021-05-24 11:39 UTC] cmb@php.net
-Status: No Feedback +Status: Open
 [2021-05-24 11:39 UTC] cmb@php.net
Thanks!  I'll have a closer look.
 [2021-05-25 11:36 UTC] cmb@php.net
The Windows CA cert store is definitely used (not yet sure if 100%
correctly), but currently https://ca.rootdir.org/ca.cer is
apparently down.
 [2021-05-26 15:20 UTC] cmb@php.net
-Status: Assigned +Status: Analyzed
 [2021-05-26 15:20 UTC] cmb@php.net
Okay, the problem is that we only check the subject CN (which is
"Rootdir CA webserver"), but not the subjectAltNames (which have
the required "ca.rootdir.org").
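The distinction cmb describes above, a CN-only check versus a check that consults the subjectAltName dNSName entries first, as an added illustration in C. This is not php-src code and not the Windows CryptoAPI path cmb patched; it works on a constructed struct standing in for the parsed identity fields of a leaf certificate (no X.509 parsing, no network), and the `rootdir_like` sample is modelled on the thread's description of the certificate (CN "Rootdir CA webserver", SAN "ca.rootdir.org") rather than copied from the real one. The wildcard handling goes slightly beyond the report: it shows the usual leftmost-label rule so the reader can see why SAN-first matching, not CN matching, is the behaviour a client must implement.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the parsed identity fields of a leaf certificate
 * (not a real X.509 parser): the subject CN plus the dNSName entries of the
 * subjectAltName extension. */
typedef struct {
    const char *subject_cn;   /* NULL if the subject has no CN */
    const char *dns_sans[8];  /* dNSName SAN entries, NULL-terminated */
} cert_identity;

/* DNS names are case-insensitive, so compare labels without regard to case. */
static bool name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    }
    return *a == '\0' && *b == '\0';
}

/* Match one presented identifier (CN or dNSName) against the reference host.
 * Only a leftmost-label wildcard ("*.example.org") is supported; it stands in
 * for exactly one label and the remaining suffix must contain at least two
 * labels, so "*.org" never matches anything. */
static bool match_pattern(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return name_eq(pattern, host);

    const char *suffix = pattern + 1;            /* ".example.org" */
    const char *first_dot = strchr(host, '.');   /* end of host's first label */
    if (first_dot == NULL || first_dot == host)
        return false;
    if (strchr(suffix + 1, '.') == NULL)         /* suffix needs >= 2 labels */
        return false;
    return name_eq(first_dot, suffix);
}

/* RFC 6125 style check: if the certificate carries any dNSName SAN, only the
 * SAN entries are consulted and the CN is ignored; the CN is a fallback solely
 * for certificates that have no dNSName SAN at all. */
bool cert_matches_host(const cert_identity *cert, const char *host)
{
    if (cert->dns_sans[0] != NULL) {
        for (size_t i = 0; cert->dns_sans[i] != NULL; i++) {
            if (match_pattern(cert->dns_sans[i], host))
                return true;
        }
        return false;
    }
    return cert->subject_cn != NULL && match_pattern(cert->subject_cn, host);
}

/* The behaviour the thread describes as the bug: compare the host against the
 * subject CN only and never look at the SAN. */
bool cn_only_matches_host(const cert_identity *cert, const char *host)
{
    return cert->subject_cn != NULL && match_pattern(cert->subject_cn, host);
}

/* Constructed sample modelled on the report: the CN is a descriptive string
 * and the host name is present only in the SAN (assumed values). */
static const cert_identity rootdir_like = {
    .subject_cn = "Rootdir CA webserver",
    .dns_sans   = { "ca.rootdir.org", "www.rootdir.org", NULL },
};

int main(void)
{
    const char *host = "ca.rootdir.org";
    printf("CN-only check:   %s\n",
           cn_only_matches_host(&rootdir_like, host) ? "match" : "no match");
    printf("SAN-aware check: %s\n",
           cert_matches_host(&rootdir_like, host) ? "match" : "no match");
    return 0;
}
```

Run as is, the CN-only check reports "no match" for ca.rootdir.org while the SAN-aware check reports "match", which is exactly the split observed in the thread: the certificate is fine for browsers and for OpenSSL with a cafile (both honour the SAN), but fails under a verifier that compares the host against the CN alone. Note also that once a dNSName SAN is present the CN is ignored entirely, so a CN that happens to equal the host name is not sufficient on its own.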
 [2021-05-27 10:08 UTC] cmb@php.net
-Summary: OpenSSL don't use Windows system CA store +Summary: native Windows cert verification uses CN as sever name
 [2021-05-27 10:09 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #76694: native Windows cert verification uses CN as sever name
On GitHub:  https://github.com/php/php-src/pull/7060
Patch:      https://github.com/php/php-src/pull/7060.patch
 [2021-05-31 12:38 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/7fd48264de5c828d0898d48875fc6c5a6f292386
Log: Fix #76694: native Windows cert verification uses CN as sever name
 [2021-05-31 12:38 UTC] git@php.net
-Status: Analyzed +Status: Closed
Last updated: Fri Jul 30 17:01:23 2021 UTC