php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #76694 OpenSSL don't use Windows system CA store
Submitted: 2018-08-02 13:01 UTC Modified: 2018-11-19 16:43 UTC
From: anrdaemon at freemail dot ru Assigned:
Status: Re-Opened Package: OpenSSL related
PHP Version: 5.6.37 OS: Windows
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: anrdaemon at freemail dot ru
New email:
PHP Version: OS:

 

 [2018-08-02 13:01 UTC] anrdaemon at freemail dot ru 
Description:
------------
Contrary to the release announce of PHP 5.6

- OpenSSL:
  . Fallback to Windows CA cert store for peer verification if no openssl.cafile
    ini directive or "cafile" SSL context option specified in Windows.
    (Chris Wright)

file_get_contents('https://ca.rootdir.org/');

fails with certificate verification error.

This is for all PHP versions from 5.6 to 7.2

Test script:
---------------
<?php

print file_get_contents('https://ca.rootdir.org/');


Expected result:
----------------
<html>
<body>
<h1>Hi!</h1>
<p><a href="ca.cer">Root certificate.</a></p>
</body>
</html>

Actual result:
--------------
PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in ssl-verify.php on line 3

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-08-02 13:53 UTC] daverandom@php.net
-Status: Open +Status: Feedback
 [2018-08-02 13:53 UTC] daverandom@php.net 
This is just a semi-educated guess, but note that a self-signed certificate will only be accepted if the allow_self_signed context option is set, regardless of whether it exists in the trusted root CA store. Similarly, the verify_depth context option is still respected when the system store is used.

If the problematic certificate does not fall foul of either of these factors, please check the following:

- Are you able to load the resource in a browser that uses the system CA store, on the same client machine, without errors?
- If you specify a cafile that contains the relevant root certificate (i.e. use the openssl verify routine), does it work?
- Where the system store-based verify routine encounters an operational failure of some kind it will emit an E_WARNING with a descriptive message, please ensure that you have error reporting configured with a sufficient level and include any logged messages here.

Although there aren't currently any proper tests for this code path - something which most certainly needs addressing - it is fairly well tested in practice, simply by real-world usage. For example, if file_get_contents('https://packagist.org/...') didn't work out of the box on windows then there would be frequent reports as composer would not work.

If you want to discuss directly with me further in chat, you can find in the PHP chat room on Stack Overflow most of the time, under the screen name DaveRandom :-)
 [2018-11-18 22:31 UTC] cmb@php.net
-Status: Feedback +Status: No Feedback
 [2018-11-18 22:31 UTC] cmb@php.net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2018-11-19 10:09 UTC] anrdaemon at freemail dot ru 
So, the report was suspended based on semi-educated guess? Without actual investigation?
I knew bugs.php.net tend to be like that, but not on such a scale.
 [2018-11-19 10:27 UTC] nikic@php.net 
The report was suspended because no response was provided to the questions that were asked by @daverandom. The issue can be reopened once requested feedback is provided.
 [2018-11-19 13:35 UTC] anrdaemon at freemail dot ru 
Yes, browsers that use system CA store (IE, Chrome-based) operate correctly.

Yes, I can use OpenSSL functionality (particularly curl) without an issue after pointing openssl.ca* settings to Cygwin PKI that contains the necessary root CA certificate.

The further error message wasn't helping.

And no, it doesn't work with packagist either.

<?php
print file_get_contents(__FILE__);
var_dump(PHP_VERSION);
var_dump(ini_get("openssl.cafile"));
var_dump(ini_get("openssl.capath"));
file_get_contents('https://packagist.org/');
?>
string(6) "7.1.22"
string(0) ""
string(0) ""
PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in ...\76694-openssl-system-PKI\test.php on line 6
PHP Warning:  file_get_contents(): Failed to enable crypto in ...\76694-openssl-system-PKI\test.php on line 6
PHP Warning:  file_get_contents(https://packagist.org/): failed to open stream: operation failed in ...\76694-openssl-system-PKI\test.php on line 6
 [2018-11-19 13:39 UTC] anrdaemon at freemail dot ru 
Same test with Cygwin PKI

string(6) "7.1.22"
string(76) "C:\Programs\Cygwin_64\etc\pki\ca-trust\extracted\openssl\ca-bundle.trust.crt"
string(35) "C:\Programs\Cygwin_64\usr\ssl\certs"
<and no error messages>
 [2018-11-19 16:43 UTC] requinix@php.net
-Status: No Feedback +Status: Re-Opened
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved. 		Last updated: Sat Dec 07 16:01:23 2019 UTC