PHP :: Bug #76705 :: unusable ssl => peer_fingerprint in stream_context_create()
Bug #76705 unusable ssl => peer_fingerprint in stream_context_create()
Submitted: 2018-08-04 15:24 UTC
Modified: 2018-08-05 13:53 UTC
From: test at strongsolutions dot lt
Assigned: bukka
Status: Verified
Package: OpenSSL related
PHP Version: master-Git-2018-08-04 (Git)
OS:
Private report: No
CVE-ID: None

 [2018-08-04 15:24 UTC] test at strongsolutions dot lt
Description:
------------
See code.

It appears that this is caused by macromancy: value of `val` is inadvertently changed by another use of `GET_VER_OPT`.

https://github.com/php/php-src/blob/master/ext/openssl/xp_ssl.c#L504-L535


Test script:
---------------
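<?php
// Reproduction: request a self-signed host with both allow_self_signed
// and peer_fingerprint set in the 'ssl' context options.
file_get_contents('https://self-signed.badssl.com/', false, stream_context_create([
	'http' => [
		'method' => 'GET',
	],
	'ssl' => [
		'allow_self_signed' => true,
		'peer_fingerprint' => '641450D94A65FAEB3B631028D8E86C95431DB811',
	],
]));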


Expected result:
----------------
Request should complete.


Actual result:
--------------
Error with message "Expected peer fingerprint must be a string or an array" is seen.


Patches

200perc-lazy-patch (last revision 2018-08-04 15:24 UTC)

 [2018-08-05 13:53 UTC] cmb@php.net
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: bukka
 [2018-08-05 13:53 UTC] cmb@php.net
I can confirm this issue and also that the attached patch would
solve it. Thanks!

> […] caused by macromancy […]

Gee!  This[1] likely will bite us again.  Shouldn't that be
refactored, Jakub?

[1] <https://github.com/php/php-src/blob/php-7.3.0beta1/ext/openssl/xp_ssl.c#L90-L95>
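
The failure mode the report attributes to `GET_VER_OPT`, reduced to a stand-alone C model: a lookup macro that assigns the caller's `val` as a hidden side effect, so a cached "option is set" flag outlives the value it referred to. This is an added example, not code from php-src or from the attached patch; `LOOKUP_OPT`, `find_opt`, `ssl_opts`, `check_buggy` and `check_fixed` are hypothetical names, and the intervening `allow_self_signed` lookup is an assumption taken from the test script.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the "ssl" context options of the test script. */
enum opt_type { T_BOOL, T_STRING };
struct opt { const char *name; enum opt_type type; int flag; };
static const struct opt ssl_opts[] = {
    { "allow_self_signed", T_BOOL,   1 },
    { "peer_fingerprint",  T_STRING, 0 },  /* string payload omitted in this model */
};

static const struct opt *find_opt(const char *name) {
    for (size_t i = 0; i < sizeof ssl_opts / sizeof ssl_opts[0]; i++)
        if (strcmp(ssl_opts[i].name, name) == 0) return &ssl_opts[i];
    return NULL;
}

/* Hypothetical macro: reports presence AND silently assigns the local `val`. */
#define LOOKUP_OPT(name) ((val = find_opt(name)) != NULL)

/* Returns 0 when the fingerprint option has a usable type, -1 otherwise
 * (the model's equivalent of "must be a string or an array"). */
int check_buggy(void) {
    const struct opt *val = NULL;
    int must_verify_fingerprint = LOOKUP_OPT("peer_fingerprint");
    /* A later, unrelated lookup repoints `val` at the boolean option. */
    if (LOOKUP_OPT("allow_self_signed") && val->flag) { /* accept self-signed */ }
    if (must_verify_fingerprint)
        return val->type == T_STRING ? 0 : -1;  /* inspects the wrong option */
    return 0;
}

/* One possible correction: fetch the value again where it is consumed. */
int check_fixed(void) {
    const struct opt *val = NULL;
    int must_verify_fingerprint = LOOKUP_OPT("peer_fingerprint");
    if (LOOKUP_OPT("allow_self_signed") && val->flag) { /* accept self-signed */ }
    if (must_verify_fingerprint && LOOKUP_OPT("peer_fingerprint"))
        return val->type == T_STRING ? 0 : -1;
    return 0;
}

int main(void) {
    printf("buggy: %d, fixed: %d\n", check_buggy(), check_fixed());
    return 0;
}
```

In this model the stale `val` makes the check fail with a type error; the same pattern can just as easily validate the wrong option's value, which is why a macro that writes to a caller's variable deserves review in verification code.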
 
Last updated: Thu Aug 16 12:01:24 2018 UTC