Bug #76972 Data truncation due to forceful ssl socket shutdown
Submitted: 2018-10-04 16:40 UTC Modified: -
From: manuel-php at mausz dot at Assigned:
Status: Closed Package: FTP related
PHP Version: 7.1.22 OS: Linux
Private report: No CVE-ID: None
 [2018-10-04 16:40 UTC] manuel-php at mausz dot at
With TLS 1.3, session tickets get sent after the handshake has completed (in TLS 1.2 this only happens upon renegotiation). With connections that never read from the socket (like the FTP data connection), this data will never actually be drained. However, closing the socket without draining (unidirectional shutdown) causes an ECONNRESET on the server side, which might lead to data truncation.

As explained in PHP instead should call SSL_read after calling SSL_shutdown until we've received the server's close_notify alert.

For reference, see cURL's implementation:

As well as

Test script:
ProFTPd with OpenSSL 1.1.1 and TLS 1.3.

Script is as simple as: ftp_put($ftp, "dest", "source", FTP_BINARY);

Results in: Transfer aborted. Link to file server lost
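
The ECONNRESET described in the report can be reproduced without TLS. The following is an added example, not code from the report or from PHP: it assumes Linux socket semantics, uses a loopback TCP connection with constructed bytes ("ticket") standing in for the TLS 1.3 session tickets, and the function name is hypothetical. Reading to EOF after the half-close is the plain-socket analogue of calling SSL_read after SSL_shutdown until close_notify arrives.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns the errno that ended the server's read loop (0 = clean EOF). */
int server_errno_after_upload(int drain_before_close, long *got)
{
    int lsn = socket(AF_INET, SOCK_STREAM, 0), cli = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in a = { .sin_family = AF_INET };  /* port 0: kernel picks */
    struct pollfd p = { .fd = cli, .events = POLLIN };
    socklen_t alen = sizeof a;
    char buf[64];
    ssize_t n;
    int srv = -1, result = 0;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (lsn < 0 || cli < 0 || bind(lsn, (struct sockaddr *)&a, sizeof a) < 0 ||
        listen(lsn, 1) < 0 || getsockname(lsn, (struct sockaddr *)&a, &alen) < 0 ||
        connect(cli, (struct sockaddr *)&a, sizeof a) < 0 ||
        (srv = accept(lsn, NULL, NULL)) < 0)
        return -1;
    /* Constructed stand-in for session tickets: bytes the client never asked for. */
    if (send(srv, "ticket", 6, 0) != 6 || poll(&p, 1, 1000) != 1 ||
        send(cli, "file-data", 9, 0) != 9)             /* the upload itself */
        return -1;
    if (drain_before_close) shutdown(cli, SHUT_WR);    /* half-close, still readable */
    else close(cli);               /* unread bytes in our buffer: kernel sends RST */
    *got = 0;                      /* server: read until EOF or error */
    while ((n = recv(srv, buf, sizeof buf, 0)) > 0) *got += n;
    if (n < 0) result = errno;
    close(srv);
    if (drain_before_close) {      /* client: read to the peer's EOF, then close */
        while (recv(cli, buf, sizeof buf, 0) > 0) { }
        close(cli);
    }
    close(lsn);
    return result;
}

int main(void)
{
    long got;
    printf("close without drain: server errno %d\n", server_errno_after_upload(0, &got));
    printf("drain, then close:   server errno %d\n", server_errno_after_upload(1, &got));
    return 0;
}
```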


 [2018-10-05 16:45 UTC]
Automatic comment on behalf of
Log: Fix #76972: FTP data truncation due to forceful ssl socket shutdown
 [2018-10-05 16:45 UTC]
-Status: Open +Status: Closed
Last updated: Tue May 30 02:03:44 2023 UTC