|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76972 Data truncation due to forceful ssl socket shutdown
Submitted: 2018-10-04 16:40 UTC Modified: -
From: manuel-php at mausz dot at Assigned:
Status: Closed Package: FTP related
PHP Version: 7.1.22 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
47 - 10 = ?
Subscribe to this entry?

 [2018-10-04 16:40 UTC] manuel-php at mausz dot at
With TLS 1.3 session tickets get sent after the handshake has completed (in TLS 1.2 this only happens upon renegotiation). With connections that never read from the socket (like the FTP data connection) this data will never actually be trained. However closing the socket without training (unidirectional shutdown) causes an ECONNRESET on server side which might lead to data truncation.

As explained in PHP instead should call SSL_read after calling SSL_shutdown until we've received the servers close_notify alert.

For reference see CURLs implementation:

As well as

Test script:
ProFTPd with OpenSSL 1.1.1 and TLS 1.3.

Script is as simple as: ftp_put($ftp, "dest", "source", FTP_BINARY);

Results in: Transfer aborted. Link to file server lost


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-10-05 16:45 UTC]
Automatic comment on behalf of
Log: Fix #76972: FTP data truncation due to forceful ssl socket shutdown
 [2018-10-05 16:45 UTC]
-Status: Open +Status: Closed
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Sep 23 13:01:27 2019 UTC