PHP :: Request #77505 :: streams/HTTPS cannot be used with WinSSL/schannel

streams/HTTPS cannot be used with WinSSL/schannel

Submitted:

2019-01-23 01:35 UTC

Modified:

2021-07-07 16:41 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

vjardin at free dot fr

Assigned:

Status:

Open

Package:

Streams related

PHP Version:

7.3.1

OS:

Windows

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	vjardin at free dot fr
New email:
PHP Version:		OS:

New/Additional Comment:

[2019-01-23 01:35 UTC] vjardin at free dot fr

Description:
------------
Assuming WinSSL is used, so openssl is disabled,
  $data = file_get_contents('https://www.google.fr/');

leads to
PHP Warning:  file_get_contents(): Unable to find the wrapper "https" - did you forget to enable it when you configured PHP? in ssl.php on line 2

If we enable openssl, but the certificates are into the Windows' store, then of course, it cannot work:

$ php -d extension=openssl ssl.php
PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure in ssl.php on line 7


------------------

$ php -v
PHP 7.2.14RC1 (cli) (built: Jan  6 2019 01:20:28) ( NTS MSVC15 (Visual C++ 2017) x64 )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

$ php -i | findstr configu
Configure Command => cscript /nologo configure.js "--enable-snapshot-build" "--enable-crt-debug" "--disable-zts" "--enable-pdo" "--with-pdo-oci=C:\php-sdk\oracle\x64\instantclient_12_1\sdk,shared" "--with-oci8=C:\php-sdk\oracle\x64\instantclient_10_2\sdk,shared" "--with-oci8-11g=C:\php-sdk\oracle\x64\instantclient_11_2\sdk,shared" "--with-oci8-12c=C:\php-sdk\oracle\x64\instantclient_12_1\sdk,shared" "--enable-com-dotnet=shared" "--with-ereg=shared" "--with-odbcver=0x0380" "--with-php-build=../win64build.vc15"

$ php -i | findstr /I SSL
SSL => Yes
SSL Version => WinSSL
core SSL => supported
extended SSL => not supported
OpenSSL support => disabled (install ext/openssl)




Test script:
---------------
ssl.php:

<?php

$data = file_get_contents('https://www.google.fr/');

var_dump($data);


Expected result:
----------------
Open a stream SSL/HTTPS connecion without OpenSSL but using WinSSL. libssh2 does support libssh2/WinSSL. It can become the abstraction layer.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-01-25 11:32 UTC] ab@php.net

Thanks for the report.

> Assuming WinSSL is used, so openssl is disabled,
There is no support for WinSSL in streams, so it can't be used. To use encrypted streams, OpenSSL is required.

> If we enable openssl, but the certificates are into the Windows' store, then of course, it cannot work:
OpenSSL interacts with the Windows certificate store. The certificate store receives centralized updates. If something is not there - most likely the store has not been updated yet. That's also often a reason for issues with self signed certificates.

Having support for WinSSL might be a feature, yes. However, not all the dependencies support it. Also, for the core we'd have to maintain two layers of security, which doubles efforts and bug sources. Just depending on OpenSSL seems OK.

Thanks.

[2019-07-05 22:03 UTC] vjardin at free dot fr

For the maintenance, it depends of the point of view. Having a native Windows SSL support instead of openssl decreases the SSL surface to a unique WinSSL / schannel that becomes the common SSL layer for all Windows applications. When PHP uses openssl, it means that we have to keep 2 SSL stacks on Windows (WinSSL + openssl).

[2021-07-07 16:41 UTC] cmb@php.net

The problem here is the cost of the initial implementation, but
maybe even more so the cost of maintanance of an additional WinSSL
based implementation.  Currently, OpenSSL is used for all systems,
so there is not much need for additional effort for Windows.

See also <https://github.com/winlibs/cURL/issues/13>.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2023 The PHP Group All rights reserved.	Last updated: Wed Sep 27 03:01:25 2023 UTC