Request #77505 streams/HTTPS cannot be used with WinSSL/schannel
Submitted: 2019-01-23 01:35 UTC Modified: 2021-07-07 16:41 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: vjardin at free dot fr Assigned:
Status: Open Package: Streams related
PHP Version: 7.3.1 OS: Windows
Private report: No CVE-ID: None
 [2019-01-23 01:35 UTC] vjardin at free dot fr
Description:
------------
Assuming WinSSL is used, so openssl is disabled,
  $data = file_get_contents('https://www.google.fr/');

leads to
PHP Warning:  file_get_contents(): Unable to find the wrapper "https" - did you forget to enable it when you configured PHP? in ssl.php on line 2

If we enable openssl, but the certificates are into the Windows' store, then of course, it cannot work:

$ php -d extension=openssl ssl.php
PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure in ssl.php on line 7


------------------

$ php -v
PHP 7.2.14RC1 (cli) (built: Jan  6 2019 01:20:28) ( NTS MSVC15 (Visual C++ 2017) x64 )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

$ php -i | findstr configu
Configure Command => cscript /nologo configure.js "--enable-snapshot-build" "--enable-crt-debug" "--disable-zts" "--enable-pdo" "--with-pdo-oci=C:\php-sdk\oracle\x64\instantclient_12_1\sdk,shared" "--with-oci8=C:\php-sdk\oracle\x64\instantclient_10_2\sdk,shared" "--with-oci8-11g=C:\php-sdk\oracle\x64\instantclient_11_2\sdk,shared" "--with-oci8-12c=C:\php-sdk\oracle\x64\instantclient_12_1\sdk,shared" "--enable-com-dotnet=shared" "--with-ereg=shared" "--with-odbcver=0x0380" "--with-php-build=../win64build.vc15"

$ php -i | findstr /I SSL
SSL => Yes
SSL Version => WinSSL
core SSL => supported
extended SSL => not supported
OpenSSL support => disabled (install ext/openssl)




Test script:
---------------
ssl.php:

<?php

$data = file_get_contents('https://www.google.fr/');

var_dump($data);


Expected result:
----------------
Open a stream SSL/HTTPS connection without OpenSSL but using WinSSL. libssh2 does support libssh2/WinSSL. It can become the abstraction layer.


 [2019-01-25 11:32 UTC] ab@php.net
Thanks for the report.

> Assuming WinSSL is used, so openssl is disabled,
There is no support for WinSSL in streams, so it can't be used. To use encrypted streams, OpenSSL is required.

> If we enable openssl, but the certificates are into the Windows' store, then of course, it cannot work:
OpenSSL interacts with the Windows certificate store. The certificate store receives centralized updates. If something is not there - most likely the store has not been updated yet. That's also often a reason for issues with self signed certificates.

Having support for WinSSL might be a feature, yes. However, not all the dependencies support it. Also, for the core we'd have to maintain two layers of security, which doubles efforts and bug sources. Just depending on OpenSSL seems OK.

Thanks.
 [2019-07-05 22:03 UTC] vjardin at free dot fr
For the maintenance, it depends on the point of view. Having a native Windows SSL support instead of openssl decreases the SSL surface to a unique WinSSL / schannel that becomes the common SSL layer for all Windows applications. When PHP uses openssl, it means that we have to keep 2 SSL stacks on Windows (WinSSL + openssl).
 [2021-07-07 16:41 UTC] cmb@php.net
The problem here is the cost of the initial implementation, but
maybe even more so the cost of maintenance of an additional WinSSL
based implementation.  Currently, OpenSSL is used for all systems,
so there is not much need for additional effort for Windows.

See also <https://github.com/winlibs/cURL/issues/13>.
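
The two failures in this report have different causes: the missing "https" wrapper means ext/openssl is not loaded, while the handshake error occurs with it loaded. The following CLI script is an added example, not code from the report or from the PHP project, that tells the two apart and keeps peer verification enabled; the function names `preflight_https()` and `fetch_verified()` and the script name in the comments are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper names): preflight for PHP's https:// streams.

function preflight_https(): array
{
    $report = [
        'openssl_loaded' => extension_loaded('openssl'),
        // The "https" wrapper is only present once ext/openssl is loaded.
        'https_wrapper'  => in_array('https', stream_get_wrappers(), true),
        'tls_transports' => array_values(preg_grep('/^(ssl|tls)/', stream_get_transports())),
    ];
    if ($report['openssl_loaded']) {
        $report['openssl_version'] = OPENSSL_VERSION_TEXT;
        // Built-in default CA file/dir plus the openssl.cafile / openssl.capath ini values.
        $report['cert_locations'] = openssl_get_cert_locations();
    }
    return $report;
}

function fetch_verified(string $url): string
{
    // Verification stays on: turning it off hides trust-store problems.
    $ctx = stream_context_create(['ssl' => ['verify_peer' => true, 'verify_peer_name' => true]]);
    $messages = [];
    // Collect every warning, so the OpenSSL error line is not lost behind the last one.
    set_error_handler(function (int $no, string $msg) use (&$messages): bool {
        $messages[] = $msg;
        return true;
    });
    try {
        $body = file_get_contents($url, false, $ctx);
    } finally {
        restore_error_handler();
    }
    if ($body === false) {
        throw new RuntimeException(implode("\n", $messages));
    }
    return $body;
}

$report = preflight_https();
print_r($report);
if (!$report['https_wrapper']) {
    fwrite(STDERR, "https wrapper not registered: run with php -d extension=openssl\n");
    exit(1);
}
if (isset($argv[1])) { // optional network check: php preflight.php https://www.google.fr/
    try {
        printf("fetched %d bytes\n", strlen(fetch_verified($argv[1])));
    } catch (RuntimeException $e) {
        fwrite(STDERR, "TLS/stream failure:\n" . $e->getMessage() . "\n");
        exit(2);
    }
}
```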