Bug #78029 ldap_set_option doesn't always set TLS options.
Submitted: 2019-05-17 16:43 UTC Modified: 2022-02-11 12:44 UTC
Avg. Score: 4.4 ± 0.5
Reproduced: 5 of 5 (100.0%)
Same Version: 2 (40.0%)
Same OS: 3 (60.0%)
From: will dot skates at ntlworld dot com Assigned:
Status: Open Package: LDAP related
PHP Version: 7.2.18 OS: Linux
Private report: No CVE-ID: None


 [2019-05-17 16:43 UTC] will dot skates at ntlworld dot com
"ldap_set_option" doesn't behave predictably when you set TLS options. The tests for the extension (*1) _seem_ to suggest that it should just because they pass the resource as the first option.

The TLS context is established the first time an ldap connection is bound (2 & 3). I think that means that if I want to change my TLS settings I have to restart php-fpm and hope I'm the first one to ldap_bind on the box.


I'm running the two scripts using "php -S" and navigating to test1.php and test2.php respectively.

I'm not sure what the ideal solution is. OpenLDAP does provide the LDAP_OPT_X_TLS_NEWCTX and LDAP_OPT_X_TLS_CTX options to help deal with this but they both seem to alter the global scope around the function. The problem is just that I can't rely on "ldap_set_option" to actually do what I tell it to. It might be better to create a new TLS context for every connection as it gets bound so that OpenLDAP doesn't override it with the global state.

This is true if I bind using ldaps:// or StartTLS.

For testing I have slapd (2.4.47) running in a container and have generated my own CA, Client and Server certificates.

My LDAP extension info:

LDAP Support => enabled
RCS Version => $Id: 3839f871a91c293a52322c63329c68db23a0290a $
Total Links => 0/unlimited
API Version => 3001
Vendor Name => OpenLDAP
Vendor Version => 20446
SASL Support => Enabled

Directive => Local Value => Master Value
ldap.max_links => Unlimited => Unlimited

Test script:

Expected result:

Actual result:
string(131) "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)"
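
As an added check (not part of this report or of the PHP project's code), the script below shows how to tell whether the per-link TLS values that ldap_set_option reports as set were actually used for the handshake, and the global-default workaround to verify against a given build. The URI, CA file path, bind DN and password are placeholders; passing null as the link to set the process-wide libldap default is assumed to be accepted by the PHP build in use.

```php
<?php
// Added example, not from the bug report or the PHP project. Placeholders:
// URI, CA file, bind DN and password. Assumption: ldap_set_option(null, ...)
// sets the process-wide libldap default on this build (check yours).
const LDAP_URI = 'ldaps://ldap.example.invalid';       // placeholder
const CA_FILE  = '/etc/ssl/private-ca/ca.pem';         // placeholder
const BIND_DN  = 'cn=readonly,dc=example,dc=invalid';  // placeholder
const BIND_PW  = 'placeholder';

// LDAP_OPT_DIAGNOSTIC_MESSAGE carries the libldap/OpenSSL reason
// (e.g. "certificate verify failed ...") that ldap_error() alone hides.
function tls_diag($link): string
{
    $diag = '';
    ldap_get_option($link, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return ldap_error($link) . ($diag !== '' ? ' / ' . $diag : '');
}

// Sets TLS options on the link, reads them back, then binds. A true return
// from ldap_set_option and a matching read-back only prove libldap stored
// the value on the handle; the bind result shows whether the handshake
// actually honoured it, which is what the report says cannot be relied on.
function bind_with_per_link_tls(): array
{
    $link = ldap_connect(LDAP_URI);
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    $ok = ldap_set_option($link, LDAP_OPT_X_TLS_CACERTFILE, CA_FILE)
       && ldap_set_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $seen = '';
    ldap_get_option($link, LDAP_OPT_X_TLS_CACERTFILE, $seen);
    $bound = @ldap_bind($link, BIND_DN, BIND_PW);
    return [
        'set_ok'   => $ok,
        'readback' => $seen === CA_FILE,
        'bound'    => $bound,
        'error'    => $bound ? '' : tls_diag($link),
    ];
}

// Workaround to verify: set the same values on the global default (null link)
// before any connection in this process has negotiated TLS, so the context
// libldap builds on first use already carries them. Keep REQUIRE_CERT at
// DEMAND; relaxing it would hide exactly the verify failure shown above.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, CA_FILE);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

var_dump(bind_with_per_link_tls());
```

Run it in a fresh process (php -S, as in the report) so the global-default lines really precede the first TLS handshake; in a long-lived php-fpm worker that ordering is not guaranteed, which is the report's point.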


 [2022-02-11 12:44 UTC]
-Block user comment: No +Block user comment: Yes