Doc Bug #78311 configure option --with-system-ciphers is not documented
Submitted: 2019-07-17 22:27 UTC
Modified: 2019-07-19 11:19 UTC
From: giftrac+php at gmail dot com
Assigned: cmb
Status: Closed
Package: OpenSSL related
PHP Version: 7.3.7
OS: CentOS Linux 7
Private report: No
CVE-ID: None
 [2019-07-17 22:27 UTC] giftrac+php at gmail dot com
Description:
------------
In PHP 5.6.40, a stream_context can be provided to a SoapClient, that specifies that the ssl cert of the peer should not be verified.  In PHP 7.3.7 the SoapClient appears to be ignoring the provided stream_context and attempts to verify the peer's cert.  Similarly, a capath and cafile specified in a stream_context are used in PHP 5.6.40 to successfully verify a peer; however, they appear to be ignored in PHP 7.3.7.

Test script:
---------------
$opts = [
    'ssl' => [
        'crypto_method' => STREAM_CRYPTO_METHOD_TLS_CLIENT,
        'verify_peer' => false,
    ],
];
$stream_context = stream_context_create($opts);
$options = [
    'stream_context' => $stream_context,
];
$client = new SoapClient("https://...?wsdl", $options);
$client->SomeMethod(); // executes OK in PHP 5.6, errors out in PHP 7.3.7

Expected result:
----------------
It is expected that the ssl options in the stream_context are adhered to in PHP 7, including but not limited to: verify_peer, verify_peer_name, allow_self_signed, capath, cafile.

Actual result:
--------------
It appears the ssl options in the stream_context are ignored, as evidenced by the SoapClient producing a SoapFault exception detailing that it is unable to load from the provided WSDL URL (or when operating in location/uri mode, throwing an exception about being unable to import schema).
PHP Fatal error:  Uncaught SoapFault exception: [WSDL] SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://...' : failed to load external entity "https://..."

 [2019-07-18 03:31 UTC] giftrac+php at gmail dot com
It appears that the cause of the issue is that the default cipher(s) being used changed between PHP 5.6 and 7.3.  Explicitly calling out the cipher(s) to be used via the stream_context ssl 'cipher' option allows the SoapClient to communicate in PHP 7.3.
 [2019-07-18 03:34 UTC] giftrac+php at gmail dot com
-Type: Bug
+Type: Documentation Problem
 [2019-07-18 03:34 UTC] giftrac+php at gmail dot com
Changed from Bug to Documentation Problem.
 [2019-07-19 09:51 UTC] cmb@php.net
-Summary: SoapClient stream_context ignored
+Summary: configure option --with-system-ciphers is not documented
-Status: Open
+Status: Verified
-Package: HTTP related
+Package: OpenSSL related
 [2019-07-19 09:51 UTC] cmb@php.net
The last time the default ciphers have been changed was with
commit 225f534[1], which targeted PHP 5.6.0; this change is
already documented[2].

In your case PHP has probably been configured with
`--with-system-ciphers`, which has been introduced with commit
0d776ef[3] (PHP 5.6.3), but is not documented yet.  However,
documenting the actual default system ciphers is out of scope for
the PHP manual.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=225f534b1ae30b9e843c2531d3bdd38aa8ca84f7>
[2] <https://www.php.net/manual/en/migration56.openssl.php#migration56.openssl.ciphers>
[3] <http://git.php.net/?p=php-src.git;a=commit;h=0d776ef87b7b0c1e970c424cc5dcdf4cd6f500ac>
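
Added example, not part of the original thread or of php-src: a handshake probe that keeps certificate verification on and compares the build's default cipher list with an explicit one, which separates a cipher mismatch from a verification failure before SoapClient is involved. The host, WSDL URL and cipher string are placeholders, and the configure-command check is a heuristic.

```php
<?php
// Placeholders (assumptions): replace with the real endpoint and an agreed cipher list.
const HOST = 'soap.example.test';
const WSDL = 'https://soap.example.test/service?wsdl';
const CIPHERS = 'ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5';

/** Heuristic: look for the flag in the configure command recorded by phpinfo(). */
function builtWithSystemCiphers(): bool
{
    ob_start();
    phpinfo(INFO_GENERAL);
    return strpos(ob_get_clean(), '--with-system-ciphers') !== false;
}

/** TLS options with verification left on; only the cipher list is optionally pinned. */
function tlsOptions(?string $ciphers): array
{
    $ssl = ['verify_peer' => true, 'verify_peer_name' => true];
    if ($ciphers !== null) {
        $ssl['ciphers'] = $ciphers; // the ssl context option key is "ciphers"
    }
    return ['ssl' => $ssl];
}

/** Handshake only: returns the negotiated session details, or null on failure. */
function probe(string $host, array $opts): ?array
{
    $ctx = stream_context_create($opts);
    $fp = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        return null;
    }
    $crypto = stream_get_meta_data($fp)['crypto'] ?? [];
    fclose($fp);
    return $crypto;
}

printf("--with-system-ciphers in build: %s\n", builtWithSystemCiphers() ? 'yes' : 'not found');
$working = null;
foreach (['build default' => null, 'explicit list' => CIPHERS] as $label => $ciphers) {
    $r = probe(HOST, tlsOptions($ciphers));
    printf("%-14s %s\n", $label, $r ? "{$r['protocol']} {$r['cipher_name']}" : 'handshake failed');
    $working = $r ? tlsOptions($ciphers) : $working;
}
if ($working !== null) { // reuse the options that completed a verified handshake
    $client = new SoapClient(WSDL, ['stream_context' => stream_context_create($working)]);
}
```

If only the explicit list completes the handshake, the build's default cipher set and the server's have no overlap, and verification settings were never the problem.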
 [2019-07-19 11:19 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&revision=347765
Log: Fix #78311: configure option --with-system-ciphers is not documented
 [2019-07-19 11:19 UTC] cmb@php.net
-Assigned To:
+Assigned To: cmb
 [2019-07-19 11:20 UTC] salathe@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=540bddd349d80faa17812dd0f3ce02bd2723f84f
Log: Fix #78311: configure option --with-system-ciphers is not documented
 [2019-07-19 11:20 UTC] salathe@php.net
-Status: Verified
+Status: Closed
 [2020-02-07 06:04 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=209ebdbef887172f07199ac1c7b01121e5353447
Log: Fix #78311: configure option --with-system-ciphers is not documented
Last updated: Tue Apr 13 03:01:23 2021 UTC