Bug #78414 TLS handshake fails when the certificate chain has more than 2 certificates
Submitted: 2019-08-14 10:09 UTC Modified: -
Avg. Score: 4.5 ± 0.5
Reproduced: 1 of 2 (50.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: romain at thouvenin dot pro Assigned:
Status: Open Package: OpenSSL related
PHP Version: 7.1.31 OS: Ubuntu 16.04
Private report: No CVE-ID: None

 [2019-08-14 10:09 UTC] romain at thouvenin dot pro
Using the test code below, I am able to open an SSL connection to a RabbitMQ server if the cert file has only 2 certificates (the client certificate and one intermediate certificate) but not if it contains the full chain of certificates (client cert, 3 intermediates and the root) provided by the CA (my use case is a wildcard certificate provided by Sectigo).

The problem might be related to some implementation detail of RabbitMQ (software written in Erlang) because I am able to connect to an `openssl s_server` with the full chain. But at the same time, I am also able to connect to the RabbitMQ server with the full chain from an `openssl s_client` and from a Ruby client.
To recap:

 PHP client (fullchain)  -> RabbitMQ         ===> KO!
 PHP client (shortchain) -> RabbitMQ         ===> OK
 PHP client (fullchain)  -> openssl s_server ===> OK
 openssl s_client (full) -> RabbitMQ         ===> OK
 Ruby client (fullchain) -> RabbitMQ         ===> OK

So whatever this implementation detail might be, other clients are able to handle it.

Test script:

$context = stream_context_create([
    'ssl' => [
        'local_cert' => 'full-chain.pem',   // client certificate (plus chain)
        'local_pk'   => 'key.pem',          // matching private key
    ],
]);

$errno = NULL;
$errstr = NULL;
// The target address was cut off in the report; scheme, host and port below are placeholders.
$sock = stream_socket_client(
    'tcp://rabbitmq.example.invalid:5671', $errno, $errstr, 30,
    STREAM_CLIENT_CONNECT, $context
);
if ($sock === false) {
    die("connect failed: $errstr ($errno)\n");
}

stream_set_blocking($sock, true);
stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);

Expected result:
No output.

I should be able to use the full chain since the server may not have the intermediate certificates in its trusted store.

Actual result:
PHP Warning:  stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

There is no SSL handshake-related output in the server logs.
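
The report hinges on what is actually inside full-chain.pem once it holds more than two certificates. The script below is an added diagnostic, not the reporter's code or PHP's own: it splits a PEM bundle into its certificates in file order, checks that the leaf comes first and that every certificate is immediately followed by its issuer, and reports whether a self-signed root is present at the end. The file name is taken from the report; nothing else is assumed about the deployment.

```php
<?php
// Added example (not part of the bug report): sanity-check a PEM bundle such as
// the reporter's full-chain.pem before passing it as 'local_cert'.
// A bundle that is out of order, or that contains a certificate which does not
// parse, is a common reason a TLS peer rejects the client chain with a bare
// "handshake failure" and logs nothing useful on its side.

function loadPemChain(string $path): array
{
    $pem = file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("cannot read $path");
    }
    // Split the bundle into individual PEM blocks, preserving file order.
    preg_match_all(
        '/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s',
        $pem,
        $matches
    );
    return $matches[0];
}

function describeChain(array $pemBlocks): array
{
    $report = ['count' => count($pemBlocks), 'problems' => [], 'root_included' => false];
    $parsed = [];
    foreach ($pemBlocks as $i => $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            $report['problems'][] = "certificate #$i does not parse";
            continue;
        }
        $parsed[] = $info;
    }
    if ($parsed === []) {
        $report['problems'][] = 'no parseable certificate found';
        return $report;
    }
    // The first certificate must be the end-entity (leaf): it must not be self-signed.
    if ($parsed[0]['subject'] == $parsed[0]['issuer']) {
        $report['problems'][] = 'first certificate is self-signed; the leaf should come first';
    }
    // Each certificate must be immediately followed by the certificate that issued it.
    for ($i = 0; $i < count($parsed) - 1; $i++) {
        if ($parsed[$i]['issuer'] != $parsed[$i + 1]['subject']) {
            $report['problems'][] = sprintf(
                'certificate #%d (%s) is not followed by its issuer',
                $i, $parsed[$i]['name']
            );
        }
    }
    // A trailing self-signed certificate means the root CA was bundled too.
    $last = $parsed[count($parsed) - 1];
    $report['root_included'] = ($last['subject'] == $last['issuer']);
    return $report;
}

$report = describeChain(loadPemChain('full-chain.pem'));
printf("%d certificate(s); root included: %s\n",
    $report['count'], $report['root_included'] ? 'yes' : 'no');
foreach ($report['problems'] as $problem) {
    echo "problem: $problem\n";
}
```

Run it against both the two-certificate file and the full-chain file: if the full chain passes the ordering check and only differs by the extra intermediates and the root, the mismatch between PHP and the other clients is a handshake-side difference rather than a broken bundle, which is the useful fact to attach to the report.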



PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Mar 02 15:01:24 2021 UTC