Bug #78775 TLS issues from HTTP request affecting other encrypted connections
Submitted: 2019-11-03 20:25 UTC
Modified: 2019-11-05 11:03 UTC
From: lcobucci@php.net
Assigned:
Status: Closed
Package: OpenSSL related
PHP Version: 7.2.24
OS: Debian
Private report: No
CVE-ID: None
 [2019-11-03 20:25 UTC] lcobucci@php.net
Description:
------------
While setting up TLS for the DB in a development environment, I've found out that handshake issues during cURL requests using URIs with a self-signed certificate were affecting completely valid encrypted MySQL connections using both MySQLi and PDO MySQL.

I observed this because it was only happening on certain endpoints because they send this HTTP request to another service.

It's quite an edge-case (and low priority IMHO). However, it got me crazy since the error messages are all about the DB connection.

My idea was to create a better way to test this, but couldn't find any good example for TLS+MySQLnd (via PDO or MySQLi)...

Test script:
---------------
<?php
$conn = new PDO(
    'mysql:host=my-mysql-server;charset=utf8mb4',
    'root',
    'password',
    [
        PDO::MYSQL_ATTR_SSL_CA => '/local-tls-certificates/ca.pem',
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]
);

var_dump($conn->query('SELECT 1')->fetchAll(PDO::FETCH_ASSOC)); // first query over TLS succeeds

$handle = curl_init('https://self-signed.badssl.com/');
curl_setopt_array(
    $handle,
    [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // self-signed certificate: verification fails
    ]
);

var_dump(curl_exec($handle)); // bool(false), as expected
curl_close($handle);

var_dump($conn->query('SELECT 1')->fetchAll(PDO::FETCH_ASSOC)); // same connection now fails

Expected result:
----------------
array(1) {
  [0]=>
  array(1) {
    [1]=>
    string(1) "1"
  }
}
bool(false)
array(1) {
  [0]=>
  array(1) {
    [1]=>
    string(1) "1"
  }
}

Actual result:
--------------
array(1) {
  [0]=>
  array(1) {
    [1]=>
    string(1) "1"
  }
}
bool(false)
[01-Nov-2019 17:03:02 UTC] PHP Warning:  PDO::query(): SSL operation failed with code 1. OpenSSL Error messages:
error:140E0197:SSL routines:SSL_shutdown:shutdown while in init in /app/aa.php on line 32

Warning: PDO::query(): SSL operation failed with code 1. OpenSSL Error messages:
error:140E0197:SSL routines:SSL_shutdown:shutdown while in init in /app/aa.php on line 32
[01-Nov-2019 17:03:02 UTC] PHP Warning:  PDO::query(): MySQL server has gone away in /app/aa.php on line 32

Warning: PDO::query(): MySQL server has gone away in /app/aa.php on line 32
[01-Nov-2019 17:03:02 UTC] PHP Warning:  PDO::query(): Error reading result set's header in /app/aa.php on line 32

Warning: PDO::query(): Error reading result set's header in /app/aa.php on line 32
[01-Nov-2019 17:03:02 UTC] PHP Fatal error:  Uncaught PDOException: SQLSTATE[HY000]: General error: 2006 MySQL server has gone away in /app/aa.php:32
Stack trace:
#0 /app/aa.php(32): PDO->query('SELECT 1')
#1 {main}
  thrown in /app/aa.php on line 32

Fatal error: Uncaught PDOException: SQLSTATE[HY000]: General error: 2006 MySQL server has gone away in /app/aa.php:32
Stack trace:
#0 /app/aa.php(32): PDO->query('SELECT 1')
#1 {main}
  thrown in /app/aa.php on line 32
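
A log-triage check for the confusion described in this report, added here as an example; it is not part of the original report or of php-src. It flags call sites where "MySQL server has gone away" follows an OpenSSL error at the same file and line, and decodes the packed error code assuming the OpenSSL 1.x layout. The names `unpack_err` and `triage` are hypothetical, and the sample log is copied from the "Actual result" above.

```python
import re

# Log lines copied from the report's "Actual result" (PHP error_log format).
SAMPLE_LOG = """\
[01-Nov-2019 17:03:02 UTC] PHP Warning:  PDO::query(): SSL operation failed with code 1. OpenSSL Error messages:
error:140E0197:SSL routines:SSL_shutdown:shutdown while in init in /app/aa.php on line 32
[01-Nov-2019 17:03:02 UTC] PHP Warning:  PDO::query(): MySQL server has gone away in /app/aa.php on line 32
[01-Nov-2019 17:03:02 UTC] PHP Fatal error:  Uncaught PDOException: SQLSTATE[HY000]: General error: 2006 MySQL server has gone away in /app/aa.php:32
"""

OPENSSL_ERR = re.compile(
    r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):(.*?) in (\S+) on line (\d+)")
CALL_SITE = re.compile(r" in (\S+?)(?: on line |:)(\d+)\s*$")
DB_GONE = "MySQL server has gone away"


def unpack_err(code_hex):
    """Split a packed OpenSSL error code into (lib, func, reason).

    Assumes the OpenSSL 1.x layout: 8-bit library, 12-bit function, 12-bit reason.
    """
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(log_text):
    """Report call sites where a DB 'gone away' error follows a TLS-layer error."""
    tls_seen = {}    # (file, line) -> details of the OpenSSL error seen there
    findings = {}    # (file, line) -> finding; dict keeps one entry per call site
    for line in log_text.splitlines():
        m = OPENSSL_ERR.search(line)
        if m:
            site = (m.group(4), int(m.group(5)))
            tls_seen[site] = {"code": unpack_err(m.group(1)),
                              "func": m.group(2), "reason": m.group(3)}
            continue
        s = CALL_SITE.search(line)
        if s and DB_GONE in line:
            site = (s.group(1), int(s.group(2)))
            if site in tls_seen:
                findings.setdefault(site, {"site": site, **tls_seen[site]})
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        lib, func, reason = f["code"]
        print(f"{f['site'][0]}:{f['site'][1]} DB error preceded by OpenSSL "
              f"lib={lib} func={func} reason={reason} ({f['reason']})")
```

Library 20 is OpenSSL's SSL library, so a finding here means the "gone away" error came from the TLS layer of the connection rather than from the MySQL server.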

 [2019-11-04 17:41 UTC] lcobucci@php.net
Volker Dusch managed to reproduce this by using sockets and cURL only (also affects the latest PHP 7.4 RC):

Test script:
-------------
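<?php
$sock = fsockopen("tls://google.com", 443); // TLS stream opened before the cURL request

var_dump($sock);

$handle = curl_init('https://self-signed.badssl.com/');
curl_setopt_array(
    $handle,
    [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // self-signed certificate: verification fails
    ]
);

var_dump(curl_exec($handle)); // bool(false), as expected
curl_close($handle);

fwrite($sock, "GET / HTTP/1.0\n\n");
var_dump(fread($sock, 8)); // read on the earlier TLS stream fails here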


Expected result:
----------------
resource(4) of type (stream)
bool(false)
string(8) "HTTP/1.0"


Actual result:
--------------
resource(4) of type (stream)
bool(false)

Warning: fread(): SSL operation failed with code 1. OpenSSL Error messages:
error:140E0197:SSL routines:SSL_shutdown:shutdown while in init in /app/aa.php on line 19
string(0) ""
 [2019-11-04 17:45 UTC] lcobucci@php.net
-Summary: TLS issues from HTTP request affecting encrypted MySQL connections
+Summary: TLS issues from HTTP request affecting other encrypted connections
 [2019-11-05 11:03 UTC] nikic@php.net
-Status: Open
+Status: Verified
 [2019-11-05 11:03 UTC] nikic@php.net
Verified after switching to curl linked against openssl.
 [2019-11-05 11:16 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f984a2fdb3815361f83013c23af0ff5d6d63d67
Log: Fixed bug #78775
 [2019-11-05 11:16 UTC] nikic@php.net
-Status: Verified
+Status: Closed
 [2019-11-25 12:57 UTC] gilperon at gmail dot com
A much simpler approach to this bug was posted -> https://bugs.php.net/bug.php?id=78845
 
Last updated: Mon Dec 09 04:01:25 2019 UTC