php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #79280 Add support for TLS-PSK
Submitted: 2020-02-19 00:35 UTC Modified: 2021-08-09 14:23 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: php at tudorholton dot com Assigned:
Status: Open Package: OpenSSL related
PHP Version: Next Major Version OS: Irrelevant
Private report: No CVE-ID: None
 [2020-02-19 00:35 UTC] php at tudorholton dot com
Description:
------------
According to the current example config of BareOS Backup Management System (https://github.com/bareos/bareos/blob/bddd6c0b853e94cb9c06464d9ba8bbe562042a01/webui/install/bareos/bareos-dir.d/console/admin.conf.example#L10):

...php does not support TLS-PSK...

Why is this?  Is it possible to add it as a configuration option?


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-19 00:43 UTC] php at tudorholton dot com
I couldn't find any mention of it in the php documentation (positive or otherwise).
 [2020-02-25 14:34 UTC] rowan dot collins at gmail dot com
It's unclear what PHP support is wanted here, because it's not clear how this tool needs to interact with PHP. TLS connections *into* PHP are the responsibility of whatever web server you put in front of it; TLS connections *from* PHP would generally be the responsibility of either an extension like curl, or a stream wrapper (e.g. used with file_get_contents).

I'd not heard of TLS-PSK before, so I'm not clear how it is used in practice, but my guess would be that you'd need a way to specify the pre-shared key to use for a particular connection. Does this tool come with a PHP client of some sort, which would need this to connect over TLS?
 [2020-02-25 23:19 UTC] php at tudorholton dot com
The request is for a connection from PHP as a client to a server where the connection is encrypted with TLS-PSK.  Yes, a shared key needs to be supplied for the connection to work.  I believe that this is similar to PHP as a TLS client with a client certificate except that there's a shared key in place of two separate certificates (and no third-party verifier).  I've seen TLS-PSK used mainly in networks where a certificate authority is not available.

BareOS comes with a "WebUI" client which is where I got the example from.  The webui client source is here:

https://github.com/bareos/bareos/tree/master/webui

There is also a non-PHP (C++) client which successfully uses TLS-PSK here:

https://github.com/bareos/bareos/tree/master/core/src/console

Every other part of this system defaults to TLS-PSK.  It's only the PHP part that can't do it, which is why I submit this bug request.  Seems a bit odd to me.
 [2020-03-11 22:40 UTC] rowan dot collins at gmail dot com
OK, looking at that library, it seems what they actually use to make HTTP requests is this library: https://github.com/zendframework/zend-http

That in turn uses either PHP's curl bindings, or raw socket connections (with PHP's socket library providing the TLS encapsulation).

So the PHP support which would be needed would be:

- an option for the tls:// stream type, which is based on openssl: https://www.php.net/manual/en/context.ssl.php
- an option in the curl bindings: https://www.php.net/manual/en/function.curl-setopt.php

I don't know what support either openssl or libcurl have for this, so I can't comment further on how easy it would be to add.
 [2020-03-12 02:26 UTC] php at tudorholton dot com
Thanks Rowan, that's a great help.

TSL-PSK support for OpenSSL for libcurl was discussed in 2015 but went stale.  See here: https://github.com/curl/curl/pull/394

(Unrelated, but libcurl does support PSK via WolfSSL in their release version, so they're not against PSK itself, it seems.)

I've asked if we can reopen the libcurl PR #394. :-)
 [2020-03-13 00:42 UTC] php at tudorholton dot com
Alternatively, would PHP with libcurl->WolfSSL work?  I haven't spent much time in configuring PHP, and my OS (Ubuntu) doesn't have a libcurl-wolfssl package, but I suppose it's possible to manually compile it.

PHP would still need an option to pass to libcurl, though.  It might be easier to compile a fork of libcurl-OpenSSL with the --tlk-psk switch enabled.
 [2021-08-09 14:23 UTC] cmb@php.net
> I've asked if we can reopen the libcurl PR #394. :-)

For reference: <https://github.com/curl/curl/issues/5081>.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Nov 04 19:01:28 2024 UTC