Hi Internals,

First of all, Happy new year!

I've found that every time `stream_socket_accept()` accepts an SSL/TLS connection, it always reads the 'local_cert' and 'local_pk' files despite them being read and verified before by `stream_socket_server()`. There's no problem with 'local_cert', but there is with 'local_pk', because private key files usually have root 0600 permission. And that may be an issue because you must either run PHP as root or change the permission of private key files (I'm doing the latter as a workaround) in order to make `stream_socket_accept()` work.

Is it possible to make `stream_socket_server()` keep the private key file in memory? (Like nginx does, I think)

Here's a simple scenario with the issue:

```php
<?php
$server = stream_socket_server(
    'tls://0.0.0.0:443',
    $errno,
    $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN,
    stream_context_create([
        'ssl' => [
            'local_cert' => '/path/to/cert',
            'local_pk' => '/path/to/pk',
        ],
    ]),
);

$num_cpus = (int)shell_exec('nproc');

for ($i = 0; $i < $num_cpus; $i++) {
    // fork a worker process
    $pid = pcntl_fork();

    if ($pid === 0) {
        // change user/group of forked process to nobody
        posix_setgid(65534);
        posix_setuid(65534);

        while (true) {
            // This won't work because nobody cannot read private key
            $client = stream_socket_accept($server);

            if ($client) {
                // do something with connections
                // ...
            }
        }
    }
}

// master waits for children to exit
// ...
```

Another feature that I've found `stream_socket_accept()` lacks is TLS session resumption. Is there someone working on this feature?

I apologize in advance if this topic has been raised before or if I misunderstood something.

Cheers
Kosit