Hi Thomas

I'm sad to hear that. I don't know much about security, but I've implemented a simple PHP TLS web server (only for dynamic content; static content still uses nginx) for my project, and it has been tested with the SSL Labs tool, which gave it an A+ score and reported no security issues (except for session resumption, which is not a security thing). The reason I've tried to use PHP as a TLS web server is that it outperforms nginx+PHP-FPM and even swoole on my HelloWorld benchmark (6 - 7x faster than nginx+PHP-FPM and 2 - 3x faster than swoole). Is it really bad to use PHP (with the standard API) as a TLS web server? Should I give up what I'm doing?
Cheers

Kosit

On Sun, Jan 5, 2020 at 8:42 PM Thomas Hruska <thru...@cubiclesoft.com> wrote:
> On 1/5/2020 4:46 AM, Kosit Supanyo wrote:
> > Hi Internals
> >
> > First of all, Happy new year!
> >
> > I've found that every time `stream_socket_accept()` accepts an SSL/TLS
> > connection, it always reads the 'local_cert' and 'local_pk' files despite
> > their being read and verified before by `stream_socket_server()`. There's
> > no problem with 'local_cert', but there is with 'local_pk', because private
> > key files usually have root 0600 permission. And that may be an issue,
> > because you must either run PHP as root or change the permission of the
> > private key files (I'm doing the latter as a workaround) in order to make
> > `stream_socket_accept()` work. Is it possible to make
> > `stream_socket_server()` keep the private key file in memory? (Like nginx
> > does, I think)
> >
> > Another feature that I've found `stream_socket_accept()` lacks is TLS
> > session resumption. Is there someone working on this feature?
> >
> > I apologize in advance if this topic has been raised before or if I
> > misunderstood something.
> >
> > Cheers
> >
> > Kosit
>
> IMO, people should not write TLS servers in PHP but proxy them from
> Nginx. For one thing, PHP doesn't have a way to pass
> SSL_ERROR_WANT_WRITE and SSL_ERROR_WANT_READ to userland. That alone
> makes it impossible to write a valid TLS server in PHP.
>
> Proxying requests from a properly hardened server, in general, also
> affords some additional security defense against attack by at least
> fully normalizing the TCP stack prior to connection. For example, prior
> to 7.4, TCP servers written in PHP were vulnerable to DoS-attacks via a
> badly written fwrite() call.
>
> --
> Thomas Hruska
> CubicleSoft President
>
> I've got great, time saving software that you will find useful.
>
> http://cubiclesoft.com/
>
> And once you find my software useful:
>
> http://cubiclesoft.com/donate/
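The two concrete points raised in the thread, that `stream_socket_accept()` re-reads `local_pk` on every TLS handshake (so the key must be readable by the PHP process at accept time, not just at startup) and that a naive single `fwrite()` can leave a PHP TCP server in a bad state, can be made visible in a minimal PHP stream server. The following is an added example written for this discussion, not code from either participant: it refuses to start if the key file is group/world-readable, owned by another user, or if the process is running as root, and it writes responses in a loop instead of assuming one `fwrite()` call sends everything. The certificate and key paths and the listen address are placeholder assumptions; the functions `checkPrivateKeyFile()`, `writeAll()` and `serve()` are hypothetical names introduced here.

```php
<?php
// Added example, not code from the thread. Paths and address are placeholders.
declare(strict_types=1);

const CERT_FILE = '/etc/ssl/example/server.pem';  // assumed path
const KEY_FILE  = '/etc/ssl/example/server.key';  // assumed path, mode 0600
const LISTEN    = 'tls://127.0.0.1:8443';         // assumed listen address

/**
 * Check that the private key can be read by this process without being
 * world-readable and without running the server as root. Returns a list of
 * problems; an empty list means the key is usable as-is.
 */
function checkPrivateKeyFile(string $path): array
{
    if (!is_file($path)) {
        return ["$path does not exist"];
    }
    $problems = [];
    $mode = fileperms($path) & 0777;
    if ($mode & 0077) {
        $problems[] = sprintf('%s is group/world-accessible (mode %04o)', $path, $mode);
    }
    if (function_exists('posix_geteuid')) {
        $uid = posix_geteuid();
        if ($uid === 0) {
            $problems[] = 'process runs as root; run it as the key owner instead';
        } elseif (fileowner($path) !== $uid) {
            $problems[] = sprintf('%s is owned by uid %d, not by this process (uid %d)',
                $path, fileowner($path), $uid);
        }
    }
    if (!is_readable($path)) {
        $problems[] = "$path is not readable by this process";
    }
    return $problems;
}

/** Write the whole buffer, looping on short writes; false on failure. */
function writeAll($conn, string $data): bool
{
    $len = strlen($data);
    $off = 0;
    while ($off < $len) {
        $n = fwrite($conn, substr($data, $off));
        if ($n === false || $n === 0) {
            return false; // closed peer or timeout; do not spin
        }
        $off += $n;
    }
    return true;
}

/** Accept TLS connections and answer each with a fixed plain-text reply. */
function serve(string $listen, string $cert, string $key): void
{
    $ctx = stream_context_create(['ssl' => [
        'local_cert'          => $cert,
        'local_pk'            => $key,
        'verify_peer'         => false, // no client certificates expected
        'disable_compression' => true,
    ]]);
    $server = stream_socket_server($listen, $errno, $errstr,
        STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctx);
    if ($server === false) {
        throw new RuntimeException("listen failed: $errstr ($errno)");
    }
    while (true) {
        // The TLS handshake runs inside accept(); this is where PHP re-reads
        // local_cert/local_pk, so the key checks above must hold here too.
        $conn = @stream_socket_accept($server, -1, $peer);
        if ($conn === false) {
            continue;
        }
        stream_set_timeout($conn, 5);
        fread($conn, 8192); // read the request; contents are ignored in this demo
        $body = "hello from php\n";
        $resp = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
              . 'Content-Length: ' . strlen($body) . "\r\nConnection: close\r\n\r\n" . $body;
        writeAll($conn, $resp);
        fclose($conn);
    }
}

$problems = checkPrivateKeyFile(KEY_FILE);
if ($problems !== []) {
    fwrite(STDERR, "refusing to start:\n  " . implode("\n  ", $problems) . "\n");
    exit(1);
}
serve(LISTEN, CERT_FILE, KEY_FILE);
```

The ownership check is the alternative to the chmod workaround mentioned above: keep the key at 0600 and run the PHP process as the user that owns it, so `stream_socket_accept()` can re-read the file without the key being exposed to other accounts. The `writeAll()` loop and the per-connection timeout are the defensive counterpart to the `fwrite()` remark in the quoted reply.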