Edit report at http://bugs.php.net/bug.php?id=53447&edit=1

 ID:                 53447
 Updated by:         ahar...@php.net
 Reported by:        clint at ubuntu dot com
 Summary:            Cannot disable SessionTicket extension for servers
                     that do not support it
-Status:             Suspended
+Status:             Closed
 Type:               Feature/Change Request
 Package:            OpenSSL related
 Operating System:   Linux (Ubuntu)
 PHP Version:        5.3.3
 Assigned To:        aharvey
 Block user comment: N
 Private report:     N

 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Merged to 5.3.


Previous Comments:
------------------------------------------------------------------------
[2010-12-13 09:29:45] ahar...@php.net

Automatic comment from SVN on behalf of aharvey
Revision: http://svn.php.net/viewvc/?view=revision&revision=306335
Log: MFH: implement FR #53447 (Cannot disable SessionTicket extension
for servers that do not support it). Includes Tony's subsequent commit
to fix a segfault.

------------------------------------------------------------------------
[2010-12-03 10:34:46] ahar...@php.net

Implemented on trunk via a no_ticket SSL context option. This is a
reasonable candidate for 5.3, but I'm not going to push this through
while we're in the midst of a release cycle, so I'll suspend this for
now and come back to it once 5.3.4 is out.

------------------------------------------------------------------------
[2010-12-03 10:34:37] ahar...@php.net

Automatic comment from SVN on behalf of aharvey
Revision: http://svn.php.net/viewvc/?view=revision&revision=305936
Log: Implemented FR #53447 (Cannot disable SessionTicket extension for
servers that do not support it).

I haven't written a test due to the need for such a test to have a HTTPS
server available which mishandles SessionTicket requests; it's likely
that server administrators will gradually fix this either intentionally
or through OpenSSL upgrades. That said, if there's a great clamoring for
a test, I'll work one up.

------------------------------------------------------------------------
[2010-12-02 07:39:13] clint at ubuntu dot com

Description:
------------
This bug originated here:

https://bugs.launchpad.net/ubuntu/+source/php5/+bug/592442

As noted in the bug discussion, servers that do not properly support the
SessionTicket extension added in openssl 0.9.8n and later will produce
an error.

Users should have the ability to disable this extension, much like the
openssl s_client utility does by passing -no_ticket.

With the test script below, php compiled against openssl < 0.9.8n (such
as 0.9.8g) will print the actual HTTP result on all three servers, but
with >= 0.9.8n it will fail with SSL errors.

Test script:
---------------
<?php

$urls = array("https://cas.ucdavis.edu/login", "https://server.db.kvk.nl/", "https://gmail.com/");

foreach ($urls as $url) {
        $fp = fopen($url, 'r');
        print "$url - ";
        if ($fp === FALSE) {
                print "FAIL\n";
        } else {
                $data = stream_get_contents($fp);
                print "OK ". strlen($data)." bytes\n";
        }
        fclose($fp);
}



Expected result:
----------------
https://cas.ucdavis.edu/login - OK 4796 bytes

Warning: fopen(https://server.db.kvk.nl/): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden
 in /home/clint/test.php on line 6
https://server.db.kvk.nl/ - FAIL

Warning: fclose(): supplied argument is not a valid stream resource in /home/clint/test.php on line 14
https://gmail.com/ - OK 19059 bytes



Actual result:
--------------
# php test.php
PHP Warning:  fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:140773F2:SSL routines:func(119):reason(1010) in /home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 6
PHP Warning:  fopen(): Failed to enable crypto in /home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 6
PHP Warning:  fopen(https://cas.ucdavis.edu/login): failed to open stream: operation failed in /home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 6
https://cas.ucdavis.edu/login - FAIL
PHP Warning:  fclose() expects parameter 1 to be resource, boolean given in /home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 14
PHP Warning:  fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1407741A:SSL routines:func(119):reason(1050) in /home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 6
PHP Warning:  fopen(): Failed to enable crypto in /home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 6
PHP Warning:  fopen(https://server.db.kvk.nl/): failed to open stream: operation failed in /home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 6
https://server.db.kvk.nl/ - FAIL
PHP Warning:  fclose() expects parameter 1 to be resource, boolean given in /home/clint/pkg/php5/bzr/natty-php-ssl-fix/test.php on line 14
https://gmail.com/ - OK 19061 bytes




------------------------------------------------------------------------



-- 
Edit this bug report at http://bugs.php.net/bug.php?id=53447&edit=1
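
Added example, not part of the bug report or of the PHP sources: one way to apply the no_ticket SSL context option named in the comments above only to hosts known to mishandle SessionTicket, leaving every other "ssl" option (including certificate verification) as configured. The helper names and the host list are assumptions for illustration; the hosts are the two that fail in the report's actual result.

```php
<?php
// Added example; function names and the host list are illustrative.
// Hosts that fail the handshake in the report's "Actual result".
$ticket_broken_hosts = array('cas.ucdavis.edu', 'server.db.kvk.nl');

// Build the "ssl" context options for one URL. Only no_ticket is touched,
// so any verification settings passed in $base are left unchanged.
function ssl_options_for($url, array $broken_hosts, array $base = array())
{
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    if (in_array($host, $broken_hosts, true)) {
        $base['no_ticket'] = true;   // option name as given in the report
    }
    return $base;
}

// Fetch a URL with the per-host context; returns the body or FALSE.
// Unlike the report's script, fclose() is only called on a valid stream.
function fetch($url, array $broken_hosts)
{
    $ctx = stream_context_create(
        array('ssl' => ssl_options_for($url, $broken_hosts))
    );
    $fp = @fopen($url, 'r', false, $ctx);
    if ($fp === false) {
        return false;
    }
    $data = stream_get_contents($fp);
    fclose($fp);
    return $data;
}

// Offline check: show which of the report's URLs get the workaround.
$urls = array(
    'https://cas.ucdavis.edu/login',
    'https://server.db.kvk.nl/',
    'https://gmail.com/',
);
foreach ($urls as $url) {
    $opts = ssl_options_for($url, $ticket_broken_hosts);
    print $url . ' - no_ticket '
        . (empty($opts['no_ticket']) ? 'off' : 'on') . "\n";
}
// For a live test, call fetch($url, $ticket_broken_hosts) per URL.
```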
