Edit report at http://bugs.php.net/bug.php?id=54992&edit=1
ID: 54992
User updated by: laird_ngrps at dodo dot com dot au
Reported by: laird_ngrps at dodo dot com dot au
Summary: Stream not closed and error not returned when SSL CN_match fails
Status: Open
Type: Bug
Package: Streams related
Operating System: Linux
PHP Version: 5.3.6
Block user comment: N
Private report: N

New Comment:

I should probably add that when I provide the correct CN, this is the output that I get both pre-patching and post-patching:

SENT:: A test message
RCVD:: Hello from the server.<EOF>

Previous Comments:
------------------------------------------------------------------------
[2011-06-04 14:10:04] laird_ngrps at dodo dot com dot au

Description:
------------
When the CN_match stream context option is specified for an SSL stream opened with stream_socket_client(), if the CN supplied does not match, then the stream connection does not fail and does not return an error as it should.

After the supplied patch was applied, the stream socket returned an error as expected; the output then was (I haven't delved deep enough into the code to work out how to set a meaningful error message and error number with the patch; all values in square brackets are my edits for privacy; line 17 is that of the call to stream_socket_client()):

Warning: stream_socket_client(): Peer certificate CN=`TempCert' did not match expected CN=`TempCert.bad' in [filepath] on line 17
Warning: stream_socket_client(): Failed to enable crypto in [filepath] on line 17
Warning: stream_socket_client(): unable to connect to ssl://[ipaddress]:[port] (Unknown error) in [filepath] on line 17
SSL socket connection error: "" (0)

--------

I've checked and this bug seems to also apply to the current versions of the PHP source in the subversion repositories.
Test script:
---------------
<?php
/* First set $server, $port and $cafile */

// Deliberately request a CN that the server's certificate does NOT carry,
// so that a correct implementation must refuse the connection.
$context = stream_context_create(array('ssl' => array(
    'verify_peer' => true,
    'cafile'      => $cafile,
    'CN_match'    => 'TempCert.bad',
)));

$sock = stream_socket_client("ssl://$server:$port", $errno, $errstr, 5,
                             STREAM_CLIENT_CONNECT, $context);
if ($sock === false)
    die("SSL socket connection error: \"$errstr\" ($errno)\n");

// On an affected build execution reaches this point despite the CN mismatch.
$msg = "A test message";
if (fputs($sock, "$msg<EOF>\n") === false)
    echo "fputs returned false\n";
else {
    echo "SENT:: $msg\n";
    $line = fgets($sock);
    echo "RCVD:: $line\n";
}
fclose($sock);

Expected result:
----------------
SSL socket connection error: "[some error message indicating that the CN failed to match]" ([some error number])

Actual result:
--------------
Warning: stream_socket_client(): Peer certificate CN=`TempCert' did not match expected CN=`TempCert.bad' in [filepath] on line 17
SENT:: A test message
RCVD:: [a bunch of random characters, different each time]
------------------------------------------------------------------------
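Added example (not part of the bug report or of PHP itself): a client-side workaround for the behaviour described above. It keeps CN_match in the context but additionally captures the peer certificate with the capture_peer_cert context option, re-checks the name itself via openssl_x509_parse(), and closes the stream on mismatch, so that a build on which the CN_match failure is not fatal still never talks to the wrong peer. The comparison is an exact, case-insensitive match against the subject CN and, going slightly beyond the report, any DNS subjectAltName entries; no wildcard handling is attempted. $server, $port and $cafile are assumed to be set by the caller, as in the reporter's script; cert_matches_name() and open_verified_ssl_client() are names chosen here.

```php
<?php
// Added example (not from the bug report): connect with CN_match, then
// independently verify the peer's name from the captured certificate so a
// mismatch is never silently ignored, even on a PHP build with this bug.
// $server, $port and $cafile are assumed to be set by the caller.

/**
 * True if $expected equals the certificate's subject CN or one of its DNS
 * subjectAltName entries (exact, case-insensitive comparison, no wildcards).
 * $parsed is the array returned by openssl_x509_parse().
 */
function cert_matches_name(array $parsed, $expected)
{
    $expected = strtolower($expected);
    $names = array();

    if (isset($parsed['subject']['CN'])) {
        // openssl_x509_parse() yields an array when the subject has several CNs
        foreach ((array) $parsed['subject']['CN'] as $cn) {
            $names[] = strtolower($cn);
        }
    }
    if (isset($parsed['extensions']['subjectAltName'])) {
        // e.g. "DNS:example.org, DNS:www.example.org, IP Address:192.0.2.1"
        foreach (explode(',', $parsed['extensions']['subjectAltName']) as $entry) {
            $entry = trim($entry);
            if (stripos($entry, 'DNS:') === 0) {
                $names[] = strtolower(substr($entry, 4));
            }
        }
    }
    return in_array($expected, $names, true);
}

/**
 * Open an SSL client stream and refuse to hand it back unless the peer
 * certificate actually carries $expectedName. Returns the stream or false,
 * with a description of the failure in $errstr.
 */
function open_verified_ssl_client($server, $port, $cafile, $expectedName, &$errstr)
{
    $context = stream_context_create(array('ssl' => array(
        'verify_peer'       => true,
        'cafile'            => $cafile,
        'CN_match'          => $expectedName,
        'capture_peer_cert' => true,   // expose the peer cert after the handshake
    )));

    $sock = stream_socket_client("ssl://$server:$port", $errno, $errstr, 5,
                                 STREAM_CLIENT_CONNECT, $context);
    if ($sock === false) {
        $errstr = "connect failed: $errstr ($errno)";
        return false;
    }

    // The captured certificate is reachable through the stream's context options.
    $opts = stream_context_get_options($sock);
    if (empty($opts['ssl']['peer_certificate'])) {
        fclose($sock);
        $errstr = 'no peer certificate captured';
        return false;
    }

    $parsed = openssl_x509_parse($opts['ssl']['peer_certificate']);
    if ($parsed === false || !cert_matches_name($parsed, $expectedName)) {
        fclose($sock);   // the close that the affected build omits
        $errstr = "peer certificate does not match expected name $expectedName";
        return false;
    }
    return $sock;
}

// Same scenario as the report: the expected name does not match the server cert,
// so this must fail before any application data is exchanged.
$sock = open_verified_ssl_client($server, $port, $cafile, 'TempCert.bad', $errstr);
if ($sock === false) {
    die("SSL socket connection error: \"$errstr\"\n");
}
fputs($sock, "A test message<EOF>\n");
echo "RCVD:: " . fgets($sock) . "\n";
fclose($sock);
```

The explicit re-check is redundant on a build where the CN_match failure correctly aborts the handshake, which is the point: it costs one certificate parse and removes the dependency on that behaviour. On PHP 5.6 and later the CN_match option is deprecated in favour of peer_name, which should be used there instead.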