Edit report at http://bugs.php.net/bug.php?id=54992&edit=1

 ID:                 54992
 Updated by:         cataphr...@php.net
 Reported by:        laird_ngrps at dodo dot com dot au
 Summary:            Stream not closed and error not returned when SSL
                     CN_match fails
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            Streams related
 Operating System:   Linux
 PHP Version:        5.3.6
 Assigned To:        cataphract
 Block user comment: N
 Private report:     N

 New Comment:

Fixed. Thank you.


Previous Comments:
------------------------------------------------------------------------
[2011-06-08 02:23:04] cataphr...@php.net

Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=311906
Log: - Fixed bug #54992: Stream not closed and error not returned when SSL CN_match
  fails.

------------------------------------------------------------------------
[2011-06-04 14:20:35] laird_ngrps at dodo dot com dot au

I should probably add that when I provide the correct CN, this is the output that
I get both pre-patching and post-patching:

SENT:: A test message

RCVD:: Hello from the server.<EOF>

------------------------------------------------------------------------
[2011-06-04 14:10:04] laird_ngrps at dodo dot com dot au

Description:
------------
When the CN_match stream context option is specified for an SSL stream opened
with stream_socket_client(), if the CN supplied does not match, then the stream
connection does not fail and does not return an error as it should.

After the supplied patch was applied, the stream socket returned an error as
expected; the output then was (I haven't delved deep enough into the code to
work out how to set a meaningful error message and error number with the patch;
all values in square brackets are my edits for privacy; line 17 is that of the
call to stream_socket_client()):

Warning: stream_socket_client(): Peer certificate CN=`TempCert' did not match
expected CN=`TempCert.bad' in [filepath] on line 17

Warning: stream_socket_client(): Failed to enable crypto in [filepath] on line 17

Warning: stream_socket_client(): unable to connect to ssl://[ipaddress]:[port]
(Unknown error) in [filepath] on line 17

SSL socket connection error: "" (0)

--------

I've checked and this bug seems to also apply to the current versions of the PHP
source in the subversion repositories.

Test script:
---------------
<?php
/* First set $server, $port and $cafile (placeholder values below; replace with
   the host, port and CA bundle of the server under test) */
$server = 'ssl-server.example';   // placeholder
$port   = 443;                    // placeholder
$cafile = '/path/to/ca.pem';      // placeholder

/* Deliberately wrong CN: the connection is expected to fail */
$context = stream_context_create(array('ssl' => array(
        'verify_peer'       => true,
        'cafile'            => $cafile,
        'CN_match'          => 'TempCert.bad',
)));

$sock = stream_socket_client("ssl://$server:$port", $errno, $errstr, 5,
                             STREAM_CLIENT_CONNECT, $context);

if ($sock === false) die("SSL socket connection error: \"$errstr\" ($errno)\n");

$msg = "A test message";

if (fputs($sock, "$msg<EOF>\n") === false) echo "fputs returned false\n";
else {
        echo "SENT:: $msg\n";
        $line = fgets($sock);
        echo "RCVD:: $line\n";
}

fclose($sock);



Expected result:
----------------
SSL socket connection error: "[some error message indicating that the CN failed
to match]" ([some error number])

Actual result:
--------------
Warning: stream_socket_client(): Peer certificate CN=`TempCert' did not match
expected CN=`TempCert.bad' in [filepath] on line 17

SENT:: A test message

RCVD:: [a bunch of random characters, different each time]


------------------------------------------------------------------------
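The report above shows a client that relies solely on stream_socket_client() returning false when the peer's CN does not match. The following is an added example, not code from the bug report or from PHP itself, showing a defensive pattern for the same connection: enable capture_peer_cert, and after the handshake re-check the peer certificate's subjectAltName DNS entries and CN independently, so a mismatch is still caught on a build where the stream layer fails to report it. $server, $port, $cafile and $expectedName are placeholders chosen here; the helper names are this example's own. From PHP 5.6 onward the CN_match option is superseded by peer_name and verify_peer_name.

```php
<?php
// Added example (not from the bug report): connect with peer verification,
// capture the peer certificate and re-check the name ourselves.

// Returns true when $expected matches a subjectAltName DNS entry or the subject CN.
function certificate_matches_name(array $parsed, $expected)
{
    $expected = strtolower($expected);
    if (isset($parsed['extensions']['subjectAltName'])) {
        // openssl_x509_parse() returns the SAN as "DNS:a.example, DNS:b.example"
        foreach (explode(',', $parsed['extensions']['subjectAltName']) as $entry) {
            $entry = trim($entry);
            if (stripos($entry, 'DNS:') === 0
                && strtolower(substr($entry, 4)) === $expected) {
                return true;
            }
        }
    }
    return isset($parsed['subject']['CN'])
        && strtolower($parsed['subject']['CN']) === $expected;
}

// Opens an ssl:// client stream and refuses to return it unless the peer
// certificate name was checked by this code, not only by the stream layer.
function open_verified_ssl_client($server, $port, $cafile, $expectedName, $timeout = 5)
{
    $context = stream_context_create(array('ssl' => array(
        'verify_peer'       => true,
        'cafile'            => $cafile,
        'CN_match'          => $expectedName,  // 'peer_name' replaces this from PHP 5.6
        'capture_peer_cert' => true,           // expose the peer cert after the handshake
    )));

    $sock = stream_socket_client("ssl://$server:$port", $errno, $errstr, $timeout,
                                 STREAM_CLIENT_CONNECT, $context);
    if ($sock === false) {
        throw new RuntimeException("SSL socket connection error: \"$errstr\" ($errno)");
    }

    // Independent name check on the captured certificate.
    $params = stream_context_get_params($sock);
    if (!isset($params['options']['ssl']['peer_certificate'])) {
        fclose($sock);
        throw new RuntimeException('No peer certificate was captured');
    }
    $parsed = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    if ($parsed === false || !certificate_matches_name($parsed, $expectedName)) {
        fclose($sock);   // never hand back a stream whose peer failed the name check
        throw new RuntimeException("Peer certificate does not match expected name '$expectedName'");
    }
    return $sock;
}

// Placeholder values (assumptions for this example).
$server       = 'ssl-server.example';
$port         = 443;
$cafile       = '/path/to/ca.pem';
$expectedName = 'TempCert';

try {
    $sock = open_verified_ssl_client($server, $port, $cafile, $expectedName);
    fputs($sock, "A test message<EOF>\n");
    echo "RCVD:: " . fgets($sock) . "\n";
    fclose($sock);
} catch (RuntimeException $e) {
    echo "Connection refused by client: " . $e->getMessage() . "\n";
}
```

The point of the second check is that the decision to use the stream no longer depends on a single return value: the socket is closed and an exception is raised unless the captured certificate actually carries the expected name. On a patched PHP the stream layer fails first and the helper never reaches the name check; on the unpatched build described in the report it is the helper that catches the mismatch.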


