From: mkoppa...@php.net
Operating system: Any
PHP version: 5.2.9
PHP Bug Type: Streams related
Bug description: SSL streams fail if error stack contains items
Description:
------------
In ext/openssl/openssl.c: php_openssl_parse_config might push errors onto the OpenSSL error stack in case the keys requested by the application are not found in the openssl.cnf file. This is fine normally, but it seems that if the error stack contains such an error, all future calls to SSL_CTX_use_certificate_chain_file fail. This is a nasty side-effect, since SSL_CTX_use_certificate_chain_file is used when opening streams that authenticate with a client cert. I haven't tested whether SSL_CTX_use_certificate_chain_file fails with other errors than missing config keys. Probably does.

The simple fix which fixes the issue seems to be the following:

Index: openssl.c
===================================================================
RCS file: /repository/php-src/ext/openssl/openssl.c,v
retrieving revision 1.180
diff -u -r1.180 openssl.c
--- openssl.c	29 Mar 2009 23:32:17 -0000	1.180
+++ openssl.c	16 Apr 2009 16:42:35 -0000
@@ -4674,6 +4674,10 @@ char resolved_path_buff[MAXPATHLEN]; if (VCWD_REALPATH(certfile, resolved_path_buff)) { + /* SSL_CTX_use_certificate_chain_file seems to be failing if error + stack is not cleared before using cert chain file */ + ERR_clear_error(); + /* a certificate to use for authentication */ if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff) != 1) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set local cert chain file `%s'; Check that your cafile/capath settings include details of your certificate and its issuer", certfile);

Reproduce code:
---------------
<?php
$url = 'https://someurl.example.com/';
$crt = '/tmp/test.pem';

$context = stream_context_create();
stream_context_set_option($context, 'ssl', 'allow_self_signed', true);
/* client certificate; loaded by the stream wrapper through
   SSL_CTX_use_certificate_chain_file */
stream_context_set_option($context, 'ssl', 'local_cert', $crt);

/* This call causes the failure: with a key missing from openssl.cnf it
   leaves an entry on the OpenSSL error stack */
openssl_pkey_new();

var_dump(file_get_contents($url, 0, $context));

/* The last error shows missing conf key warning */
echo openssl_error_string();
?>

Expected result:
----------------
No errors, everything works.

Actual result:
--------------
SSL_CTX_use_certificate_chain_file returns failure and the call fails.
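Review bot: the ERR_clear_error() added before SSL_CTX_use_certificate_chain_file treats the symptom at one consumer rather than the source; since the description identifies php_openssl_parse_config as the function that queues the spurious errors when an optional openssl.cnf key is absent, clearing the queue there, immediately after each lookup that is allowed to fail, would protect every later OpenSSL call in the same request, not only this one. If the local fix is kept, the new comment "seems to be failing if error stack is not cleared" should state the actual reason instead of guessing: SSL_CTX_use_certificate_chain_file checks ERR_peek_error() after installing the leaf certificate and returns failure if anything at all is queued, so a pre-existing entry from an unrelated call is enough to fail it. The comment should also note that the clear discards any earlier errors a caller might still have wanted to read via openssl_error_string().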
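For anyone hitting this on a build without the patch, the same queue can be emptied from userland, because openssl_error_string() pops one entry from OpenSSL's per-thread error queue (it wraps ERR_get_error()) and returns false once the queue is empty. The following is an added example, not code from the bug report or from PHP itself: it drains the queue right before the client-cert stream is opened, and drains it again after a failure so that what is logged belongs to this request and not to an earlier call. $url and $certPath are placeholders; the example enables verify_peer rather than allow_self_signed, which is a deliberate change from the reproduce script.

```php
<?php
// Added example (not part of the original bug report).
// Workaround for PHP builds where a stale entry on the OpenSSL error
// queue makes SSL_CTX_use_certificate_chain_file fail: drain the
// queue from userland immediately before opening the TLS stream.

/* Pop every queued OpenSSL error and return them in order. */
function drain_openssl_error_queue()
{
    $stale = array();
    while (($err = openssl_error_string()) !== false) {
        $stale[] = $err;
    }
    return $stale;
}

/* Fetch $url with client-certificate authentication. $certPath is a
   PEM file containing the certificate chain and private key. */
function fetch_with_client_cert($url, $certPath)
{
    $context = stream_context_create(array(
        'ssl' => array(
            'local_cert'        => $certPath,
            'verify_peer'       => true,   // do not accept unverified servers
            'allow_self_signed' => false,
        ),
    ));

    // Earlier code in this request (e.g. openssl_pkey_new() with an
    // openssl.cnf that lacks one of the keys it looks up) may have left
    // entries on the queue; discard them, but keep a record for logging.
    $stale = drain_openssl_error_queue();
    if ($stale) {
        error_log('Discarded stale OpenSSL errors: ' . implode('; ', $stale));
    }

    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        // The queue is now known to contain only errors from this call.
        $detail = drain_openssl_error_queue();
        throw new RuntimeException(
            'TLS request to ' . $url . ' failed: ' . implode('; ', $detail)
        );
    }
    return $body;
}

// Reproduce the trigger from the report, then fetch despite it.
openssl_pkey_new();
echo fetch_with_client_cert('https://someurl.example.com/', '/tmp/test.pem');
```

The drain is placed as close as possible to file_get_contents() so nothing between the two can queue a new entry; draining at script start would not help if openssl_pkey_new() or another OpenSSL function is called later in the request.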
-- Edit bug report at http://bugs.php.net/?id=47991&edit=1