From:             marco at csita dot unige dot it
Operating system: 
PHP version:      5.3.18
Package:          Streams related
Bug Type:         Feature/Change Request
Bug description:  Incorrect handle of HTTPS request through proxy using SNI

Description:
------------
The http wrapper allows streams to access remote files using the HTTPS
(HTTP over SSL/TLS) protocol and supports passing requests through an HTTP
proxy.

Unfortunately, SSL-related options and the HTTP proxy option are handled by
different contexts, each unaware of the other. Thus, from the point of view
of SSL, the stream is connected to the proxy, while from the point of view
of HTTP the stream is connected to the remote web server.

Using the default settings, this produces a mismatch between the value in the
SNI_server_name indicator, which reports the proxy host name, and the HTTP
header Host:, which reports the web server host name. As a result, web
servers with support for SNI handle the request incorrectly or (e.g.
Apache) raise a 400 error.



Test script:
---------------
Suppose you need to access the remote URL https://www.example.com/ using
the proxy proxy.example.com

This is the code fragment:

$path = 'https://www.example.com/';

$opts = array(
  'http' => array(
    'method' => 'GET',
    'proxy' => 'tcp://proxy.example.com:8080',
  )
);

$context = stream_context_create($opts);
$fp = fopen($path, 'r', false, $context);
$meta = stream_get_meta_data($fp);
print_r($meta);
fclose($fp);



Expected result:
----------------
It would be advisable for the stream module to detect and handle
this situation automatically.

A workaround is to explicitly set the web server host name in the SNI
field:

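$path = 'https://www.example.com/';
// Host name of the origin web server, not of the proxy
$hostname = parse_url($path, PHP_URL_HOST);

$opts = array(
  'http' => array(
    'method' => 'GET',
    'proxy' => 'tcp://proxy.example.com:8080',
  ),
  'ssl' => array(
    // Send the web server name in SNI so that it matches the Host: header
    'SNI_server_name' => $hostname,
    'SNI_enabled' => TRUE,
  )
);

// Open the stream with these options, as in the test script
$context = stream_context_create($opts);
$fp = fopen($path, 'r', false, $context);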


Actual result:
--------------
If the web server is Apache httpd 2.2.12 or later, the result is:

Array
(
    [wrapper_data] => Array
        (
            [0] => HTTP/1.1 400 OK
...

with a line such as:

[Thu Nov ...] [error] Hostname proxy.example.com provided via SNI and
hostname www.example.com provided via HTTP are different

in the error log of the web server.
The behaviour of other web server implementations can vary.

If you do not have access to an Apache web server configured to use SNI, you
can emulate a web server using a recent OpenSSL with self-signed
certificates, started with the command:

C:\>openssl s_server -key server.key -cert server.crt -accept 8443 -www -tlsextdebug

The value in the SNI field will be well recognizable in the dump.


-- 
Edit bug report at https://bugs.php.net/bug.php?id=63519&edit=1