ID: 36445
Comment by: e at osterman dot com
Reported By: Jacek at veo dot pl
Status: Assigned
Bug Type: Sockets related
Operating System: SuSE Linux 9.1
PHP Version: 5.1.3
Assigned To: wez
New Comment:
And just to make sure we're using the same tools to test, this is the
certificate that I used to make the test above work. The pass phrase is
"comet".
-----BEGIN CERTIFICATE-----
MIIDgTCCAuqgAwIBAgIJAMgtIWVzb1oIMA0GCSqGSIb3DQEBBQUAMIGIMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2Vs
ZXMxFDASBgNVBAoTC091ciBDb21wYW55MQ0wCwYDVQQLEwRUZXN0MQwwCgYDVQQD
EwNEZXYxGzAZBgkqhkiG9w0BCQEWDGFzZEBob3N0LmNvbTAeFw0wNjA1MjYwMTM4
NTRaFw0wNzA1MjYwMTM4NTRaMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
aWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2VsZXMxFDASBgNVBAoTC091ciBDb21w
YW55MQ0wCwYDVQQLEwRUZXN0MQwwCgYDVQQDEwNEZXYxGzAZBgkqhkiG9w0BCQEW
DGFzZEBob3N0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3mStTm74
kOQCelquoGI/WyUIOvngDdNcJGmi2xnzDpRjKfQTH/3VVDQJUwvjKcLxnBQHFg7M
nvEZrfC3LEmFajAzRKjXK5gUCQEQKqhbVsfZO+7ANq4axNldd4UgMhPeZIKr8DDt
P3pjFqFSYh/dtOq2pfDXSbstmCZ1Q3GAYDcCAwEAAaOB8DCB7TAdBgNVHQ4EFgQU
WQSzc00pkM9aCzsxKJpTYm3kwEUwgb0GA1UdIwSBtTCBsoAUWQSzc00pkM9aCzsx
KJpTYm3kwEWhgY6kgYswgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y
bmlhMRQwEgYDVQQHEwtMb3MgQW5nZWxlczEUMBIGA1UEChMLT3VyIENvbXBhbnkx
DTALBgNVBAsTBFRlc3QxDDAKBgNVBAMTA0RldjEbMBkGCSqGSIb3DQEJARYMYXNk
QGhvc3QuY29tggkAyC0hZXNvWggwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUF
AAOBgQA7G/XKQ9kLTZOcVAG/IOxdn9tW38sEwHifNQ7zMSS5di1MmnD5JJWdK/s4
dzN06T1Ey5FCu2kafFzk48khZpoPsXMRF8DNBXLVSCGj4maPtEviJVjwtj3XwZjA
82a8A/Yil0+fo25zPX4I4oBcbl3bPqzVPXxsQ7myp9f7MDZcbQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E4476A175B6608B6
r0sox8H5ijuOanXwYFtIDgPti3AAuIUdy5EJG9GZbrtQHEW6HL+YxdI58Ng70t4w
EfBvcuLb7XAGsJwF65yad0vSXsYv6F+0brEefEvZX3ljxUZ3yGfHVJyEdBWJty7X
A8QpqOVVQseAST1IKeWOIT16/a9ZOgwnIhQe36y43pxBwL5tumXTM+AuWPOBW8c0
s49I8GyptttGJpcFohLsmP9Jza/fMIzYFNeuOBQ93fieCcVXBd2fWNyZVEsOU5Mi
kt5FQ9Lc9F8Wc+Mh0xiodDz6H+2yNIMC2SNu/mDSAGwDCctBZ34enFDad/eBiYW+
iTjMaqWGFs+cantSgVQ6pdZWYQd5Rsb3/Qbcfia/C1vtzWipBG7wlQCsNWwceXx/
f8hqWl5kyCxvBdH9eyRNMVJkCbFABl9tnaMGRi/UnVL68wgUvosAsdCjUrdL3x7O
i6yMBrxYjACbYslPFaG5OtgXcbacBKjsVMkcRYRyGqClgVZHICYZXhZoZTjOsgT4
L9WivT1RnozmFUMPaXbnxX4h/B3v6aSYAc4mPM6oMFTiXGJ7cLoafNw7Fxug7oeF
0+04DykzFCsLw1PmnkXP/WliQ+xidKJeKl2bR0k5MjAs0ksjelk7hAbCDjE0ct0w
LAHuvf6haClaFBa0ugL90S6BBdIQad9GRmAqZlVc5tANZleXFEY2wKUSMddIKzsm
nouipBWt3flDyYaFRtF20IYYk59z3zlqk73U/cFRkpT9SvHbxdsjTX1OvsmuhMzV
5K4+1QaBK4vePOFeEHDAkwGGqI1Wj+2lC6pxdLe3tjIzNWN1eaq59Q==
-----END RSA PRIVATE KEY-----
Previous Comments:
------------------------------------------------------------------------
[2006-05-31 21:00:04] e at osterman dot com
The below example calls stream_socket_enable_crypto on client stream
socket and on a server stream socket. It works on my version of PHP
5.1.2 just fine. So, if it doesn't work for you then, we can determine
what version of PHP5 is broken.
This is the output.
[EMAIL PROTECTED]:~/dev/examples/tls$ ./tls-server.php
1: STARTTLS
Error (if any):
2: EHLO world
As you see... no errors. It got the "EHLO world" command sent over an
TLS channel from the client just fine.
[EMAIL PROTECTED]:~/dev/examples/tls$ ./tls-client.php
1: 220 ESMTP
2: 250 STARTTLS
bool(true)
This is the code that produced the output.
Below is the code I use to make a sample TLS SMTP server. It works
perfectly on my platform and version of PHP. The output from the tests
are above.
#!/usr/bin/php5
<?php
// Hello World! SMTP TLS Server
// Tested on PHP 5.1.2-1+b1 (cli) (built: Mar 20 2006 04:17:24)
$context = stream_context_create();
// local_cert must be in PEM format
stream_context_set_option($context, 'ssl', 'local_cert',
'./server.pem');
// Pass Phrase (password) of private key
stream_context_set_option($context, 'ssl', 'passphrase', 'comet');
stream_context_set_option($context, 'ssl', 'allow_self_signed', true);
stream_context_set_option($context, 'ssl', 'verify_peer', false);
// Create the server socket
$server = stream_socket_server('tcp://0.0.0.0:9001', $errno, $errstr,
STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context);
while(1){
if($client=stream_socket_accept($server)){
@fwrite($client,"220 ESMTP\r\n");
@fwrite($client,"250 STARTTLS\r\n");
// Client should now send STARTTLS
echo "1: " . @fgets($client);
// We start the SSL Channel
stream_socket_enable_crypto($client,true,STREAM_CRYPTO_METHOD_TLS_SERVER);
echo "Error (if any): ".openssl_error_string()."\n";
@fwrite($client,"220 ESMTP\r\n");
echo "2: " . @fgets($client);
}
}
?>
#!/usr/bin/php5
<?
$fp = fsockopen("tcp://localhost", 9001, $errno, $errstr,30);
if (!$fp) die ("Unable to connect: $errstr ($errno)");
echo "1: " . fgets($fp);
echo "2: " . fgets($fp);
fwrite($fp, "STARTTLS\r\n");
var_dump(stream_socket_enable_crypto($fp,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)
);
fwrite($fp, "EHLO world");
?>
------------------------------------------------------------------------
[2006-05-27 04:30:23] eddi at ai000 dot de
Sorry. You misconceive or misread it. Please understand difference
between server sockets and client sockets.
There are no way to set context options and to give this context
stream_socket_enable_crypto().
------------------------------------------------------------------------
[2006-05-26 18:31:48] e at osterman dot com
Eddi, you indeed appear to be correct. I was writing an SSL TCP Server,
which gave off the same error message so I assumed they were related. My
fix there did NOT work for the TLS implementation. As you mentioned, TLS
is a different way of implementing SSL, which as it stands currently in
PHP5, I aggree it appears to be broken. There is one issue with your
above example. The wrapper should be "ssl" even for "tls"
communications (but that doesn't make it work).
Wez talks more about it in http://bugs.php.net/33192.
Wez Furlong:
{{{
The context options for openssl, including tls, are all bundled under
the name "ssl". I think your code should probably look more like this:
$c = stream_context_create(array(
"ssl" => array(
"local_cert" => "sec.pem",
... other options ...
)
);
}}}
------------------------------------------------------------------------
[2006-05-26 12:28:56] eddi at ai000 dot de
May be the stream_socket_server() works fine yet, but, Erik, it is NOT
the point exactly.
SMTP services listen on an _unencrypted_ stream. An implemetation of
the extension for secure SMTP over transport layer security
(http://www.ietf.org/rfc/rfc3207.txt) needs the ability (provided by
stream_socket_enable_crypto()) to encrypting stream belated. It does
not work and this is the point.
------------------------------------------------------------------------
[2006-05-26 09:51:12] Jacek at veo dot pl
Code:
-----
<?php
$context = stream_context_create(array(
'ssl' => array(
'verify_peer' => FALSE,
'allow_self_signed' => TRUE,
'local_cert' => '/host.pem'
)
));
echo 1;
$ssl = stream_socket_server('ssl://0.0.0.0:4445', $errnum, $errstr,
STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $context);
echo 2;
stream_socket_enable_crypto($ssl, TRUE,
STREAM_CRYPTO_METHOD_TLS_SERVER);
echo 3;
fclose($ssl);
?>
Result:
-------
I created combined file, as on the website, but I receive (PHP 5.1.4):
Warning: stream_socket_enable_crypto(): Unable to set private key file
`/host.pem' in /repr.php on line 15
Warning: stream_socket_enable_crypto(): failed to create an SSL handle
in /repr.php on line 15
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/36445
--
Edit this bug report at http://bugs.php.net/?id=36445&edit=1
