#38417 [Com]: SSL Handshake Timeout

[eli at electric-cloud dot com]

 ID:               38417
 Comment by:       eli at electric-cloud dot com
 Reported By:      ctm at etheon dot net
 Status:           Open
 Bug Type:         OpenSSL related
 Operating System: Windows NT
 PHP Version:      5.1.4
 New Comment:

We are seeing this only when the SSL page that we are opening a socket
to is also on our local machine - the one that running Apache/PHP.


Previous Comments:
------------------------------------------------------------------------

[2006-08-10 18:45:47] ctm at etheon dot net

Description:
------------
When using either the stream_socket_client function (in
STREAM_CLIENT_CONNECT mode) or the stream_socket_enable_crypto function
(if you connected in ASYNC mode), on some IPs, then SSL Handshake will
take sometimes up to 10 minutes to complete, and in those cases, often
fails anyway. It also uses as much CPU usage as it can (up to 99%).

Basically, having a timeout would be nice.

Reproduce code:
---------------
$ip = "68.142.72.152" ;

   $context = stream_context_create ( array ( 'ssl' => array (
'verify_peer' => false,
                                                               
'capture_peer_cert' => true ),
                                            )
                                    ) ;

   $socket = stream_socket_client ( "ssl://" . $ip . ":443", 
                                    $errno, 
                                    $errstr, 
                                    15,
                                    
STREAM_CLIENT_CONNECT|STREAM_CLIENT_ASYNC_CONNECT,
                                    $context ) ;

stream_socket_enable_crypto ( $socket, true,
STREAM_CRYPTO_METHOD_SSLv23_CLIENT ) ;

print "The end.\r\n" ;

Expected result:
----------------
The end.

Actual result:
--------------
Well, the result is pretty much the same, the only problem is instead
of taking roughly 10 to 30 seconds, it takes about 10 minutes and uses
99% of the CPU.


This is, I think, the problem in the source code (ext/openssl/xp_ssl.c)
:

                do {
                        if (sslsock->is_client) {
                                n = SSL_connect(sslsock->ssl_handle);
                        } else {
                                n = SSL_accept(sslsock->ssl_handle);
                        }

                        if (n <= 0) {
                                retry = handle_ssl_error(stream, n TSRMLS_CC);
                        } else {
                                break;
                        }
                } while (retry);

I know the SSL Handshake fails (since n is less than equal to 0),
though I'm not sure if the CPU usage and the long timeout are due to a
near infinite loop or something akin to this. I've checked the Unix man
pages on this, but I'm not sure which error it is exactly, since
openssl_error_string() doesn't return anything. And I can read or write
just fine, so I don't think it's SSL_ERROR_WANT_READ or
SSL_ERROR_WANT_WRITE, though I'm not sure about this.




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=38417&edit=1