Bug #51647 Certificate file without private key (pk in another file) doesn't work
Submitted: 2010-04-23 15:38 UTC Modified: 2020-04-09 09:47 UTC
Votes: 3
Avg. Score: 5.0 ± 0.0
Reproduced: 2 of 2 (100.0%)
Same Version: 2 (100.0%)
Same OS: 2 (100.0%)
From: [email protected] Assigned: cmb (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.3SVN-2010-04-23 (SVN) OS: Linux
Private report: No CVE-ID: None
 [2010-04-23 15:38 UTC] [email protected]
Description:
------------
If a user has a certificate file (PEM) with only the public key, and the private key in another file, he cannot use them by pushing them down to the stream via a context. The user is forced to put the keys in the same file, which is not always possible.

Test script:
---------------
From the sources:
		if (VCWD_REALPATH(certfile, resolved_path_buff)) {
			/* a certificate to use for authentication */
			if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff) != 1) {
				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set local cert chain file `%s'; Check that your cafile/capath settings include details of your certificate and its issuer", certfile);
				return NULL;
			}

			if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff);
				return NULL;
			}
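As an added example (not code from the bug report or from PHP itself), this is how a client would use the split-file configuration the report asks for: the certificate via `local_cert` and the private key via `local_pk`, with the pair checked for consistency before the connection is attempted. The file paths and host name are constructed placeholders, and PHP 7.1 or later is assumed for the nullable parameter types and `verify_peer_name`.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Client TLS context with the certificate and private key in separate PEM
// files, using the `local_pk` option added by the fix for bug #51647.
// All paths and the host below are constructed placeholders.
const CERT_FILE = '/etc/ssl/client/client-cert.pem'; // certificate (plus chain)
const KEY_FILE  = '/etc/ssl/client/client-key.pem';  // private key in its own, tighter-permissioned file
const CA_FILE   = '/etc/ssl/client/ca.pem';          // CA bundle used to verify the server

// Confirm the certificate and the separately stored key belong together, so a
// mismatch is reported here instead of as an opaque handshake failure.
function certMatchesKey(string $certFile, string $keyFile, ?string $passphrase = null): bool
{
    $cert = openssl_x509_read('file://' . $certFile);
    if ($cert === false) {
        throw new RuntimeException('cannot parse certificate: ' . openssl_error_string());
    }
    $key = openssl_pkey_get_private('file://' . $keyFile, $passphrase ?? '');
    if ($key === false) {
        throw new RuntimeException('cannot load private key: ' . openssl_error_string());
    }
    return openssl_x509_check_private_key($cert, $key);
}

// Before PHP 5.3.3 the key had to be concatenated into the `local_cert` file;
// with `local_pk` it can stay in its own file.
function buildClientContext(string $certFile, string $keyFile, string $caFile, ?string $passphrase = null)
{
    $ssl = [
        'local_cert'       => $certFile,
        'local_pk'         => $keyFile,   // option introduced by the patch in this report
        'cafile'           => $caFile,
        'verify_peer'      => true,       // client auth does not replace server verification
        'verify_peer_name' => true,
    ];
    if ($passphrase !== null) {
        $ssl['passphrase'] = $passphrase;
    }
    return stream_context_create(['ssl' => $ssl]);
}

if (!certMatchesKey(CERT_FILE, KEY_FILE)) {
    fwrite(STDERR, "certificate and private key do not match\n");
    exit(1);
}
$ctx = buildClientContext(CERT_FILE, KEY_FILE, CA_FILE);
$fp = stream_socket_client('tls://service.example.internal:8443', $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
if ($fp === false) {
    fwrite(STDERR, "TLS connect failed ($errno): $errstr\n");
    exit(1);
}
fclose($fp);
```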

History
 [2010-04-23 15:40 UTC] [email protected]
-Status: Open +Status: Verified -Assigned To: +Assigned To: andrey
 [2010-04-23 15:54 UTC] [email protected]
Automatic comment from SVN on behalf of andrey
Revision: http://svn.php.net/viewvc/?view=revision&revision=298374
Log: Fix for bug #51647 Certificate file without private key (pk in another file) doesn't work
 [2010-04-23 15:56 UTC] [email protected]
-Status: Verified +Status: Closed
 [2010-04-23 15:56 UTC] [email protected]
Addressed in 5.3.3
 [2010-04-23 16:30 UTC] [email protected]
-Status: Closed +Status: Assigned -Assigned To: andrey +Assigned To: pajoye
 [2010-04-23 16:30 UTC] [email protected]
Opening a bug, committing the same wrong thing and closing the bug does not solve anything. I mailed you what I'm expecting.
 [2010-04-23 17:15 UTC] [email protected]
You need to start the MySQL server with the following options:
ssl-ca=/path/to/cacert.pem
ssl-cert=/path/to/server-cert.pem
ssl-key=/path/to/server-key.pem

You can find all the files here:
http://www.hristov.com/andrey/projects/php_stuff/certs/
 [2010-04-23 17:18 UTC] [email protected]
Pierre, I haven't committed the same wrong thing. I thought you could read emails/diffs, but somehow I've lost that feeling.
 [2010-04-23 17:28 UTC] [email protected]
Here is the new patch, already committed, also to be found in the commit email.

Index: ext/openssl/openssl.c
===================================================================
--- ext/openssl/openssl.c	(revision 298371)
+++ ext/openssl/openssl.c	(working copy)
@@ -4445,6 +4445,7 @@
 		EVP_PKEY *key = NULL;
 		SSL *tmpssl;
 		char resolved_path_buff[MAXPATHLEN];
+		const char * private_key = NULL;
 
 		if (VCWD_REALPATH(certfile, resolved_path_buff)) {
 			/* a certificate to use for authentication */
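Review bot: style point on the added `const char * private_key = NULL;` declaration: the pointer spacing differs from the neighbouring `EVP_PKEY *key = NULL;` and `SSL *tmpssl;`; `const char *private_key = NULL;` would match the surrounding code.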
@@ -4452,10 +4453,21 @@
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set local cert chain file `%s'; Check that your cafile/capath settings include details of your certificate and its issuer", certfile);
 				return NULL;
 			}
+			GET_VER_OPT_STRING("local_pk", private_key);
 
-			if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
-				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff);
-				return NULL;
+			if (private_key) {
+				char resolved_path_buff_pk[MAXPATHLEN];
+				if (VCWD_REALPATH(private_key, resolved_path_buff_pk)) {
+					if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff_pk, SSL_FILETYPE_PEM) != 1) {
+						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff_pk);
+						return NULL;
+					}
+				}
+			} else {
+				if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff);
+					return NULL;
+				}		
 			}
 
 			tmpssl = SSL_new(ctx);
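Review bot: missing error path in the new `if (private_key)` branch: when `VCWD_REALPATH(private_key, resolved_path_buff_pk)` fails (file missing, unreadable, or a bad path), the code falls through silently with the certificate loaded into `ctx` but no private key, so the problem only surfaces later at handshake time with a less specific message. Mirror the other two branches with an `else` that calls `php_error_docref(NULL TSRMLS_CC, E_WARNING, ...)` naming `private_key` and returns NULL. Two smaller points: the `local_pk` option introduced by `GET_VER_OPT_STRING("local_pk", private_key);` comes with no documentation change, and the closing brace line of the `else` block carries trailing whitespace.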
 [2014-01-30 17:46 UTC] [email protected]
Pierre/Andrey

Are we happy that this bug is fixed? The context option that was added by the patch is not currently documented. I will be helping to update the documentation for the recent OpenSSL changes, can I include this in the docs as well?

Thanks, Chris
 [2014-03-04 18:55 UTC] [email protected]
> The user is forced to put keys in the same file,
> which is not always possible.

I'm drawing a blank on when this would not be possible. The only thing that needs to happen in order for this to work is the concatenation of the private key and the public cert into the same file.

Are there scenarios where this isn't possible that I'm missing? Otherwise I wouldn't really consider this a bug.
 [2017-10-24 07:30 UTC] [email protected]
-Status: Assigned +Status: Open -Assigned To: pajoye +Assigned To:
 [2020-04-09 09:47 UTC] [email protected]
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2020-04-09 09:47 UTC] [email protected]
Closing, since this is fixed as of PHP 5.3.3 (IOW, the commit had never been reverted).
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri Dec 26 06:00:01 2025 UTC