Skip to content

Bug 70195 - let FTP-S re-use the SSL session for the data connection.#2072

Closed
singerb wants to merge 1 commit intophp:PHP-5.6from
singerb:issue-70195
Closed

Bug 70195 - let FTP-S re-use the SSL session for the data connection.#2072
singerb wants to merge 1 commit intophp:PHP-5.6from
singerb:issue-70195

Conversation

@singerb
Copy link
Contributor

@singerb singerb commented Aug 10, 2016

Many FTP-S servers now require FTP clients to re-use the SSL session from the
control connection on the data connection, to prove that the same entity
controls both connections. This patch updates PHP's FTP-S client code to allow
that possibility.

@singerb
Bug 70195 - let FTP-S re-use the SSL session for the data connection.
05a351d 
Many FTP-S servers now require FTP clients to re-use the SSL session from the
control connection on the data connection, to prove that the same entity
controls both connections. This patch updates PHP's FTP-S client code to allow
that possibility.
@KalleZ
Copy link
Member

KalleZ commented Aug 10, 2016

Hi, does this issue also apply to the ftp:// wrapper in ext/standard?

@singerb
Copy link
Contributor Author

singerb commented Aug 10, 2016

This fix does not apply to that wrapper; that uses the SSL implementation in ext/openssl/xp_ssl.c for the SSL support. It does appear that the wrapper can pass a session stream down, and it looks like xp_ssl.c will copy the session ID to the new stream. I can run some tests to see if that's sufficient to satisfy FTP-S servers with this requirement, but I suspect not. If not, updating that code would be a larger undertaking requiring even more review.

@KalleZ
Copy link
Member

KalleZ commented Aug 10, 2016

Thank you for your clarification. The reason I ask is that I remember seeing a recent bug that only affected one of those two, as we have different implementations for ext/ftp and ftp:// (in ext/standard/ftp_fopen_wrapper.c) so it would be nice with some unification.

cc @Tyrael as the 5.6 RM

@vhuk
Copy link
Contributor

vhuk commented Aug 11, 2016

@KalleZ, I just fixed couple of issues with the TLS/SSL side of the ftp:// wrapper in ext/standard and agree that some unification is needed.

More related to this PR, ext/standard/ftp_fopen_wrapper.c doesn't support SSL session re-use for data channel with AUTH TLS. Based on the comments it looks like there is an attempt for this with AUTH SSL:

/* we must reuse the old SSL session id */
/* if we talk to an old ftpd-ssl */

In its current form ext/standard ftp:// wrapper fails to connect to many ftps servers running their standard configs. As an example, ftp:// wrapper fails with both ProFTPD and vsftpd when the servers run their out of the box Debian configs with TLS enabled. Both can be fixed by changing the server config not not require data channel session reuse.

@nikic
Copy link
Member

nikic commented Aug 11, 2016

Patch looks good to me. One question I have is whether we can drop the SSL_copy_session_id in the old_ssl branch now?

Do we have any possibility of testing this? I.e. enforcing in the ext/ftp server.inc that control and data use the same connection?

@singerb
Copy link
Contributor Author

singerb commented Aug 11, 2016

It seems like there's currently no ability to retrieve the SSL session information from PHP, unless I've missed it somewhere. If a test is desired, would the capture_session_meta/session_meta options(s) be an appropriate place to include that information?

@nikic
Copy link
Member

nikic commented Aug 13, 2016

Merged via dfadc5a, thanks!

It would still be nice to expose the necessary information (session_meta seems a reasonable place), but that's a separate change :)

@nikic nikic closed this Aug 13, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@singerb @KalleZ @vhuk @nikic