Newsgroups: php.internals
Xref: news.php.net php.internals:107988
Subject: [PHP-DEV] SSL stream context 'local_pk' issue?
From: webdevxp.com@gmail.com (Kosit Supanyo)
To: PHP internals
Date: Sun, 5 Jan 2020 18:46:49 +0700

Hi Internals

First of all, Happy New Year!

I've found that every time `stream_socket_accept()` accepts an SSL/TLS connection, it always reads the 'local_cert' and 'local_pk' files, despite their having been read and verified before by `stream_socket_server()`. There's no problem with 'local_cert', but there is with 'local_pk', because private key files usually have root 0600 permissions. And that may be an issue because you must either run PHP as root or change the permissions of the private key files (I'm doing the latter as a workaround) in order to make `stream_socket_accept()` work. Is it possible to make `stream_socket_server()` keep the private key file in memory? (Like nginx does, I think)

Here's a simple scenario with the issue:

    <?php
    $server = stream_socket_server(
        'tls://0.0.0.0:443', // listen address: placeholder
        $errno,
        $errstr,
        STREAM_SERVER_BIND | STREAM_SERVER_LISTEN,
        stream_context_create([
            'ssl' => [
                'local_cert' => '/path/to/cert',
                'local_pk' => '/path/to/pk',
            ],
        ]),
    );

    $num_cpus = (int)shell_exec('nproc');
    for ($i = 0; $i < $num_cpus; $i++) {
        // fork a worker process
        $pid = pcntl_fork();
        if ($pid === 0) {
            // change user/group of forked process to nobody
            posix_setgid(65534);
            posix_setuid(65534);
            while (true) {
                // This won't work because nobody cannot read private key
                $client = stream_socket_accept($server);
                if ($client) {
                    // do something with connections
                    // ...
                }
            }
        }
    }
    // master waits for children to exit
    // ...

Another feature that I've found `stream_socket_accept()` lacks is TLS session resumption. Is there someone working on this feature?

I apologize in advance if this topic had been raised before or if I misunderstood something.

Cheers
Kosit
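The following is an added, self-contained diagnostic for the scenario described in the message; it is not code from the post or from PHP itself. It generates a throwaway self-signed certificate with a root-only 0600 key, starts a TLS listener as root, forks one worker that drops to uid/gid 65534 exactly as above, and then connects to it from the parent so the result of the privilege-dropped `stream_socket_accept()` is visible. It assumes Linux, root privileges, and the `openssl` and `pcntl` extensions; the temp directory, certificate, key and port are constructed at run time.

```php
<?php
// Added diagnostic (not from the original post): reproduce the case of a
// worker that drops privileges after stream_socket_server() and then calls
// stream_socket_accept(). Assumptions: Linux, run as root, ext/openssl and
// ext/pcntl loaded. Certificate, key, directory and port are constructed here.
declare(strict_types=1);

if (posix_geteuid() !== 0) {
    fwrite(STDERR, "run as root: the point is to drop privileges afterwards\n");
    exit(2);
}

$dir      = sys_get_temp_dir() . '/local-pk-check-' . getmypid();
$certPath = "$dir/cert.pem";
$keyPath  = "$dir/key.pem";
mkdir($dir, 0755);

// Throwaway self-signed certificate; the key gets the usual root-only 0600 mode.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr = openssl_csr_new(['commonName' => 'localhost'], $key);
$crt = openssl_csr_sign($csr, null, $key, 1);
openssl_x509_export_to_file($crt, $certPath);
openssl_pkey_export_to_file($key, $keyPath);
chmod($keyPath, 0600);

$server = stream_socket_server(
    'tls://127.0.0.1:0', // port 0: the kernel picks a free port
    $errno,
    $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN,
    stream_context_create(['ssl' => [
        'local_cert' => $certPath,
        'local_pk'   => $keyPath,
    ]]),
);
if ($server === false) {
    fwrite(STDERR, "stream_socket_server failed: $errstr ($errno)\n");
    exit(1);
}
$bound = stream_socket_get_name($server, false); // "127.0.0.1:<port>"

$pid = pcntl_fork();
if ($pid === 0) {
    // Worker: the same privilege drop as in the post, then a single accept.
    posix_setgid(65534);
    posix_setuid(65534);
    $readable = is_readable($keyPath);
    fwrite(STDERR, 'worker: local_pk readable after setuid: ' . ($readable ? 'yes' : 'no') . "\n");
    // Any "Unable to set private key file" warning from PHP is left visible on purpose.
    $client = stream_socket_accept($server, 5);
    exit($client === false ? 1 : 0);
}

// Parent acts as the TLS client. Peer verification is off only because the
// certificate is self-signed; the handshake itself still needs the server key.
usleep(200000);
$conn = stream_socket_client(
    "tls://$bound",
    $cerrno,
    $cerrstr,
    5,
    STREAM_CLIENT_CONNECT,
    stream_context_create(['ssl' => ['verify_peer' => false, 'verify_peer_name' => false]]),
);
pcntl_waitpid($pid, $status);
$workerOk = pcntl_wifexited($status) && pcntl_wexitstatus($status) === 0;

printf(
    "worker accept: %s; client handshake: %s\n",
    $workerOk ? 'succeeded' : 'failed',
    $conn !== false ? 'succeeded' : "failed ($cerrstr)"
);

// Cleanup of the constructed files.
if ($conn !== false) {
    fclose($conn);
}
fclose($server);
unlink($certPath);
unlink($keyPath);
rmdir($dir);
exit($workerOk ? 0 : 1);
```

Run it as root; an exit status of 0 means the privilege-dropped worker completed the TLS accept. With the key at mode 0600 owned by root and the worker at uid 65534, the worker line reports the key as unreadable and both the accept and the client handshake fail; re-running with the key mode loosened, or without the `posix_setuid()` call, makes both succeed, which is the trade-off between running as root and relaxing key permissions that the message describes.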