Newsgroups: php.internals
Xref: news.php.net php.internals:108021
Subject: Re: [PHP-DEV] SSL stream context 'local_pk' issue?
From: webdevxp.com@gmail.com (Kosit Supanyo)
To: Thomas Hruska, PHP internals
Date: Tue, 7 Jan 2020 15:15:17 +0700

Hi Thomas

I'm sad to hear that. I don't know much about security, but I've implemented
a simple PHP TLS web server (only for dynamic content; static content still
uses nginx) for my project and have tested it with the SSL Labs tool. It gave
me an A+ score and reported no security issues (except for session
resumption, which is not a security thing). The reason I've tried to use PHP
as a TLS web server is that it outperforms nginx+PHP-FPM and even swoole on
my HelloWorld benchmark (6 - 7x faster than nginx+PHP-FPM and 2 - 3x faster
than swoole). Is it really bad to use PHP (with the standard API) as a TLS
web server? Should I give up what I'm doing?
Cheers

Kosit

On Sun, Jan 5, 2020 at 8:42 PM Thomas Hruska wrote:
> On 1/5/2020 4:46 AM, Kosit Supanyo wrote:
> > Hi Internals
> >
> > First of all, Happy new year!
> >
> > I've found that every time `stream_socket_accept()` accepts an SSL/TLS
> > connection, it always reads the 'local_cert' and 'local_pk' files despite
> > their having been read and verified before by `stream_socket_server()`.
> > There's no problem with 'local_cert', but there is with 'local_pk',
> > because private key files usually have root 0600 permissions. And that
> > may be an issue because you must either run PHP as root or change the
> > permissions of the private key files (I'm doing the latter as a
> > workaround) in order to make `stream_socket_accept()` work. Is it
> > possible to make `stream_socket_server()` keep the private key file in
> > memory? (Like nginx does, I think)
> >
> > Another feature that I've found `stream_socket_accept()` lacks is TLS
> > session resumption. Is there someone working on this feature?
> >
> > I apologize in advance if this topic has been raised before or if I
> > misunderstood something.
> >
> > Cheers
> >
> > Kosit
>
> IMO, people should not write TLS servers in PHP but proxy them from
> Nginx. For one thing, PHP doesn't have a way to pass
> SSL_ERROR_WANT_WRITE and SSL_ERROR_WANT_READ to userland. That alone
> makes it impossible to write a valid TLS server in PHP.
>
> Proxying requests from a properly hardened server, in general, also
> affords some additional security defense against attack by at least
> fully normalizing the TCP stack prior to connection. For example, prior
> to 7.4, TCP servers written in PHP were vulnerable to DoS attacks via a
> badly written fwrite() call.
>
> --
> Thomas Hruska
> CubicleSoft President
>
> I've got great, time saving software that you will find useful.
>
> http://cubiclesoft.com/
>
> And once you find my software useful:
>
> http://cubiclesoft.com/donate/
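The following is an added example, not code posted in this thread and not from PHP's own sources. It checks Kosit's observation directly: it binds a `tls://` listener with `local_cert`/`local_pk`, accepts one connection while the key file is readable, then removes all permissions from the key file and accepts again. If the second accept fails while the first succeeded, the key is being read again inside `stream_socket_accept()` rather than only in `stream_socket_server()`. It assumes PHP CLI on a Unix-like host with ext/openssl and ext/pcntl, a scratch directory under `sys_get_temp_dir()`, and that it is run as a non-root user (root bypasses file mode bits, so the `chmod 0000` step would prove nothing).

```php
<?php
// Added example (not from the thread). Checks whether stream_socket_accept()
// re-reads 'local_pk' on every TLS accept by making the key unreadable after
// stream_socket_server() has already loaded it. Assumptions: PHP CLI on a
// Unix-like host with ext/openssl and ext/pcntl, run as a non-root user
// (root ignores file mode bits, so chmod 0000 would not block the read).

$dir      = sys_get_temp_dir() . '/php-tls-' . getmypid();   // assumed scratch dir
$certFile = "$dir/server.crt";
$keyFile  = "$dir/server.key";
mkdir($dir, 0700);

// Throwaway self-signed certificate and key, written to disk the way a
// deployment would have them (key mode 0600).
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'localhost'], $key);
$crt = openssl_csr_sign($csr, null, $key, 1);
openssl_x509_export_to_file($crt, $certFile);
openssl_pkey_export_to_file($key, $keyFile);
chmod($keyFile, 0600);

$ctx = stream_context_create(['ssl' => [
    'local_cert' => $certFile,
    'local_pk'   => $keyFile,
]]);

// Bind while the key is readable. If local_pk were only read here, later
// permission changes on the file would be irrelevant to accept().
$server = stream_socket_server('tls://127.0.0.1:0', $errno, $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctx);
if ($server === false) {
    fwrite(STDERR, "bind failed: $errstr\n");
    exit(1);
}
$addr = stream_socket_get_name($server, false);   // "127.0.0.1:<port>"

// Fork a client that connects and sends one line, then accept it on the
// server side. Returns true if the TLS handshake completed in accept().
function tryAccept($server, string $addr): bool
{
    $pid = pcntl_fork();
    if ($pid === 0) {
        // Child: the cert is self-signed, so peer verification is disabled.
        $cctx = stream_context_create(['ssl' => [
            'verify_peer' => false, 'verify_peer_name' => false,
        ]]);
        $c = @stream_socket_client("tls://$addr", $e, $s, 5, STREAM_CLIENT_CONNECT, $cctx);
        if ($c !== false) {
            fwrite($c, "hello\n");
            fclose($c);
        }
        exit(0);
    }
    // Parent: the TLS handshake (and, per the thread, the key file read)
    // happens inside stream_socket_accept(), not in stream_socket_server().
    $conn = @stream_socket_accept($server, 5);
    $ok = $conn !== false;
    if ($ok) {
        fgets($conn);
        fclose($conn);
    } else {
        fwrite(STDERR, 'accept: ' . (error_get_last()['message'] ?? 'unknown error') . "\n");
    }
    pcntl_waitpid($pid, $status);
    return $ok;
}

$first = tryAccept($server, $addr);      // key readable: expected to succeed

chmod($keyFile, 0000);                   // server process can no longer read the key
$second = tryAccept($server, $addr);     // fails if local_pk is re-read per accept

printf("accept with readable key:   %s\n", $first ? 'ok' : 'FAILED');
printf("accept with unreadable key: %s\n", $second ? 'ok' : 'FAILED');
if ($first && !$second) {
    echo "local_pk is read again on every accept, not only in stream_socket_server()\n";
}

// Cleanup.
chmod($keyFile, 0600);
unlink($keyFile);
unlink($certFile);
rmdir($dir);
```

The same check is useful in the other direction: a server that drops privileges after `stream_socket_server()` (or is started with the key at root-owned 0600, as in Kosit's setup) should be tested with one real accept before relying on it, since a successful bind says nothing about whether the handshake path can still open the key.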