Newsgroups: php.internals
Date: Mon, 14 Dec 2020 17:36:11 +0100
From: Côme Chilliet <come.chilliet@fusiondirectory.org>
To: PHP Internals List
Message-ID: <20201214173611.202992d1@mcmic-probook.opensides.be>
Organization: FusionDirectory
Subject: capture_peer_cert support from stream_socket_server

Hello,

It seems that it does not work to pass the option capture_peer_cert to a stream_socket_server context in order to get the client certificate used in the TLS handshake.
Is that how it is supposed to work, and is it broken?

I tried the following:

<?php
$port = 1965; // added so the snippet runs stand-alone; the original left $port undefined

// Server context: accept self-signed client certs and ask PHP to capture the
// peer certificate after the handshake (see context.ssl.php)
$context = stream_context_create(
  [
    'ssl' => [
      'allow_self_signed' => true,
      'SNI_enabled'       => true,
      'SNI_server_certs'  => ['example.com' => '/path/to/cert.pem'],
      'capture_peer_cert' => true,
    ]
  ]
);

$socket = stream_socket_server(
  'tcp://[::]:' . $port,
  $errno,
  $errstr,
  STREAM_SERVER_BIND | STREAM_SERVER_LISTEN,
  $context,
);

if ($socket === false) {
  throw new \Exception($errstr, $errno);
} else {
  while ($conn = stream_socket_accept($socket, -1, $peername)) {
    // Run the TLS handshake on the accepted plain TCP connection
    $tlsSuccess = stream_socket_enable_crypto(
      $conn,
      true,
      STREAM_CRYPTO_METHOD_TLS_SERVER
    );
    if ($tlsSuccess !== true) {
      fclose($conn);
      continue;
    }
    // Expected to contain ['ssl']['peer_certificate'] after the handshake
    var_dump(stream_context_get_options($conn));
  }
}

No peer_certificate option is created when a client connects with a certificate, despite what https://www.php.net/manual/en/context.ssl.php says.

This is a problem for implementing client certificate support into Gemini servers written in PHP, such as https://tildegit.org/sumpygump/orbit and https://framagit.org/MCMic/gemini-server

Côme
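As an added example that is not part of the original message (and not the author's code), this is the server-side shape a Gemini server would build once a client certificate is actually captured: the handshake result is read back from the context options, reduced to a SHA-256 fingerprint and checked against a pinned allow-list. It assumes the server has to request the certificate ('verify_peer' => true) for there to be anything to capture; the port, file path and allow-list value are constructed placeholders.

```php
<?php
// Added example, not code from the original post: a server that requests a
// client certificate, captures it, and admits the peer only if the cert's
// SHA-256 fingerprint is on a local allow-list (pinning). Assumes a server
// only receives a client certificate when it asks ('verify_peer' => true);
// port, paths and the allow-list are constructed placeholders.
const LISTEN_PORT = 1965;
const ALLOWED_SHA256 = ['00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'];
// Lowercase hex SHA-256 of the captured client certificate, or null when the
// handshake produced none (no 'peer_certificate' in the context options).
function peerCertFingerprint($conn): ?string
{
    $cert = stream_context_get_options($conn)['ssl']['peer_certificate'] ?? null;
    if ($cert === null) {
        return null;
    }
    $fp = openssl_x509_fingerprint($cert, 'sha256');
    return $fp === false ? null : strtolower($fp);
}
// Timing-safe allow-list check; a missing fingerprint is never allowed.
function isAllowedFingerprint(?string $fp, array $allowed = ALLOWED_SHA256): bool
{
    foreach ($fp === null ? [] : $allowed as $pinned) {
        if (hash_equals($pinned, $fp)) {
            return true;
        }
    }
    return false;
}
$context = stream_context_create(['ssl' => [
    'local_cert'        => '/path/to/server.pem', // placeholder path
    'verify_peer'       => true,   // ask the client for a certificate
    'allow_self_signed' => true,   // client certs are expected to be self-signed
    'capture_peer_cert' => true,   // expose it as 'peer_certificate'
]]);
$server = stream_socket_server('tcp://[::]:' . LISTEN_PORT, $errno, $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $context);
if ($server === false) {
    throw new \RuntimeException($errstr, $errno);
}
while ($conn = stream_socket_accept($server, -1, $peer)) {
    if (stream_socket_enable_crypto($conn, true, STREAM_CRYPTO_METHOD_TLS_SERVER) !== true) {
        fclose($conn);
        continue;
    }
    $ok = isAllowedFingerprint(peerCertFingerprint($conn));
    fwrite($conn, $ok ? "20 text/gemini\r\nhello\r\n" : "60 client certificate required\r\n");
    fclose($conn);
}
```

Clients without a pinned certificate get the Gemini "certificate required" status instead of content, and a connection whose handshake captured nothing is refused by the same path, so a missing peer_certificate fails closed.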