SSL stream context 'local_pk' issue?

Hi Internals

First of all, Happy new year!

I've found that everytime stream_socket_accept() accepts a SSL/TLS
connection, it always read 'local_cert' and 'local_pk' files despite being
read and verified before by stream_socket_server(). There's no problem
with 'local_cert' but 'local_pk' because private key files usually have
root 0600 permission. And that may be an issue because you must either run
PHP as root or change permission of private key files (I'm doing the latter
as workaround) in order to make stream_socket_accept() work. Is it
possible to make stream_socket_server() keep private key file in memory?
(Like nginx does, I think)

Here's a simple scenario with the issue:

<?php
$server = stream_socket_server(
'tls://0.0.0.0:443',
$errno,
$errstr,
STREAM_SERVER_BIND | STREAM_SERVER_LISTEN,
stream_context_create([
'ssl' => [
'local_cert' => '/path/to/cert',
'local_pk' => '/path/to/pk',
],
]),
);

$num_cpus = (int)shell_exec('nproc');

for ($i = 0; $i < $num_cpus; $i++) {
// fork a worker process
$pid = pcntl_fork();

if ($pid === 0) {
    // change user/group of forked process to nobody
    posix_setgid(65534);
    posix_setuid(65534);

    while (true) {
        // This won't work because nobody cannot read private key
        $client = stream_socket_accept($server);

        if ($client) {
            // do something with connections
            // ...
        }
    }
}

}

// master waits for children to exit
// ...

Another feature that I've found stream_socket_accept() lacks is TLS
session resumption. Is there someone working on this feature?

I apologize in advance if this topic had been raised before or if I
misunderstood something.

Cheers

Kosit

Hi Thomas

I'm sad to hear that. I don't know much about security but I've implemented
a simple PHP TLS web server (only for dynamic contents, static contents
still use nginx) for my project and have been tested with SSL Labs tool, it
gave me A+ score and reported no security issues (except for session
resumption which is not security thing). The reason I've tried to use PHP
as TLS web server because it outperforms nginx+PHP-FPM and even swoole on
my HelloWorld benchmark (6 - 7x faster than nginx+PHP-FPM and 2 - 3x faster
than swoole). Is it really bad to use PHP (with standard API) as TLS web
server? Should I give up what I'm doing?

Cheers

Kosit

On Sun, Jan 5, 2020 at 8:42 PM Thomas Hruska thruska@cubiclesoft.com
wrote:

Hi Internals

First of all, Happy new year!

I've found that everytime stream_socket_accept() accepts a SSL/TLS
connection, it always read 'local_cert' and 'local_pk' files despite
being
read and verified before by stream_socket_server(). There's no problem
with 'local_cert' but 'local_pk' because private key files usually have
root 0600 permission. And that may be an issue because you must either
run
PHP as root or change permission of private key files (I'm doing the
latter
as workaround) in order to make stream_socket_accept() work. Is it
possible to make stream_socket_server() keep private key file in
memory?
(Like nginx does, I think)

Another feature that I've found stream_socket_accept() lacks is TLS
session resumption. Is there someone working on this feature?

I apologize in advance if this topic had been raised before or if I
misunderstood something.

Cheers

Kosit

IMO, people should not write TLS servers in PHP but proxy them from
Nginx. For one thing, PHP doesn't have a way to pass
SSL_ERROR_WANT_WRITE and SSL_ERROR_WANT_READ to userland. That alone
makes it impossible to write a valid TLS server in PHP.

Proxying requests from a properly hardened server, in general, also
affords some additional security defense against attack by at least
fully normalizing the TCP stack prior to connection. For example, prior
to 7.4, TCP servers written in PHP were vulnerable to DoS-attacks via a
badly written fwrite() call.

--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you will find useful.

http://cubiclesoft.com/

And once you find my software useful:

http://cubiclesoft.com/donate/