Server with Transport Layer Security. #35
Change Connection::handleData to use `fread` once again so that, when it is appropriate, the data is filtered by an ssl/tls stream wrapper. Add a third argument to Server::listen which should be an array which can be passed directly to stream_context_create. If the context has an 'ssl' key then it will stream_socket_enable_crypto for connected sockets.
if (false === $this->master) { | ||
$message = "Could not bind to tcp://$host:$port: $errstr"; | ||
throw new ConnectionException($message, $errno); | ||
} | ||
stream_set_blocking($this->master, 0); | ||
stream_set_blocking($this->master, (int) $this->isSecure); |
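Review bot: making the master socket blocking whenever `isSecure` is set (`stream_set_blocking($this->master, (int) $this->isSecure);`) stalls the whole select loop on every accept, because stream_socket_accept and the TLS handshake then wait on the peer. The handshake belongs on the accepted connection, kept non-blocking, where stream_socket_enable_crypto can be polled until it returns true (0 meaning still in progress); the master can keep the removed `stream_set_blocking($this->master, 0);`.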
I would love to know if anybody has managed to solve the requirement for this master socket to block for secure connections.
There is a way to do it... I don't have React-specific code samples for it, however, the gist of it is to try until stream_socket_enable_crypto returns success.
    public function enableCrypto()
    {
        // On a non-blocking stream this returns 0 while the handshake is still in
        // progress, false when it failed and true once encryption is established.
        $result = stream_socket_enable_crypto($this->stream, true, $crypto_method);
        if ($result === 0) {
            return true; // not finished yet: poll again on the next loop cycle
        }
        if ($result === false) {
            return false;
        }
        $this->secure = self::STATE_ENCRYPTED;
        return true;
    }
Assume the above to be part of a member function which you keep polling until the value of secure == STATE_ENCRYPTED. You don't need to do blocking at all in this way, see documentation of stream_socket_enable_crypto. Depending on the stream_select timeout values, typically doing it this way results in 1-3 cycles of polling to enable cryptography (tested on loopback interface).
Edit: you might want to look at an old closed pull request from way back when... before the repositories were shuffled around. They got the gist of this approach right.
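The polling handshake described in the comment above, as an added example in plain PHP that is not the PR's code and not @CriseX's: a select loop keeps the master socket non-blocking and finishes the TLS handshake on each accepted socket by re-polling stream_socket_enable_crypto until it returns true. CERT_PATH is a placeholder for a PEM file holding the certificate and key; the port, the TLS 1.2 method constant and the one-line HTTP reply are my choices, and the accepted sockets rely on inheriting the ssl context from the listening socket (PHP 5.6 or later).

```php
<?php
// Added example, not the PR's code: a select loop that keeps the master socket
// non-blocking and finishes each TLS handshake by polling stream_socket_enable_crypto()
// (0 = still in progress, false = failed, true = done). CERT_PATH is a placeholder.
const CERT_PATH = '/path/to/server.pem';
const CRYPTO_METHOD = STREAM_CRYPTO_METHOD_TLSv1_2_SERVER; // explicit default protocol
$context = stream_context_create(['ssl' => ['local_cert' => CERT_PATH]]);
$master = stream_socket_server('tcp://127.0.0.1:8443', $errno, $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $context);
if ($master === false) {
    throw new RuntimeException("Could not bind to tcp://127.0.0.1:8443: $errstr", $errno);
}
stream_set_blocking($master, false); // the master never has to block
$pending = []; // accepted sockets whose handshake has not finished yet
$secured = []; // sockets with crypto enabled; fread() on them yields plaintext
while (true) {
    $read = array_merge([$master], $secured);
    $write = $except = null;
    // Short timeout: pending sockets get re-polled even when select() stays quiet
    // because OpenSSL has already buffered their handshake bytes.
    stream_select($read, $write, $except, 0, 200000);
    if (in_array($master, $read, true)) {
        $conn = @stream_socket_accept($master, 0); // inherits the ssl context
        if ($conn !== false) {
            stream_set_blocking($conn, false);
            $pending[(int) $conn] = $conn;
        }
    }
    foreach ($pending as $id => $conn) {
        $result = stream_socket_enable_crypto($conn, true, CRYPTO_METHOD);
        if ($result === false) {
            fclose($conn);
            unset($pending[$id]);
        } elseif ($result === true) {
            unset($pending[$id]);
            $secured[$id] = $conn;
        }
    }
    foreach ($secured as $id => $conn) {
        if (!in_array($conn, $read, true)) continue;
        $data = fread($conn, 8192);
        if ($data === false || ($data === '' && feof($conn))) {
            fclose($conn);
            unset($secured[$id]);
        } elseif ($data !== '') {
            fwrite($conn, "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok");
        }
    }
}
```

A handshake that needs more than one pass simply stays in $pending and is retried on the next tick, which is the 1-3 cycle behaviour the comment reports on loopback.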
Thank you @CriseX, your comment was very helpful. I've added the suggested improvements to this PR.
Avoid needing to set the master server socket to block at the start of new secure connections by moving the crypto enablement from Server into a new SecureConnection. The implementation is based on [react-119] and with feedback from @CriseX. Revert changes to Connection that were made in the previous commit. Improve the selection of a default set of SSL/TLS protocols to use. [react-119]: /reactphp/reactphp/pull/119
{ | ||
if (isset($streamContext['ssl']) && PHP_VERSION_ID < 50600) { | ||
throw new \RuntimeException( | ||
'Secure connections are not available before PHP 5.6.0' |
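Review bot: the hard `PHP_VERSION_ID < 50600` gate turns every secure configuration on PHP 5.5 into a RuntimeException, although the accompanying discussion says the limitation is an unexplained read stall seen in one browser test rather than a missing feature. Record that reason in a code comment next to the check (or in the exception text) so it can be revisited once the cause is found, and state the minimum version in the documentation of the new `Server::listen` context argument.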
This is not strictly true, but I haven't been able to get it working with PHP 5.5.x using a simple HTTP server (with a select loop) and web browser. The problem seems to be that select() will permit a read of the first character (the 'G' in 'GET / HTTP/1.1') and then no more, so the HTTP server doesn't send a response. Works fine with wget though. More work needed to work out what's going wrong.
Merge please
Fix some bugs: boite#1
Some test cases should be added, but it deserves to be merged!
Thanks for your hard work and filling that void 👍 If you've kept track of #24 you'll have seen that I've kept working on resolving some outstanding design issues in the meantime, before being able to file my TLS server just yesterday. Most of my work for this actually went into the design, testing and documentation of this feature, whereas the implementation took mere hours. Likely because these outstanding design issues have been resolved in the meantime, I've also not encountered any of the issues you've observed. I very much value your contribution and would like to ask you to check out and/or comment on my PR so we can get any of these PRs in 👍 Happy to hear what you think about this 👍
For #24.
I realise there is ongoing work in this area, but I haven't seen any concrete code that's recent. So here is a contribution to that end.