Fix bug #76705 (unusable ssl => peer_fingerprint in stream_context_create())

1 files changed, 4 insertions, 2 deletions

diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index 5207657ef2..9af01f5b89 100644
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -471,6 +471,7 @@ static zend_bool matches_common_name(X509 *peer, const char *subject_name) /* {{
 static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stream) /* {{{ */
 {
 	zval *val = NULL;
+	zval *peer_fingerprint;
 	char *peer_name = NULL;
 	int err,
 		must_verify_peer,
@@ -488,6 +489,7 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre
 		: sslsock->is_client;
 
 	must_verify_fingerprint = GET_VER_OPT("peer_fingerprint");
+	peer_fingerprint = val;
 
 	if ((must_verify_peer || must_verify_peer_name || must_verify_fingerprint) && peer == NULL) {
 		php_error_docref(NULL, E_WARNING, "Could not get peer certificate");
@@ -519,8 +521,8 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre
 
 	/* If a peer_fingerprint match is required this trumps peer and peer_name verification */
 	if (must_verify_fingerprint) {
-		if (Z_TYPE_P(val) == IS_STRING || Z_TYPE_P(val) == IS_ARRAY) {
-			if (!php_x509_fingerprint_match(peer, val)) {
+		if (Z_TYPE_P(peer_fingerprint) == IS_STRING || Z_TYPE_P(peer_fingerprint) == IS_ARRAY) {
+			if (!php_x509_fingerprint_match(peer, peer_fingerprint)) {
 				php_error_docref(NULL, E_WARNING,
 					"peer_fingerprint match failure"
 				);