diff options
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/openssl/tests/tls_wrapper.phpt | 59 | ||||
| -rw-r--r-- | ext/openssl/xp_ssl.c | 4 | ||||
| -rw-r--r-- | main/streams/php_stream_transport.h | 8 |
4 files changed, 67 insertions, 6 deletions
@@ -5,6 +5,8 @@ PHP NEWS - OpenSSL: . Fixed bug #74720 (pkcs7_en/decrypt does not work if \x1a is used in content). (Anatol) + . Use TLS_ANY for default ssl:// and tls:// negotiation. + (Niklas Keller, me at kelunik dot com) - SQLite3: . Update to Sqlite 3.19.3. (cmb) diff --git a/ext/openssl/tests/tls_wrapper.phpt b/ext/openssl/tests/tls_wrapper.phpt new file mode 100644 index 0000000000..9135233831 --- /dev/null +++ b/ext/openssl/tests/tls_wrapper.phpt @@ -0,0 +1,59 @@ +--TEST-- +tls stream wrapper +--SKIPIF-- +<?php +if (!extension_loaded("openssl")) die("skip openssl not loaded"); +if (!function_exists("proc_open")) die("skip no proc_open"); +--FILE-- +<?php +$serverCode = <<<'CODE' + $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; + $ctx = stream_context_create(['ssl' => [ + 'local_cert' => __DIR__ . '/streams_crypto_method.pem', + ]]); + + $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); + phpt_notify(); + + for ($i=0; $i < 6; $i++) { + @stream_socket_accept($server, 3); + } +CODE; + +$clientCode = <<<'CODE' + $flags = STREAM_CLIENT_CONNECT; + $ctx = stream_context_create(['ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => false, + ]]); + + phpt_wait(); + + $client = stream_socket_client("tlsv1.0://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx); + var_dump($client); + + $client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx); + var_dump($client); + + $client = @stream_socket_client("tlsv1.1://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx); + var_dump($client); + + $client = @stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx); + var_dump($client); + + $client = @stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx); + var_dump($client); + + $client = @stream_socket_client("tls://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx); + var_dump($client); +CODE; + +include 'ServerClientTestCase.inc'; +ServerClientTestCase::getInstance()->run($clientCode, $serverCode); +--EXPECTF-- +resource(%d) of type (stream) +bool(false) +resource(%d) of type (stream) +resource(%d) of type (stream) +resource(%d) of type (stream) +resource(%d) of type (stream) diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index a2d6860ecd..66e1d598af 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -2557,7 +2557,7 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen, if (strncmp(proto, "ssl", protolen) == 0) { sslsock->enable_on_connect = 1; - sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_ANY_CLIENT); + sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT); } else if (strncmp(proto, "sslv2", protolen) == 0) { php_error_docref(NULL, E_WARNING, "SSLv2 unavailable in this PHP version"); php_stream_close(stream); @@ -2573,7 +2573,7 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen, #endif } else if (strncmp(proto, "tls", protolen) == 0) { sslsock->enable_on_connect = 1; - sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_TLS_CLIENT); + sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT); } else if (strncmp(proto, "tlsv1.0", protolen) == 0) { sslsock->enable_on_connect = 1; sslsock->method = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT; diff --git a/main/streams/php_stream_transport.h b/main/streams/php_stream_transport.h index 07598f3773..bc9845e14d 100644 --- a/main/streams/php_stream_transport.h +++ b/main/streams/php_stream_transport.h @@ -172,8 +172,8 @@ typedef enum { STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT = (1 << 3 | 1), STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT = (1 << 4 | 1), STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT = (1 << 5 | 1), - /* tls now equates only to the specific TLSv1 method for BC with pre-5.6 */ - STREAM_CRYPTO_METHOD_TLS_CLIENT = (1 << 3 | 1), + /* TLS equates to TLS_ANY as of PHP 7.2 */ + STREAM_CRYPTO_METHOD_TLS_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1), STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1), STREAM_CRYPTO_METHOD_ANY_CLIENT = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5) | 1), STREAM_CRYPTO_METHOD_SSLv2_SERVER = (1 << 1), @@ -183,8 +183,8 @@ typedef enum { STREAM_CRYPTO_METHOD_TLSv1_0_SERVER = (1 << 3), STREAM_CRYPTO_METHOD_TLSv1_1_SERVER = (1 << 4), STREAM_CRYPTO_METHOD_TLSv1_2_SERVER = (1 << 5), - /* tls equates only to the specific TLSv1 method for BC with pre-5.6 */ - STREAM_CRYPTO_METHOD_TLS_SERVER = (1 << 3), + /* TLS equates to TLS_ANY as of PHP 7.2 */ + STREAM_CRYPTO_METHOD_TLS_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)), STREAM_CRYPTO_METHOD_TLS_ANY_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)), STREAM_CRYPTO_METHOD_ANY_SERVER = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5)) } php_stream_xport_crypt_method_t; |