From f7813a6826e073e65a6fe7b667c199aa1e660e47 Mon Sep 17 00:00:00 2001
From: Niklas Keller
Date: Wed, 20 Sep 2017 09:13:26 +0200
Subject: [PATCH] Remove insecure SSLv3 fallback, use TLS 1.2 if possible
STREAM_CRYPTO_METHOD_TLS_CLIENT is only TLS 1.0 except for PHP 5.6.0-5.6.6 and 7.2.0+.
---
 inc/HTTPClient.php | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/inc/HTTPClient.php b/inc/HTTPClient.php
index e8689bb4d6..f436e60495 100644
--- a/inc/HTTPClient.php
+++ b/inc/HTTPClient.php
@@ -604,18 +604,16 @@ function _ssltunnel(&$socket, &$requesturl){
 // set correct peer name for verification (enabled since PHP 5.6)
 stream_context_set_option($socket, 'ssl', 'peer_name', $requestinfo['host']);
- // because SSLv3 is mostly broken, we try TLS connections here first.
- // according to https://github.com/splitbrain/dokuwiki/commit/c05ef534 we had problems with certain
- // setups with this solution before, but we have no usable test for that and TLS should be the more
- // common crypto by now
- if (@stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
- $requesturl = $requestinfo['path'].
- (!empty($requestinfo['query'])?'?'.$requestinfo['query']:'');
- return true;
+ // SSLv3 is broken, use only TLS connections.
+ // @link https://bugs.php.net/69195
+ if (PHP_VERSION_ID >= 50600 && PHP_VERSION_ID <= 50606) {
+ $cryptoMethod = STREAM_CRYPTO_METHOD_TLS_CLIENT;
+ } else {
+ // actually means neither SSLv2 nor SSLv3
+ $cryptoMethod = STREAM_CRYPTO_METHOD_SSLv23_CLIENT;
 }
- // if the above failed, this will most probably not work either, but we can try
- if (@stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_SSLv3_CLIENT)) {
+ if (@stream_socket_enable_crypto($socket, true, $cryptoMethod)) {
 $requesturl = $requestinfo['path'].
 (!empty($requestinfo['query'])?'?'.$requestinfo['query']:'');
 return true;
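Review bot: The `else` branch also runs on PHP older than 5.6.0, where `STREAM_CRYPTO_METHOD_SSLv23_CLIENT` is, as far as I know, OpenSSL's version-flexible method and can still negotiate SSLv3, so the comment `// actually means neither SSLv2 nor SSLv3` only holds from 5.6.7 on. If the project still supports those releases (the `enabled since PHP 5.6` comment in the context lines suggests it did), add a branch before the `else` such as `} elseif (PHP_VERSION_ID < 50600) { $cryptoMethod = STREAM_CRYPTO_METHOD_TLS_CLIENT;`, which limits old runtimes to TLS 1.0 instead of leaving SSLv3 negotiable; otherwise state the minimum PHP version in the comment. The `@` on `stream_socket_enable_crypto()` also hides the handshake warning, so with the fallback gone a protocol mismatch with a server looks like any other tunnel failure unless the caller reports it. `_ssltunnel()` starts and ends outside the hunk, so the failure path is not visible here.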