Fixed bug (#69195 Inconsistent stream crypto values across versions)

PHP 5.6.0 altered the semantics of the following constants: - STREAM_CRYPTO_METHOD_SSLv23_CLIENT - STREAM_CRYPTO_METHOD_SSLv23_SERVER - STREAM_CRYPTO_METHOD_TLS_CLIENT - STREAM_CRYPTO_METHOD_TLS_SERVER Instead of representing the SSLv23_*() handshake methods the v23 constants were changed to allow only SSLv2 or SSLv3 connections. Likewise, the TLS methods were modified from using only the TLSv1 handshake to allowing TLS1,1.1, and 1.2. This created a situation in which users upgrading from previous versions faced a potential security degradation if they did not update code to use different constants. In the interest of compatibility across PHP versions the original semantics have been restored with the following caveat: **IMPORTANT** The SSLv23 client/server methods will no longer negotiate the use of the insecure SSLv2 or SSLv3 protocols by default. Users wishing to allow these protocols must explicitly add them to the method bitmask via the appropriate flags.
php · Mar 6, 2015 · 10bc5fd · 10bc5fd
1 parent e7df9d7
commit 10bc5fd
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 5 deletions.
diff --git a/NEWS b/NEWS
@@ -57,6 +57,8 @@
     (Daniel Lowrey)
   . Fixed bug #68265 (SAN match fails with trailing DNS dot) (Daniel Lowrey)
   . Fixed bug #67403 (Add signatureType to openssl_x509_parse) (Daniel Lowrey)
+  . Fixed bug (#69195 Inconsistent stream crypto values across versions)
+    (Daniel Lowrey)
 
 - pgsql:
   . Fixed bug #68638 (pg_update() fails to store infinite values).

diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
@@ -323,7 +323,7 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 
 		/* enable SSL transport layer */
 		if (stream) {
-			if (php_stream_xport_crypto_setup(stream, STREAM_CRYPTO_METHOD_ANY_CLIENT, NULL TSRMLS_CC) < 0 ||
+			if (php_stream_xport_crypto_setup(stream, STREAM_CRYPTO_METHOD_SSLv23_CLIENT, NULL TSRMLS_CC) < 0 ||
 			    php_stream_xport_crypto_enable(stream, 1 TSRMLS_CC) < 0) {
 				php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "Cannot connect to HTTPS server through proxy");
 				php_stream_close(stream);

diff --git a/main/streams/php_stream_transport.h b/main/streams/php_stream_transport.h
@@ -169,19 +169,25 @@ typedef struct _php_stream_xport_param {
 typedef enum {
 	STREAM_CRYPTO_METHOD_SSLv2_CLIENT = (1 << 1 | 1),
 	STREAM_CRYPTO_METHOD_SSLv3_CLIENT = (1 << 2 | 1),
-	STREAM_CRYPTO_METHOD_SSLv23_CLIENT = ((1 << 1) | (1 << 2) | 1),
+	/* v23 no longer negotiates SSL2 or SSL3 */
+	STREAM_CRYPTO_METHOD_SSLv23_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1),
 	STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT = (1 << 3 | 1),
 	STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT = (1 << 4 | 1),
 	STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT = (1 << 5 | 1),
-	STREAM_CRYPTO_METHOD_TLS_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1),
+	/* tls now equates only to the specific TLSv1 method for BC with pre-5.6 */
+	STREAM_CRYPTO_METHOD_TLS_CLIENT = (1 << 3 | 1),
+	STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1),
 	STREAM_CRYPTO_METHOD_ANY_CLIENT = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5) | 1),
 	STREAM_CRYPTO_METHOD_SSLv2_SERVER = (1 << 1),
 	STREAM_CRYPTO_METHOD_SSLv3_SERVER = (1 << 2),
-	STREAM_CRYPTO_METHOD_SSLv23_SERVER = ((1 << 1) | (1 << 2)),
+	/* v23 no longer negotiates SSL2 or SSL3 */
+	STREAM_CRYPTO_METHOD_SSLv23_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)),
 	STREAM_CRYPTO_METHOD_TLSv1_0_SERVER = (1 << 3),
 	STREAM_CRYPTO_METHOD_TLSv1_1_SERVER = (1 << 4),
 	STREAM_CRYPTO_METHOD_TLSv1_2_SERVER = (1 << 5),
-	STREAM_CRYPTO_METHOD_TLS_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)),
+	/* tls equates only to the specific TLSv1 method for BC with pre-5.6 */
+	STREAM_CRYPTO_METHOD_TLS_SERVER = (1 << 3),
+	STREAM_CRYPTO_METHOD_TLS_ANY_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)),
 	STREAM_CRYPTO_METHOD_ANY_SERVER = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5))
 } php_stream_xport_crypt_method_t;