Dropped CN_match and SNI_server_name context options

php · Apr 24, 2015 · 2a87a42 · 2a87a42
1 parent 4694e1c
commit 2a87a42
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 15 deletions.
diff --git a/NEWS b/NEWS
@@ -147,6 +147,8 @@
     streams to negotiate alternative protocols using the ALPN TLS extension when
     built against OpenSSL 1.0.2 or newer. Negotiated protocol information is
     accessible through stream_get_meta_data() output.
+  . Removed "CN_match" and "SNI_server_name" SSL context options. Use automatic
+    detection or the "peer_name" option instead. (Nikita)
 
 - pcntl:
   . Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler

diff --git a/UPGRADING b/UPGRADING
@@ -482,6 +482,8 @@ Other
 - OpenSSL:
   . Removed the "rsa_key_size" SSL context option in favor of automatically
     setting the appropriate size given the negotiated crypto algorithm.
+  . Removed "CN_match" and "SNI_server_name" SSL context options. Use automatic
+    detection or the "peer_name" option instead.
 
 - PCRE:
   . Removed support for /e (PREG_REPLACE_EVAL) modifier. Use

diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
@@ -484,17 +484,15 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre
 	int err,
 		must_verify_peer,
 		must_verify_peer_name,
-		must_verify_fingerprint,
-		has_cnmatch_ctx_opt;
+		must_verify_fingerprint;
 
 	php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
 
 	must_verify_peer = GET_VER_OPT("verify_peer")
 		? zend_is_true(val)
 		: sslsock->is_client;
 
-	has_cnmatch_ctx_opt = GET_VER_OPT("CN_match");
-	must_verify_peer_name = (has_cnmatch_ctx_opt || GET_VER_OPT("verify_peer_name"))
+	must_verify_peer_name = GET_VER_OPT("verify_peer_name")
 		? zend_is_true(val)
 		: sslsock->is_client;
 
@@ -549,12 +547,6 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre
 	if (must_verify_peer_name) {
 		GET_VER_OPT_STRING("peer_name", peer_name);
 
-		if (has_cnmatch_ctx_opt) {
-			GET_VER_OPT_STRING("CN_match", peer_name);
-			php_error(E_DEPRECATED,
-				"the 'CN_match' SSL context option is deprecated in favor of 'peer_name'"
-			);
-		}
 		/* If no peer name was specified we use the autodetected url name in client environments */
 		if (peer_name == NULL && sslsock->is_client) {
 			peer_name = sslsock->url_name;
@@ -1429,11 +1421,6 @@ static void enable_client_sni(php_stream *stream, php_openssl_netstream_data_t *
 
 	GET_VER_OPT_STRING("peer_name", sni_server_name);
 
-	if (GET_VER_OPT("SNI_server_name")) {
-		GET_VER_OPT_STRING("SNI_server_name", sni_server_name);
-		php_error(E_DEPRECATED, "SNI_server_name is deprecated in favor of peer_name");
-	}
-
 	if (sni_server_name) {
 		SSL_set_tlsext_host_name(sslsock->ssl_handle, sni_server_name);
 	}