Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* PHP-5.6: Improve OpenSSL compile flag compatibility, minor updates Use crypto method flags; add tlsv1.0 wrapper; add wrapper tests Improve server forward secrecy, refactor client SNI Add 'honor_cipher_order' server context option Add 'capture_session_meta' context option Disable TLS compression by default in both clients and servers Release ssl buffers Add openssl_get_cert_locations() function Explicitly set cert verify depth if not specified Strengthen default cipher list
- Loading branch information
Showing
15 changed files
with
920 additions
and
191 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -0,0 +1,73 @@ | |||
--TEST-- | |||
Capture SSL session meta array in stream context | |||
--SKIPIF-- | |||
<?php | |||
if (!extension_loaded("openssl")) die("skip"); | |||
if (!function_exists('pcntl_fork')) die("skip no fork"); | |||
if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSLv1.0.1 required"); | |||
--FILE-- | |||
<?php | |||
$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; | |||
$ctx = stream_context_create(['ssl' => [ | |||
'local_cert' => __DIR__ . '/bug54992.pem', | |||
'allow_self_signed' => true | |||
]]); | |||
$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); | |||
|
|||
$pid = pcntl_fork(); | |||
if ($pid == -1) { | |||
die('could not fork'); | |||
} else if ($pid) { | |||
|
|||
// Base SSL context values | |||
$sslCtxVars = array( | |||
'verify_peer' => TRUE, | |||
'cafile' => __DIR__ . '/bug54992-ca.pem', | |||
'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file | |||
'capture_session_meta' => TRUE | |||
); | |||
|
|||
// SSLv3 | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_SSLv3_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx); | |||
$meta = stream_context_get_options($ctx)['ssl']['session_meta']; | |||
var_dump($meta['protocol']); | |||
|
|||
// TLSv1 | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx); | |||
$meta = stream_context_get_options($ctx)['ssl']['session_meta']; | |||
var_dump($meta['protocol']); | |||
|
|||
// TLSv1.1 | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx); | |||
$meta = stream_context_get_options($ctx)['ssl']['session_meta']; | |||
var_dump($meta['protocol']); | |||
|
|||
// TLSv1.2 | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx); | |||
$meta = stream_context_get_options($ctx)['ssl']['session_meta']; | |||
var_dump($meta['protocol']); | |||
|
|||
} else { | |||
@pcntl_wait($status); | |||
@stream_socket_accept($server, 1); | |||
@stream_socket_accept($server, 1); | |||
@stream_socket_accept($server, 1); | |||
@stream_socket_accept($server, 1); | |||
} | |||
--EXPECTF-- | |||
string(5) "SSLv3" | |||
string(5) "TLSv1" | |||
string(7) "TLSv1.1" | |||
string(7) "TLSv1.2" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -0,0 +1,58 @@ | |||
--TEST-- | |||
Basic bitwise stream crypto context flag assignment | |||
--SKIPIF-- | |||
<?php | |||
if (!extension_loaded("openssl")) die("skip"); | |||
if (!function_exists('pcntl_fork')) die("skip no fork"); | |||
--FILE-- | |||
<?php | |||
$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; | |||
$ctx = stream_context_create(['ssl' => [ | |||
'local_cert' => __DIR__ . '/bug54992.pem', | |||
'allow_self_signed' => true | |||
]]); | |||
$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); | |||
var_dump($server); | |||
|
|||
$pid = pcntl_fork(); | |||
if ($pid == -1) { | |||
die('could not fork'); | |||
} else if ($pid) { | |||
|
|||
// Base SSL context values | |||
$sslCtxVars = array( | |||
'verify_peer' => TRUE, | |||
'cafile' => __DIR__ . '/bug54992-ca.pem', | |||
'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file | |||
); | |||
|
|||
// SSLv3 | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_SSLv3_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | |||
|
|||
// TLSv1 | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | |||
|
|||
// TLS (any) | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLS_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | |||
|
|||
} else { | |||
@pcntl_wait($status); | |||
@stream_socket_accept($server, 1); | |||
@stream_socket_accept($server, 1); | |||
@stream_socket_accept($server, 1); | |||
} | |||
--EXPECTF-- | |||
resource(%d) of type (stream) | |||
resource(%d) of type (stream) | |||
resource(%d) of type (stream) | |||
resource(%d) of type (stream) | |||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -0,0 +1,67 @@ | |||
--TEST-- | |||
TLSv1.1 and TLSv1.2 bitwise stream crypto flag assignment | |||
--SKIPIF-- | |||
<?php | |||
if (!extension_loaded("openssl")) die("skip"); | |||
if (!function_exists('pcntl_fork')) die("skip no fork"); | |||
if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSLv1.0.1 required"); | |||
--FILE-- | |||
<?php | |||
$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; | |||
$ctx = stream_context_create(['ssl' => [ | |||
'local_cert' => __DIR__ . '/bug54992.pem', | |||
'allow_self_signed' => true | |||
]]); | |||
$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); | |||
var_dump($server); | |||
|
|||
$pid = pcntl_fork(); | |||
if ($pid == -1) { | |||
die('could not fork'); | |||
} else if ($pid) { | |||
|
|||
// Base SSL context values | |||
$sslCtxVars = array( | |||
'verify_peer' => TRUE, | |||
'cafile' => __DIR__ . '/bug54992-ca.pem', | |||
'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file | |||
); | |||
|
|||
// TLSv1 | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | |||
|
|||
// TLSv1.1 | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | |||
|
|||
// TLSv1.2 | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | |||
|
|||
// TLS (any) | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLS_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | |||
|
|||
} else { | |||
@pcntl_wait($status); | |||
@stream_socket_accept($server, 1); | |||
@stream_socket_accept($server, 1); | |||
@stream_socket_accept($server, 1); | |||
@stream_socket_accept($server, 1); | |||
} | |||
--EXPECTF-- | |||
resource(%d) of type (stream) | |||
resource(%d) of type (stream) | |||
resource(%d) of type (stream) | |||
resource(%d) of type (stream) | |||
resource(%d) of type (stream) | |||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -0,0 +1,68 @@ | |||
--TEST-- | |||
Server bitwise stream crypto flag assignment | |||
--SKIPIF-- | |||
<?php | |||
if (!extension_loaded("openssl")) die("skip"); | |||
if (!function_exists('pcntl_fork')) die("skip no fork"); | |||
if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSLv1.0.1 required"); | |||
--FILE-- | |||
<?php | |||
$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; | |||
$ctx = stream_context_create(['ssl' => [ | |||
'local_cert' => __DIR__ . '/bug54992.pem', | |||
'allow_self_signed' => true, | |||
|
|||
// Only accept SSLv3 and TLSv1.2 connections | |||
'crypto_method' => STREAM_CRYPTO_METHOD_SSLv3_SERVER | STREAM_CRYPTO_METHOD_TLSv1_2_SERVER | |||
]]); | |||
$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); | |||
var_dump($server); | |||
|
|||
$pid = pcntl_fork(); | |||
if ($pid == -1) { | |||
die('could not fork'); | |||
} else if ($pid) { | |||
|
|||
// Base SSL context values | |||
$sslCtxVars = array( | |||
'verify_peer' => TRUE, | |||
'cafile' => __DIR__ . '/bug54992-ca.pem', | |||
'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file | |||
); | |||
|
|||
// TLSv1.2 | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | |||
|
|||
// SSLv3 | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_SSLv3_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | |||
|
|||
// TLSv1 (should fail) | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | |||
|
|||
// TLSv1.1 (should fail) | |||
$ctxCopy = $sslCtxVars; | |||
$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT; | |||
$ctx = stream_context_create(array('ssl' => $ctxCopy)); | |||
var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx)); | |||
|
|||
} else { | |||
@pcntl_wait($status); | |||
@stream_socket_accept($server, 1); | |||
@stream_socket_accept($server, 1); | |||
} | |||
--EXPECTF-- | |||
resource(%d) of type (stream) | |||
resource(%d) of type (stream) | |||
resource(%d) of type (stream) | |||
bool(false) | |||
bool(false) | |||
|
Oops, something went wrong.