
Commit 6eff701

committed
Enable TLS 1.3 by default
1 parent d7d7d7b commit 6eff701


3 files changed

+74
-7
lines changed


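--- a/ext/openssl/tests/tls_wrapper.phpt
+++ b/ext/openssl/tests/tls_wrapper.phpt
@@ -4,6 +4,7 @@ tls stream wrapper
 <?php
 if (!extension_loaded("openssl")) die("skip openssl not loaded");
 if (!function_exists("proc_open")) die("skip no proc_open");
+if (OPENSSL_VERSION_NUMBER < 0x10101000) die("skip OpenSSL v1.1.1 required");
 ?>
 --FILE--
 <?php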
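Review bot: The guard added to `--SKIPIF--` here is identical to the one in the new "tls stream wrapper when TLS 1.3 available" test in this commit, so on a build linked against OpenSSL older than 1.1.1 both files skip and the `tls://`/`ssl://` wrapper loses its coverage from these tests. If this file is meant to stay the pre-1.1.1 variant, the comparison probably wants to be the inverse, e.g. `if (OPENSSL_VERSION_NUMBER >= 0x10101000) die("skip OpenSSL v1.1.1 or later is covered by the TLS 1.3 variant");`. The test body and its expectations are outside the hunk, so which variant was intended cannot be confirmed from here.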
Lines changed: 66 additions & 0 deletions
@@ -0,0 +1,66 @@
1+
--TEST--
2+
tls stream wrapper when TLS 1.3 available
3+
--SKIPIF--
4+
<?php
5+
if (!extension_loaded("openssl")) die("skip openssl not loaded");
6+
if (!function_exists("proc_open")) die("skip no proc_open");
7+
if (OPENSSL_VERSION_NUMBER < 0x10101000) die("skip OpenSSL v1.1.1 required");
8+
?>
9+
--FILE--
10+
<?php
11+
$serverCode = <<<'CODE'
12+
$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
13+
$ctx = stream_context_create(['ssl' => [
14+
'local_cert' => __DIR__ . '/streams_crypto_method.pem',
15+
]]);
16+
17+
$server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
18+
phpt_notify();
19+
20+
for ($i = 0; $i < (phpt_has_sslv3() ? 7 : 6); $i++) {
21+
@stream_socket_accept($server, 3);
22+
}
23+
CODE;
24+
25+
$clientCode = <<<'CODE'
26+
$flags = STREAM_CLIENT_CONNECT;
27+
$ctx = stream_context_create(['ssl' => [
28+
'verify_peer' => false,
29+
'verify_peer_name' => false,
30+
]]);
31+
32+
phpt_wait();
33+
34+
$client = stream_socket_client("tlsv1.0://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
35+
var_dump($client);
36+
37+
$client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
38+
var_dump($client);
39+
40+
$client = @stream_socket_client("tlsv1.1://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
41+
var_dump($client);
42+
43+
$client = @stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
44+
var_dump($client);
45+
46+
$client = @stream_socket_client("tlsv1.3://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
47+
var_dump($client);
48+
49+
$client = @stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
50+
var_dump($client);
51+
52+
$client = @stream_socket_client("tls://127.0.0.1:64321", $errno, $errstr, 3, $flags, $ctx);
53+
var_dump($client);
54+
CODE;
55+
56+
include 'ServerClientTestCase.inc';
57+
ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
58+
?>
59+
--EXPECTF--
60+
resource(%d) of type (stream)
61+
bool(false)
62+
resource(%d) of type (stream)
63+
resource(%d) of type (stream)
64+
resource(%d) of type (stream)
65+
resource(%d) of type (stream)
66+
resource(%d) of type (stream)
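Review bot: The `--EXPECTF--` block only asserts that each connect returns a stream resource, so for the `ssl://` and `tls://` cases it cannot distinguish a TLS 1.3 handshake from one that settled on an older version, which is the behaviour this commit changes. A regression that drops TLS 1.3 from the default set again would still pass. After the `tls://` (and `ssl://`) connect I would add `var_dump(stream_get_meta_data($client)['crypto']['protocol']);` and expect `string(7) "TLSv1.3"`. The `@` on `stream_socket_accept()` in the server loop also hides any server-side handshake failure, so the client-side assertion is the only place a fallback would show up.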

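--- a/main/streams/php_stream_transport.h
+++ b/main/streams/php_stream_transport.h
@@ -173,21 +173,21 @@ typedef enum {
 STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT = (1 << 5 | 1),
 STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT = (1 << 6 | 1),
 /* TLS equates to TLS_ANY as of PHP 7.2 */
-STREAM_CRYPTO_METHOD_TLS_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1),
-STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1),
-STREAM_CRYPTO_METHOD_ANY_CLIENT = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5) | 1),
+STREAM_CRYPTO_METHOD_TLS_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | (1 << 6) | 1),
+STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | (1 << 6) | 1),
+STREAM_CRYPTO_METHOD_ANY_CLIENT = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5) | (1 << 6) | 1),
 STREAM_CRYPTO_METHOD_SSLv2_SERVER = (1 << 1),
 STREAM_CRYPTO_METHOD_SSLv3_SERVER = (1 << 2),
 /* v23 no longer negotiates SSL2 or SSL3 */
-STREAM_CRYPTO_METHOD_SSLv23_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)),
+STREAM_CRYPTO_METHOD_SSLv23_SERVER = ((1 << 3) | (1 << 4) | (1 << 5) | (1 << 6)),
 STREAM_CRYPTO_METHOD_TLSv1_0_SERVER = (1 << 3),
 STREAM_CRYPTO_METHOD_TLSv1_1_SERVER = (1 << 4),
 STREAM_CRYPTO_METHOD_TLSv1_2_SERVER = (1 << 5),
 STREAM_CRYPTO_METHOD_TLSv1_3_SERVER = (1 << 6),
 /* TLS equates to TLS_ANY as of PHP 7.2 */
-STREAM_CRYPTO_METHOD_TLS_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)),
-STREAM_CRYPTO_METHOD_TLS_ANY_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)),
-STREAM_CRYPTO_METHOD_ANY_SERVER = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5))
+STREAM_CRYPTO_METHOD_TLS_SERVER = ((1 << 3) | (1 << 4) | (1 << 5) | (1 << 6)),
+STREAM_CRYPTO_METHOD_TLS_ANY_SERVER = ((1 << 3) | (1 << 4) | (1 << 5) | (1 << 6)),
+STREAM_CRYPTO_METHOD_ANY_SERVER = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5) | (1 << 6))
 } php_stream_xport_crypt_method_t;
 
 /* These functions provide crypto support on the underlying transport */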
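Review bot: The comments above the aggregate masks still read as before, so nothing in the header records that `(1 << 6)` is now part of every default set (`TLS_*`, `TLS_ANY_*`, `ANY_*`, `SSLv23_SERVER`). I would extend them, e.g. `/* TLS equates to TLS_ANY as of PHP 7.2; includes TLS 1.3 (bit 6) */` and `/* v23 no longer negotiates SSL2 or SSL3; covers TLS 1.0 through 1.3 */`. The bit is set unconditionally here while the tests in this commit are gated on OpenSSL 1.1.1; how the transport code treats it when the linked library lacks TLS 1.3 is not visible in this hunk and should be confirmed. Writing the server aggregates declared after the per-version values as `STREAM_CRYPTO_METHOD_TLSv1_0_SERVER | ... | STREAM_CRYPTO_METHOD_TLSv1_3_SERVER` instead of repeated shifts would make a future version harder to leave out. The enum begins above the hunk.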
