wez Wed Apr 21 19:02:04 2004 EDT
Modified files:
/php-src/ext/openssl openssl.c xp_ssl.c
Log:
Fix bug #28096 - stream_socket_accept() on an SSL server socket doesn't
enable SSL on the accepted socket.
- Add cipher list context option
- Add a helpful hint about why an SSL server socket fails with a mysterious
error (e.g. you need an SSL certificate for most ciphers).
http://cvs.php.net/diff.php/php-src/ext/openssl/openssl.c?r1=1.88&r2=1.89&ty=u
Index: php-src/ext/openssl/openssl.c
diff -u php-src/ext/openssl/openssl.c:1.88 php-src/ext/openssl/openssl.c:1.89
--- php-src/ext/openssl/openssl.c:1.88 Mon Mar 29 14:57:48 2004
+++ php-src/ext/openssl/openssl.c Wed Apr 21 19:02:04 2004
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: openssl.c,v 1.88 2004/03/29 19:57:48 iliaa Exp $ */
+/* $Id: openssl.c,v 1.89 2004/04/21 23:02:04 wez Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -3206,6 +3206,7 @@
char *cafile = NULL;
char *capath = NULL;
char *certfile = NULL;
+ char *cipherlist = NULL;
int ok = 1;
@@ -3240,6 +3241,12 @@
SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
}
+ GET_VER_OPT_STRING("ciphers", cipherlist);
+ if (!cipherlist) {
+ cipherlist = "DEFAULT";
+ }
+ SSL_CTX_set_cipher_list(ctx, cipherlist);
+
GET_VER_OPT_STRING("local_cert", certfile);
if (certfile) {
X509 *cert = NULL;
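Review bot: The return value of `SSL_CTX_set_cipher_list(ctx, cipherlist)` is discarded, so a `ciphers` context option that selects no usable suite (a typo, or suites this OpenSSL build does not provide) is silently ignored and the context keeps the cipher list it already had, instead of failing stream setup the way the other configuration errors in this function appear to. I'd guard it as `if (SSL_CTX_set_cipher_list(ctx, cipherlist) != 1) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set cipher list"); ok = 0; }`, on the assumption that `ok` (declared as `int ok = 1;` in the previous hunk) is the flag the surrounding checks clear on failure. The enclosing function starts and ends outside the hunk, so that assumption and the final use of `ok` are not visible here.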
http://cvs.php.net/diff.php/php-src/ext/openssl/xp_ssl.c?r1=1.14&r2=1.15&ty=u
Index: php-src/ext/openssl/xp_ssl.c
diff -u php-src/ext/openssl/xp_ssl.c:1.14 php-src/ext/openssl/xp_ssl.c:1.15
--- php-src/ext/openssl/xp_ssl.c:1.14 Thu Jan 8 03:16:39 2004
+++ php-src/ext/openssl/xp_ssl.c Wed Apr 21 19:02:04 2004
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: xp_ssl.c,v 1.14 2004/01/08 08:16:39 andi Exp $ */
+/* $Id: xp_ssl.c,v 1.15 2004/04/21 23:02:04 wez Exp $ */
#include "php.h"
#include "ext/standard/file.h"
@@ -53,7 +53,7 @@
char esbuf[512];
char *ebuf = NULL, *wptr = NULL;
size_t ebuf_size = 0;
- unsigned long code;
+ unsigned long code, ecode;
int retry = 1;
switch(err) {
@@ -84,37 +84,49 @@
}
break;
}
+
+
/* fall through */
default:
/* some other error */
- while ((code = ERR_get_error()) != 0) {
- /* allow room for a NUL and an optional \n */
- if (ebuf) {
- esbuf[0] = '\n';
- esbuf[1] = '\0';
- ERR_error_string_n(code, esbuf + 1,
sizeof(esbuf) - 2);
- } else {
- esbuf[0] = '\0';
- ERR_error_string_n(code, esbuf, sizeof(esbuf)
- 1);
- }
- code = strlen(esbuf);
- esbuf[code] = '\0';
+ ecode = ERR_get_error();
+
+ switch (ERR_GET_REASON(ecode)) {
+ case SSL_R_NO_SHARED_CIPHER:
+ php_error_docref(NULL TSRMLS_CC, E_WARNING,
"SSL_R_NO_SHARED_CIPHER: no suitable shared cipher could be used. This could be
because the server is missing an SSL certificate (local_cert context option)");
+ retry = 0;
+ break;
- ebuf = erealloc(ebuf, ebuf_size + code + 1);
- if (wptr == NULL) {
- wptr = ebuf;
- }
-
- /* also copies the NUL */
- memcpy(wptr, esbuf, code + 1);
- wptr += code;
- }
-
- php_error_docref(NULL TSRMLS_CC, E_WARNING,
- "SSL operation failed with code %d.%s%s",
- err,
- ebuf ? "OpenSSL Error messages:\n" : "",
- ebuf ? ebuf : "");
+ default:
+ do {
+ /* allow room for a NUL and an
optional \n */
+ if (ebuf) {
+ esbuf[0] = '\n';
+ esbuf[1] = '\0';
+ ERR_error_string_n(ecode,
esbuf + 1, sizeof(esbuf) - 2);
+ } else {
+ esbuf[0] = '\0';
+ ERR_error_string_n(ecode,
esbuf, sizeof(esbuf) - 1);
+ }
+ code = strlen(esbuf);
+ esbuf[code] = '\0';
+
+ ebuf = erealloc(ebuf, ebuf_size + code
+ 1);
+ if (wptr == NULL) {
+ wptr = ebuf;
+ }
+
+ /* also copies the NUL */
+ memcpy(wptr, esbuf, code + 1);
+ wptr += code;
+ } while ((ecode = ERR_get_error()) != 0);
+
+ php_error_docref(NULL TSRMLS_CC, E_WARNING,
+ "SSL operation failed with
code %d. %s%s",
+ err,
+ ebuf ? "OpenSSL Error
messages:\n" : "",
+ ebuf ? ebuf : "");
+ }
retry = 0;
}
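Review bot: In the new `default:` branch, `ecode = ERR_get_error()` followed by `do { … } while ((ecode = ERR_get_error()) != 0)` formats the first code even when it is 0, so an SSL failure with an empty OpenSSL error queue now reports a meaningless `error:00000000:…` entry where the old `while` loop reported nothing; guarding the loop with `if (ecode != 0)` (or keeping the `while` form) restores that. `ERR_GET_REASON(ecode)` is compared against `SSL_R_NO_SHARED_CIPHER` without checking the library part of the code; reason numbers are only unique within one OpenSSL library, so an error from another component with the same reason value would be reported as the no-shared-cipher hint — the check should be `if (ERR_GET_LIB(ecode) == ERR_LIB_SSL && ERR_GET_REASON(ecode) == SSL_R_NO_SHARED_CIPHER) { … } else { … }` rather than a `switch` on the reason alone. The `SSL_R_NO_SHARED_CIPHER` branch also leaves any further entries on the error queue, where they will surface in the next unrelated error report; `ERR_clear_error();` before its `retry = 0;` drains them. The enclosing function starts outside the hunk, so whether `ebuf` is freed after the switch is not visible here.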
@@ -424,6 +436,36 @@
xparam->outputs.client->context = stream->context;
}
}
+
+ if (xparam->outputs.client && sock->enable_on_connect) {
+ /* apply crypto */
+ switch (sock->method) {
+ case STREAM_CRYPTO_METHOD_SSLv23_CLIENT:
+ sock->method =
STREAM_CRYPTO_METHOD_SSLv23_SERVER;
+ break;
+ case STREAM_CRYPTO_METHOD_SSLv2_CLIENT:
+ sock->method =
STREAM_CRYPTO_METHOD_SSLv2_SERVER;
+ break;
+ case STREAM_CRYPTO_METHOD_SSLv3_CLIENT:
+ sock->method =
STREAM_CRYPTO_METHOD_SSLv3_SERVER;
+ break;
+ case STREAM_CRYPTO_METHOD_TLS_CLIENT:
+ sock->method = STREAM_CRYPTO_METHOD_TLS_SERVER;
+ break;
+ }
+
+ clisockdata->method = sock->method;
+
+ if (php_stream_xport_crypto_setup(xparam->outputs.client,
clisockdata->method,
+ NULL TSRMLS_CC) < 0 ||
php_stream_xport_crypto_enable(
+ xparam->outputs.client, 1 TSRMLS_CC) < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to
enable crypto");
+
+ php_stream_close(xparam->outputs.client);
+ xparam->outputs.client = NULL;
+ xparam->outputs.returncode = -1;
+ }
+ }
}
return xparam->outputs.client == NULL ? -1 : 0;
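Review bot: The `switch (sock->method)` in the new `enable_on_connect` block rewrites the listening socket's own `method` field on every accept, so the server stream's stored method silently changes from a `_CLIENT` to a `_SERVER` constant the first time a client connects; the mapping is better computed into a local and only `clisockdata->method` assigned, so the listener is left as configured. The switch also has no `default:`; a value that is already a `_SERVER` constant passes through unchanged, which is presumably intended, but an explicit `default:` with a one-line comment documents that. The type of `sock->method` is not visible in the hunk, so the `int` below is an assumption to confirm against the struct; the enclosing function starts and ends outside the hunk.
```c
	if (xparam->outputs.client && sock->enable_on_connect) {
		/* apply crypto: derive the server-side method from the listener's
		 * configured method without modifying the listening socket itself */
		int method = sock->method;
		switch (method) {
			case STREAM_CRYPTO_METHOD_SSLv23_CLIENT:
				method = STREAM_CRYPTO_METHOD_SSLv23_SERVER;
				break;
			case STREAM_CRYPTO_METHOD_SSLv2_CLIENT:
				method = STREAM_CRYPTO_METHOD_SSLv2_SERVER;
				break;
			case STREAM_CRYPTO_METHOD_SSLv3_CLIENT:
				method = STREAM_CRYPTO_METHOD_SSLv3_SERVER;
				break;
			case STREAM_CRYPTO_METHOD_TLS_CLIENT:
				method = STREAM_CRYPTO_METHOD_TLS_SERVER;
				break;
			default:
				/* already a server method, or unknown: pass through unchanged */
				break;
		}
		clisockdata->method = method;
		/* … unchanged: crypto setup/enable on the accepted stream and the failure path … */
```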
@@ -524,14 +566,14 @@
}
}
return PHP_STREAM_OPTION_RETURN_OK;
- break;
case STREAM_XPORT_OP_ACCEPT:
/* we need to copy the additional fields that
the underlying tcp transport
* doesn't know about */
xparam->outputs.returncode =
php_openssl_tcp_sockop_accept(stream, sslsock, xparam STREAMS_CC TSRMLS_CC);
+
+
return PHP_STREAM_OPTION_RETURN_OK;
- break;
default:
/* fall through */