scottmac Fri, 20 Jan 2012 05:31:53 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=322485
Log: Fix CVE-2011-3389. Possible attack on CBC mode with TLS 1.0. See http://www.openssl.org/~bodo/tls-cbc.txt The biggest reason for this mode being in SSL_OP_ALL was older versions of IE (2002) talking to servers using OpenSSL. Can hopefully get this into 5.4.
Changed paths:
U php/php-src/trunk/ext/ftp/ftp.c
U php/php-src/trunk/ext/openssl/xp_ssl.c
Modified: php/php-src/trunk/ext/ftp/ftp.c
===================================================================
--- php/php-src/trunk/ext/ftp/ftp.c 2012-01-20 05:16:03 UTC (rev 322484)
+++ php/php-src/trunk/ext/ftp/ftp.c 2012-01-20 05:31:53 UTC (rev 322485)
@@ -243,6 +243,7 @@
 {
 #if HAVE_OPENSSL_EXT
 SSL_CTX *ctx = NULL;
+ long ssl_ctx_options = SSL_OP_ALL;
 #endif
 if (ftp == NULL) {
 return 0;
@@ -279,7 +280,10 @@
 return 0;
 }
 
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
+ ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+ SSL_CTX_set_options(ctx, ssl_ctx_options);
 
 ftp->ssl_handle = SSL_new(ctx);
 if (ftp->ssl_handle == NULL) {
@@ -1495,6 +1499,7 @@
 
 #if HAVE_OPENSSL_EXT
 SSL_CTX *ctx;
+ long ssl_ctx_options = SSL_OP_ALL;
 #endif
 
 if (data->fd != -1) {
@@ -1521,7 +1526,10 @@
 return 0;
 }
 
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
+ ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+ SSL_CTX_set_options(ctx, ssl_ctx_options);
 
 data->ssl_handle = SSL_new(ctx);
 if (data->ssl_handle == NULL) {
Modified: php/php-src/trunk/ext/openssl/xp_ssl.c
===================================================================
--- php/php-src/trunk/ext/openssl/xp_ssl.c 2012-01-20 05:16:03 UTC (rev 322484)
+++ php/php-src/trunk/ext/openssl/xp_ssl.c 2012-01-20 05:31:53 UTC (rev 322485)
@@ -310,6 +310,7 @@
 TSRMLS_DC)
 {
 SSL_METHOD *method;
+ long ssl_ctx_options = SSL_OP_ALL;
 
 if (sslsock->ssl_handle) {
 if (sslsock->s.is_blocked) {
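Review bot: The four lines that clear SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in the @@ -279 hunk carry no comment saying why a bit of SSL_OP_ALL is being switched back off, and the same lines are copy-pasted verbatim at ftp.c @@ -1521 and xp_ssl.c @@ -377, so a later tidy-up back to `SSL_CTX_set_options(ctx, SSL_OP_ALL);` at any one site would silently reopen CVE-2011-3389 for that connection type. Put the reason next to the bit at each site, e.g. `/* CVE-2011-3389: SSL_OP_ALL turns off OpenSSL's empty-fragment countermeasure for CBC suites under TLS 1.0; keep it enabled */`, and preferably compute the option mask once in a shared helper or macro that all three callers use so the fix has a single home. The OPENSSL_VERSION_NUMBER guard presumably marks the first release that defines the option; naming that in the same comment saves the next reader a lookup. The enclosing functions begin and end outside these hunks, and ssl_ctx_options is declared in the earlier hunk of each file.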
@@ -377,7 +378,10 @@
 return -1;
 }
 
- SSL_CTX_set_options(sslsock->ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
+ ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+ SSL_CTX_set_options(sslsock->ctx, ssl_ctx_options);
 
 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL
 {