Fix bug #68074 Allow to use system cipher list instead of hardcoded value
authorRemi Collet <remi@php.net>
Wed, 24 Sep 2014 08:34:55 +0000 (10:34 +0200)
committerRemi Collet <remi@php.net>
Wed, 24 Sep 2014 08:34:55 +0000 (10:34 +0200)
ext/openssl/config0.m4
ext/openssl/xp_ssl.c

index a97114f8085f8a7471e3e0069984b468f6cb8873..701e4883854f67e5cc5c90736713bb1fb5f3c22c 100644 (file)
@@ -8,6 +8,9 @@ PHP_ARG_WITH(openssl, for OpenSSL support,
 PHP_ARG_WITH(kerberos, for Kerberos support,
 [  --with-kerberos[=DIR]     OPENSSL: Include Kerberos support], no, no)
 
+PHP_ARG_WITH(system-ciphers, whether to use system default cipher list instead of hardcoded value,
+[  --with-system-ciphers   OPENSSL: Use system default cipher list instead of hardcoded value], no, no)
+
 if test "$PHP_OPENSSL" != "no"; then
   PHP_NEW_EXTENSION(openssl, openssl.c xp_ssl.c, $ext_shared)
   PHP_SUBST(OPENSSL_SHARED_LIBADD)
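Review bot: The help string on the added `PHP_ARG_WITH(system-ciphers, ...)` does not say that enabling the option drops PHP's built-in default cipher list for streams, so the effective TLS cipher policy then comes from whatever the linked OpenSSL or the distribution configures. A short comment above the macro would record that trade-off for packagers, for example `dnl With this option, streams without a "ciphers" context option use the OpenSSL/system default cipher list`. The option is also declared outside the `if test "$PHP_OPENSSL" != "no"` block, so configure offers it even when OpenSSL support is disabled; that matches the kerberos option above it, but it means the flag can be passed with no effect.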
@@ -25,4 +28,7 @@ if test "$PHP_OPENSSL" != "no"; then
   ], [
     AC_MSG_ERROR([OpenSSL check failed. Please check config.log for more information.])
   ])
+  if test "$PHP_SYSTEM_CIPHERS" != "no"; then
+    AC_DEFINE(USE_OPENSSL_SYSTEM_CIPHERS,1,[ Use system default cipher list instead of hardcoded value ])
+  fi
 fi
index de9e9911c1c7d0649e3ed855aeda4ea93fd74d40..2f81dc7e47bd3f6cb91109166d89df701078a978 100644 (file)
@@ -1476,13 +1476,16 @@ int php_openssl_setup_crypto(php_stream *stream,
        }
 
        GET_VER_OPT_STRING("ciphers", cipherlist);
+#ifndef USE_OPENSSL_SYSTEM_CIPHERS
        if (!cipherlist) {
                cipherlist = OPENSSL_DEFAULT_STREAM_CIPHERS;
        }
-       if (SSL_CTX_set_cipher_list(sslsock->ctx, cipherlist) != 1) {
-               return FAILURE;
+#endif
+       if (cipherlist) {
+               if (SSL_CTX_set_cipher_list(sslsock->ctx, cipherlist) != 1) {
+                       return FAILURE;
+               }
        }
-
        if (FAILURE == set_local_cert(sslsock->ctx, stream TSRMLS_CC)) {
                return FAILURE;
        }
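Review bot: When `USE_OPENSSL_SYSTEM_CIPHERS` is defined and no `ciphers` context option is given, the new `if (cipherlist)` guard skips `SSL_CTX_set_cipher_list()` altogether, and nothing in the code says the context then keeps the library or system default instead of `OPENSSL_DEFAULT_STREAM_CIPHERS`. A comment above the `#ifndef` would make that explicit, e.g. `/* system-ciphers build: keep the OpenSSL default list unless the "ciphers" option is set */`. The `return FAILURE` after a rejected list also gives no diagnostic, so a mistyped or unsupported cipher string fails the handshake setup silently; a line such as `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed setting cipher list: %s", cipherlist);` before the return would help operators notice a bad policy string. `php_openssl_setup_crypto` starts and ends outside this hunk, so any handling elsewhere in the function is not visible here.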