Fixed bug (#69195 Inconsistent stream crypto values across versions)

PHP 5.6.0 altered the semantics of the following constants:

- STREAM_CRYPTO_METHOD_SSLv23_CLIENT
- STREAM_CRYPTO_METHOD_SSLv23_SERVER
- STREAM_CRYPTO_METHOD_TLS_CLIENT
- STREAM_CRYPTO_METHOD_TLS_SERVER

Instead of representing the SSLv23_*() handshake methods the v23
constants were changed to allow only SSLv2 or SSLv3 connections.
Likewise, the TLS methods were modified from using only the TLSv1
handshake to allowing TLS1,1.1, and 1.2. This created a situation
in which users upgrading from previous versions faced a potential
security degradation if they did not update code to use different
constants. In the interest of compatibility across PHP versions
the original semantics have been restored with the following
caveat:

**IMPORTANT**

The SSLv23 client/server methods will no longer negotiate the use
of the insecure SSLv2 or SSLv3 protocols by default. Users wishing
to allow these protocols must explicitly add them to the method
bitmask via the appropriate flags.

diff --git a/NEWS b/NEWS
index 290e3422b998ffcf62b071d591e35504c5c9c8be..597ea3085803df7b9fa9a0a2c80d9e4c428d1458 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -57,6 +57,8 @@
     (Daniel Lowrey)
   . Fixed bug #68265 (SAN match fails with trailing DNS dot) (Daniel Lowrey)
   . Fixed bug #67403 (Add signatureType to openssl_x509_parse) (Daniel Lowrey)
+  . Fixed bug (#69195 Inconsistent stream crypto values across versions)
+    (Daniel Lowrey)
 
 - pgsql:
   . Fixed bug #68638 (pg_update() fails to store infinite values).

diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index c929d0cd2cac1190d3780be541d250585fe1e2de..eb371c43084c7999b155c8579a76bfca80670c08 100644 (file)
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -323,7 +323,7 @@ finish:
 
                /* enable SSL transport layer */
                if (stream) {
-                       if (php_stream_xport_crypto_setup(stream, STREAM_CRYPTO_METHOD_ANY_CLIENT, NULL TSRMLS_CC) < 0 ||
+                       if (php_stream_xport_crypto_setup(stream, STREAM_CRYPTO_METHOD_SSLv23_CLIENT, NULL TSRMLS_CC) < 0 ||
                            php_stream_xport_crypto_enable(stream, 1 TSRMLS_CC) < 0) {
                                php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "Cannot connect to HTTPS server through proxy");
                                php_stream_close(stream);

diff --git a/main/streams/php_stream_transport.h b/main/streams/php_stream_transport.h
index 9147609822f97fb04c5473c10299cef823ede846..e5d09419de0c3e6e1bcb44c918f9172bb157892e 100644 (file)
--- a/main/streams/php_stream_transport.h
+++ b/main/streams/php_stream_transport.h
@@ -169,19 +169,25 @@ typedef struct _php_stream_xport_param {
 typedef enum {
        STREAM_CRYPTO_METHOD_SSLv2_CLIENT = (1 << 1 | 1),
        STREAM_CRYPTO_METHOD_SSLv3_CLIENT = (1 << 2 | 1),
-       STREAM_CRYPTO_METHOD_SSLv23_CLIENT = ((1 << 1) | (1 << 2) | 1),
+       /* v23 no longer negotiates SSL2 or SSL3 */
+       STREAM_CRYPTO_METHOD_SSLv23_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1),
        STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT = (1 << 3 | 1),
        STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT = (1 << 4 | 1),
        STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT = (1 << 5 | 1),
-       STREAM_CRYPTO_METHOD_TLS_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1),
+       /* tls now equates only to the specific TLSv1 method for BC with pre-5.6 */
+       STREAM_CRYPTO_METHOD_TLS_CLIENT = (1 << 3 | 1),
+       STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1),
        STREAM_CRYPTO_METHOD_ANY_CLIENT = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5) | 1),
        STREAM_CRYPTO_METHOD_SSLv2_SERVER = (1 << 1),
        STREAM_CRYPTO_METHOD_SSLv3_SERVER = (1 << 2),
-       STREAM_CRYPTO_METHOD_SSLv23_SERVER = ((1 << 1) | (1 << 2)),
+       /* v23 no longer negotiates SSL2 or SSL3 */
+       STREAM_CRYPTO_METHOD_SSLv23_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)),
        STREAM_CRYPTO_METHOD_TLSv1_0_SERVER = (1 << 3),
        STREAM_CRYPTO_METHOD_TLSv1_1_SERVER = (1 << 4),
        STREAM_CRYPTO_METHOD_TLSv1_2_SERVER = (1 << 5),
-       STREAM_CRYPTO_METHOD_TLS_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)),
+       /* tls equates only to the specific TLSv1 method for BC with pre-5.6 */
+       STREAM_CRYPTO_METHOD_TLS_SERVER = (1 << 3),
+       STREAM_CRYPTO_METHOD_TLS_ANY_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)),
        STREAM_CRYPTO_METHOD_ANY_SERVER = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5))
 } php_stream_xport_crypt_method_t;