Implemented FR #53447 (Cannot disable SessionTicket extension for servers that

do not support it).

I haven't written a test due to the need for such a test to have a HTTPS server
available which mishandles SessionTicket requests; it's likely that server
administrators will gradually fix this either intentionally or through OpenSSL
upgrades. That said, if there's a great clamoring for a test, I'll work one up.

diff --git a/NEWS b/NEWS
index ca5e34810f69302371849fb90dbe49af484dd348..c834513b0b68a5eef9658052d9358c12a01ac50a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -152,6 +152,8 @@ PHP                                                                        NEWS
 
 - Improved OpenSSL extension:
   . Added AES support. FR #48632. (yonas dot y at gmail dot com, Pierre)
+  . Added a "no_ticket" SSL context option to disable the SessionTicket TLS
+    extension. FR #53447. (Adam)
 
 - Improved PDO DB-LIB: (Stanley)
   . Added nextRowset support.

diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index 9b7c9d45f1b8568c3c748cf15c9f04cd3f02b273..93ccf2826c5ece8ba49f58ad06aeb222c7e1ec8a 100644 (file)
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -369,6 +369,18 @@ static inline int php_openssl_setup_crypto(php_stream *stream,
 
        SSL_CTX_set_options(sslsock->ctx, SSL_OP_ALL);
 
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL
+       {
+               zval **val;
+
+               if (SUCCESS == php_stream_context_get_option(
+                                       stream->context, "ssl", "no_ticket", &val) && 
+                               zval_is_true(*val)) {
+                       SSL_CTX_set_options(sslsock->ctx, SSL_OP_NO_TICKET);
+               }
+       }
+#endif
+
        sslsock->ssl_handle = php_SSL_new_from_context(sslsock->ctx, stream TSRMLS_CC);
        if (sslsock->ssl_handle == NULL) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to create an SSL handle");