Dropped CN_match and SNI_server_name context options
authorNikita Popov <nikic@php.net>
Fri, 24 Apr 2015 16:18:18 +0000 (18:18 +0200)
committerNikita Popov <nikic@php.net>
Fri, 24 Apr 2015 16:18:18 +0000 (18:18 +0200)
NEWS
UPGRADING
ext/openssl/xp_ssl.c

diff --git a/NEWS b/NEWS
index dcf86de5b393c19895e0a58352d44aa6e4d5819c..3169cb546f79022fbf735d2cc579dc114f476d59 100644 (file)
--- a/NEWS
+++ b/NEWS
     streams to negotiate alternative protocols using the ALPN TLS extension when
     built against OpenSSL 1.0.2 or newer. Negotiated protocol information is
     accessible through stream_get_meta_data() output.
+  . Removed "CN_match" and "SNI_server_name" SSL context options. Use automatic
+    detection or the "peer_name" option instead. (Nikita)
 
 - pcntl:
   . Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler
index d0551b6e579b008e9088643a0bee9d1c1ef07074..c85d18e32fe00ae6ed4f794c5a5f4591d4539dfe 100644 (file)
--- a/UPGRADING
+++ b/UPGRADING
@@ -482,6 +482,8 @@ Other
 - OpenSSL:
   . Removed the "rsa_key_size" SSL context option in favor of automatically
     setting the appropriate size given the negotiated crypto algorithm.
+  . Removed "CN_match" and "SNI_server_name" SSL context options. Use automatic
+    detection or the "peer_name" option instead.
 
 - PCRE:
   . Removed support for /e (PREG_REPLACE_EVAL) modifier. Use
index 2fbc615dd27f55469cfd9dadd9da666866ef859c..1d340af8cb6bed1e2dd50b991cb038968f31594b 100644 (file)
@@ -484,8 +484,7 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre
        int err,
                must_verify_peer,
                must_verify_peer_name,
-               must_verify_fingerprint,
-               has_cnmatch_ctx_opt;
+               must_verify_fingerprint;
 
        php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract;
 
@@ -493,8 +492,7 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre
                ? zend_is_true(val)
                : sslsock->is_client;
 
-       has_cnmatch_ctx_opt = GET_VER_OPT("CN_match");
-       must_verify_peer_name = (has_cnmatch_ctx_opt || GET_VER_OPT("verify_peer_name"))
+       must_verify_peer_name = GET_VER_OPT("verify_peer_name")
                ? zend_is_true(val)
                : sslsock->is_client;
 
@@ -549,12 +547,6 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre
        if (must_verify_peer_name) {
                GET_VER_OPT_STRING("peer_name", peer_name);
 
-               if (has_cnmatch_ctx_opt) {
-                       GET_VER_OPT_STRING("CN_match", peer_name);
-                       php_error(E_DEPRECATED,
-                               "the 'CN_match' SSL context option is deprecated in favor of 'peer_name'"
-                       );
-               }
                /* If no peer name was specified we use the autodetected url name in client environments */
                if (peer_name == NULL && sslsock->is_client) {
                        peer_name = sslsock->url_name;
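Review bot: A context that still sets 'CN_match' is now ignored with no diagnostic at all, where the branch removed in this hunk at least raised E_DEPRECATED. On a client stream this looks fail-closed, because `peer_name` falls back to `sslsock->url_name`. On a server-side stream, however, the previous hunk's default `: sslsock->is_client` leaves `must_verify_peer_name` false unless "verify_peer_name" is set, so code that relied on 'CN_match' alone to check client-certificate names would, as far as these hunks show, silently lose that check. I would keep a loud failure for the stale key, for example `if (GET_VER_OPT("CN_match")) php_error(E_WARNING, "the 'CN_match' SSL context option was removed, use 'peer_name'");`, placed where it does not disturb later uses of `val`, and do the same for 'SNI_server_name' in the enable_client_sni hunk. apply_peer_verification_policy starts and ends outside this hunk, and the GET_VER_OPT macro is not visible, so its effect on `val` is assumed.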
@@ -1429,11 +1421,6 @@ static void enable_client_sni(php_stream *stream, php_openssl_netstream_data_t *
 
        GET_VER_OPT_STRING("peer_name", sni_server_name);
 
-       if (GET_VER_OPT("SNI_server_name")) {
-               GET_VER_OPT_STRING("SNI_server_name", sni_server_name);
-               php_error(E_DEPRECATED, "SNI_server_name is deprecated in favor of peer_name");
-       }
-
        if (sni_server_name) {
                SSL_set_tlsext_host_name(sslsock->ssl_handle, sni_server_name);
        }