Fixed bug #78775
authorNikita Popov <nikita.ppv@gmail.com>
Tue, 5 Nov 2019 11:13:46 +0000 (12:13 +0100)
committerNikita Popov <nikita.ppv@gmail.com>
Tue, 5 Nov 2019 11:13:46 +0000 (12:13 +0100)
Clear the OpenSSL error queue before performing SSL stream operations.
As we don't control all code that could possibly be using OpenSSL,
we can't rely on the error queue being empty.

NEWS
ext/curl/tests/bug78775.phpt [new file with mode: 0644]
ext/openssl/xp_ssl.c

diff --git a/NEWS b/NEWS
index b56409b4afa2ccbcc9f1e10657c9568a4a2c98d2..9f7bb04eebc670b8417183f1edd84665d94d6623 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,10 @@ PHP                                                                        NEWS
     non-ascii characters). (mhagstrand)
   . Fixed bug #78747 (OpCache corrupts custom extension result). (Nikita)
 
+- OpenSSL:
+  . Fixed bug #78775 (TLS issues from HTTP request affecting other encrypted
+    connections). (Nikita)
+
 - Reflection:
   . Fixed bug #78697 (ReflectionClass::ImplementsInterface - inaccurate error 
     message with traits). (villfa)
diff --git a/ext/curl/tests/bug78775.phpt b/ext/curl/tests/bug78775.phpt
new file mode 100644 (file)
index 0000000..490c168
--- /dev/null
@@ -0,0 +1,34 @@
+--TEST--
+Bug #78775: TLS issues from HTTP request affecting other encrypted connections
+--SKIPIF--
+<?php
+if (!extension_loaded('curl')) die('skip Requires curl');
+if (getenv('SKIP_ONLINE_TESTS')) die('skip Online test');
+?>
+--FILE--
+<?php
+
+$sock = fsockopen("tls://google.com", 443);
+
+var_dump($sock);
+
+$handle = curl_init('https://self-signed.badssl.com/');
+curl_setopt_array(
+    $handle,
+    [
+        CURLOPT_RETURNTRANSFER => true,
+        CURLOPT_SSL_VERIFYPEER => true,
+    ]
+);
+
+var_dump(curl_exec($handle));
+curl_close($handle);
+
+fwrite($sock, "GET / HTTP/1.0\n\n");
+var_dump(fread($sock, 8));
+
+?>
+--EXPECTF--
+resource(%d) of type (stream)
+bool(false)
+string(8) "HTTP/1.0"
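Review bot: The SKIPIF section checks only for curl, but the first statement of the test opens `tls://google.com` through fsockopen(), and the `tls://` transport is provided by the openssl extension; on a build with curl but without openssl the test would fail rather than skip. I would add `if (!extension_loaded('openssl')) die('skip Requires openssl');` next to the curl check. The expected output also depends on two third-party hosts staying reachable and on self-signed.badssl.com continuing to fail verification, so an outage there reads the same as a regression; a short comment in the FILE section stating that the curl request is meant to fail and leave entries on the OpenSSL error queue would make that intent clear.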
index 3df1a1889a294b7cad587631b098f89d4f27731a..36939de8fe1aa4d18dbd1288736439df9eb617d7 100644 (file)
@@ -1873,6 +1873,7 @@ static int php_openssl_enable_crypto(php_stream *stream,
                do {
                        struct timeval cur_time, elapsed_time;
 
+                       ERR_clear_error();
                        if (sslsock->is_client) {
                                n = SSL_connect(sslsock->ssl_handle);
                        } else {
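Review bot: The `ERR_clear_error()` added ahead of `SSL_connect()` has no comment, so nothing in the code tells a later reader that it exists because SSL_get_error() consults the thread's error queue and other OpenSSL users in the process (curl, in the accompanying test) can leave entries on it. I would put `/* SSL_get_error() inspects the thread's error queue; drop entries left by other OpenSSL users first. */` above the call, and the same above the call added in php_openssl_sockop_io. Any other SSL_* call in this file whose result is passed to SSL_get_error() would presumably need the same clearing; none are visible in these hunks, so that is worth checking against the full file. The do-loop and php_openssl_enable_crypto both continue outside the hunk.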
@@ -2045,6 +2046,7 @@ static size_t php_openssl_sockop_io(int read, php_stream *stream, char *buf, siz
                        }
 
                        /* Now, do the IO operation. Don't block if we can't complete... */
+                       ERR_clear_error();
                        if (read) {
                                nr_bytes = SSL_read(sslsock->ssl_handle, buf, (int)count);