Bug #67609: TLS connections fail behind HTTP proxy
authorDaniel Lowrey <rdlowrey@php.net>
Sat, 12 Jul 2014 14:49:42 +0000 (10:49 -0400)
committerDaniel Lowrey <rdlowrey@php.net>
Sat, 12 Jul 2014 14:51:44 +0000 (10:51 -0400)
NEWS
ext/standard/http_fopen_wrapper.c

diff --git a/NEWS b/NEWS
index 8b1f520c8123e52ed192098727fe4bb69ab0643e..52aed3f13a072b9a1035632215ac0c1bd963facc 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,9 @@ PHP                                                                        NEWS
 - pgsql:
   . Fixed bug #67555 (Cannot build against libpq 7.3). (Adam)
 
+- OpenSSL:
+  . Fixed bug #67609 (TLS connections fail behind HTTP proxy). (Daniel Lowrey)
+
 - Phar:
   . Fixed bug #67587 (Redirection loop on nginx with FPM). (Christian Weiske)
 
index 1b8d505a4b863dda7613457b59f8494da6850eb1..87d0bd64e39b4c328b73a8c3faf3eb14160d739e 100644 (file)
@@ -120,7 +120,7 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
        char *scratch = NULL;
        char *tmp = NULL;
        char *ua_str = NULL;
-       zval **ua_zval = NULL, **tmpzval = NULL;
+       zval **ua_zval = NULL, **tmpzval = NULL, *ssl_proxy_peer_name = NULL;
        int scratch_len = 0;
        int body = 0;
        char location[HTTP_HEADER_BLOCK_SIZE];
@@ -224,6 +224,13 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
        efree(transport_string);
 
        if (stream && use_proxy && use_ssl) {
+               /* Set peer_name or name verification will try to use the proxy server name */
+               if (!context || php_stream_context_get_option(context, "ssl", "peer_name", &tmpzval) == FAILURE) {
+                       MAKE_STD_ZVAL(ssl_proxy_peer_name);
+                       ZVAL_STRING(ssl_proxy_peer_name, resource->host, 1);
+                       php_stream_context_set_option(stream->context, "ssl", "peer_name", ssl_proxy_peer_name);
+               }
+
                smart_str header = {0};
 
                smart_str_appendl(&header, "CONNECT ", sizeof("CONNECT ")-1);
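Review bot: The zval allocated with `MAKE_STD_ZVAL(ssl_proxy_peer_name)` is never released in this hunk; if `php_stream_context_set_option` stores its own copy (its implementation is not shown here), the original leaks on every proxied HTTPS request, and a `zval_ptr_dtor(&ssl_proxy_peer_name);` right after the set call would balance it. The new `if` block also sits before `smart_str header = {0};`, which puts a declaration after a statement; if this file is still built as C89, move the declaration above the comment. The lookup reads `context` while the write goes to `stream->context`: in the `!context` case the write target is not checked for NULL, and when both are the same object the stored `peer_name` stays in the context, so a later request to a different host through that context would presumably be verified against the stale name. That last point is worth confirming and, if it holds, the override should be scoped to this stream only. The enclosing function starts and ends outside the hunk.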
@@ -316,7 +323,7 @@ finish:
 
                /* enable SSL transport layer */
                if (stream) {
-                       if (php_stream_xport_crypto_setup(stream, STREAM_CRYPTO_METHOD_SSLv23_CLIENT, NULL TSRMLS_CC) < 0 ||
+                       if (php_stream_xport_crypto_setup(stream, STREAM_CRYPTO_METHOD_ANY_CLIENT, NULL TSRMLS_CC) < 0 ||
                            php_stream_xport_crypto_enable(stream, 1 TSRMLS_CC) < 0) {
                                php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "Cannot connect to HTTPS server through proxy");
                                php_stream_close(stream);
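Review bot: The method passed to `php_stream_xport_crypto_setup` is still a hard-coded constant, so nothing visible in this hunk lets a caller's `ssl` context options (for example `crypto_method`) restrict which protocol versions the tunnelled handshake may negotiate. The definition of `STREAM_CRYPTO_METHOD_ANY_CLIENT` is outside the hunk; if it includes legacy protocol versions in this build, proxied HTTPS requests would accept a lower protocol floor than direct ones configured through the context. At minimum the choice deserves a comment above the call, such as `/* ANY_CLIENT: negotiate the highest mutually supported version; the protocol floor is not taken from the stream context here */`. The failure branch also reports every handshake or verification error as "Cannot connect to HTTPS server through proxy", so a peer-name mismatch is indistinguishable from a connection failure in logs. The enclosing block starts before the hunk and continues past it.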