From 18ec6dae2ca8bc4f33a6079d5ef93cc50259b4cc Mon Sep 17 00:00:00 2001
From: Adam Harvey
Date: Fri, 3 Dec 2010 09:34:35 +0000
Subject: [PATCH] Implemented FR #53447 (Cannot disable SessionTicket extension for servers that do not support it).

I haven't written a test due to the need for such a test to have a HTTPS server available which mishandles SessionTicket requests; it's likely that server administrators will gradually fix this either intentionally or through OpenSSL upgrades. That said, if there's a great clamoring for a test, I'll work one up.
---
 NEWS | 2 ++
 ext/openssl/xp_ssl.c | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/NEWS b/NEWS
index ca5e34810f..c834513b0b 100644
--- a/NEWS
+++ b/NEWS
@@ -152,6 +152,8 @@ PHP NEWS
 - Improved OpenSSL extension:
 . Added AES support. FR #48632. (yonas dot y at gmail dot com, Pierre)
+ . Added a "no_ticket" SSL context option to disable the SessionTicket TLS
+ extension. FR #53447. (Adam)
 - Improved PDO DB-LIB: (Stanley)
 . Added nextRowset support.
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index 9b7c9d45f1..93ccf2826c 100644
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -369,6 +369,18 @@ static inline int php_openssl_setup_crypto(php_stream *stream,
 SSL_CTX_set_options(sslsock->ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL
+ {
+ zval **val;
+
+ if (SUCCESS == php_stream_context_get_option(
+ stream->context, "ssl", "no_ticket", &val) &&
+ zval_is_true(*val)) {
+ SSL_CTX_set_options(sslsock->ctx, SSL_OP_NO_TICKET);
+ }
+ }
+#endif
+
 sslsock->ssl_handle = php_SSL_new_from_context(sslsock->ctx, stream TSRMLS_CC);
 if (sslsock->ssl_handle == NULL) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to create an SSL handle");
-- 
2.50.1
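Review bot: The new lookup in the xp_ssl.c hunk passes `stream->context` to php_stream_context_get_option without checking it for NULL, so a stream that reaches php_openssl_setup_crypto with no context attached would dereference a null pointer inside the lookup; the condition should read `if (stream->context && SUCCESS == php_stream_context_get_option(stream->context, "ssl", "no_ticket", &val) && zval_is_true(*val)) {` — I believe the other "ssl" option lookups in this extension guard on the context first, worth confirming against them. The `#if OPENSSL_VERSION_NUMBER >= 0x0090806fL` gate means a user who sets "no_ticket" on a PHP built against an older OpenSSL gets no effect and no diagnostic, which is surprising for an option added specifically to work around broken servers; at minimum a comment such as `/* SSL_OP_NO_TICKET exists from OpenSSL 0.9.8f; on older builds "no_ticket" is silently ignored */` above the block, and ideally a mention in the NEWS entry, would make that visible. The body of php_openssl_setup_crypto begins before and continues past this hunk.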