From 2a87a42cd431ea8008ce24db6e57948052ff805d Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Fri, 24 Apr 2015 18:18:18 +0200 Subject: [PATCH] Dropped CN_match and SNI_server_name context options --- NEWS | 2 ++ UPGRADING | 2 ++ ext/openssl/xp_ssl.c | 17 ++--------------- 3 files changed, 6 insertions(+), 15 deletions(-) diff --git a/NEWS b/NEWS index dcf86de5b3..3169cb546f 100644 --- a/NEWS +++ b/NEWS @@ -147,6 +147,8 @@ streams to negotiate alternative protocols using the ALPN TLS extension when built against OpenSSL 1.0.2 or newer. Negotiated protocol information is accessible through stream_get_meta_data() output. + . Removed "CN_match" and "SNI_server_name" SSL context options. Use automatic + detection or the "peer_name" option instead. (Nikita) - pcntl: . Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler diff --git a/UPGRADING b/UPGRADING index d0551b6e57..c85d18e32f 100644 --- a/UPGRADING +++ b/UPGRADING @@ -482,6 +482,8 @@ Other - OpenSSL: . Removed the "rsa_key_size" SSL context option in favor of automatically setting the appropriate size given the negotiated crypto algorithm. + . Removed "CN_match" and "SNI_server_name" SSL context options. Use automatic + detection or the "peer_name" option instead. - PCRE: . Removed support for /e (PREG_REPLACE_EVAL) modifier. Use diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index 2fbc615dd2..1d340af8cb 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -484,8 +484,7 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre int err, must_verify_peer, must_verify_peer_name, - must_verify_fingerprint, - has_cnmatch_ctx_opt; + must_verify_fingerprint; php_openssl_netstream_data_t *sslsock = (php_openssl_netstream_data_t*)stream->abstract; 
@@ -493,8 +492,7 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre ? zend_is_true(val) : sslsock->is_client; - has_cnmatch_ctx_opt = GET_VER_OPT("CN_match"); - must_verify_peer_name = (has_cnmatch_ctx_opt || GET_VER_OPT("verify_peer_name")) + must_verify_peer_name = GET_VER_OPT("verify_peer_name") ? zend_is_true(val) : sslsock->is_client; @@ -549,12 +547,6 @@ static int apply_peer_verification_policy(SSL *ssl, X509 *peer, php_stream *stre if (must_verify_peer_name) { GET_VER_OPT_STRING("peer_name", peer_name); - if (has_cnmatch_ctx_opt) { - GET_VER_OPT_STRING("CN_match", peer_name); - php_error(E_DEPRECATED, - "the 'CN_match' SSL context option is deprecated in favor of 'peer_name'" - ); - } /* If no peer name was specified we use the autodetected url name in client environments */ if (peer_name == NULL && sslsock->is_client) { peer_name = sslsock->url_name; @@ -1429,11 +1421,6 @@ static void enable_client_sni(php_stream *stream, php_openssl_netstream_data_t * GET_VER_OPT_STRING("peer_name", sni_server_name); - if (GET_VER_OPT("SNI_server_name")) { - GET_VER_OPT_STRING("SNI_server_name", sni_server_name); - php_error(E_DEPRECATED, "SNI_server_name is deprecated in favor of peer_name"); - } - if (sni_server_name) { SSL_set_tlsext_host_name(sslsock->ssl_handle, sni_server_name); } -- 2.50.1
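Review bot: Dropping `has_cnmatch_ctx_opt ||` from the `must_verify_peer_name` assignment means a context that still carries `CN_match` no longer forces peer-name verification on; it now falls back to `sslsock->is_client`, so a server-side stream that relied on `CN_match` to check the client certificate's name silently stops checking it. A removed security option that is ignored rather than rejected is a quiet downgrade, so the stale key should fail loudly here, e.g. `if (GET_VER_OPT("CN_match")) { php_error(E_WARNING, "the 'CN_match' SSL context option was removed; use 'peer_name' and 'verify_peer_name'"); }`, unless the context array is validated elsewhere (not visible in this hunk). apply_peer_verification_policy starts before this hunk.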
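Review bot: The `CN_match` value is no longer copied into `peer_name`, so a legacy caller that passed `CN_match => 'real.host'` now has the certificate checked against the autodetected `sslsock->url_name` instead, which differs whenever the stream was opened by IP literal or via a proxy, and the failure surfaces only as a verification error with no hint about the dropped option. The existing comment on the fallback should say so, e.g. extend it to `/* If no peer name was specified we use the autodetected url name in client environments; 'CN_match' is no longer consulted (see UPGRADING) */`. Both this hunk's function and the code after `peer_name = sslsock->url_name;` lie outside the hunk.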
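Review bot: `SSL_set_tlsext_host_name(sslsock->ssl_handle, sni_server_name)` is now the only place the SNI name is set, and its return value is still ignored; OpenSSL returns 0 when the name cannot be set (for example a hostname over the TLS extension length limit), after which the handshake proceeds without SNI and the peer may present a default certificate that then fails the `peer_name` check with an unrelated-looking error. Checking it is one line, `if (!SSL_set_tlsext_host_name(sslsock->ssl_handle, sni_server_name)) { php_error(E_WARNING, "Failed setting SNI server name"); }`. Whether `sni_server_name` has an earlier fallback (e.g. from `url_name`) cannot be seen here, since enable_client_sni starts before this hunk.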