From afd31489d0d9999f701467e99ef2b40794eed196 Mon Sep 17 00:00:00 2001
From: Andrey Hristov
Date: Thu, 22 Oct 2015 11:48:53 +0200
Subject: [PATCH] Improve fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
---
 ext/mysqli/mysqli.c | 3 +++
 ext/mysqli/tests/mysqli_constants.phpt | 3 +++
 ext/mysqlnd/mysqlnd_net.c | 9 ++-------
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
index e028d60ab0..198ed83116 100644
--- a/ext/mysqli/mysqli.c
+++ b/ext/mysqli/mysqli.c
@@ -715,6 +715,9 @@ PHP_MINIT_FUNCTION(mysqli)
 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_IGNORE_SPACE", CLIENT_IGNORE_SPACE, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_NO_SCHEMA", CLIENT_NO_SCHEMA, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS | CONST_PERSISTENT);
+#ifdef CLIENT_SSL_VERIFY_SERVER_CERT
+ REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
+#endif
 #if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) || defined(MYSQLI_USE_MYSQLND)
 REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("MYSQLI_OPT_CAN_HANDLE_EXPIRED_PASSWORDS", MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt
index dd0f769e91..1cb31cc2a7 100644
--- a/ext/mysqli/tests/mysqli_constants.phpt
+++ b/ext/mysqli/tests/mysqli_constants.phpt
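Review bot: The new constant in PHP_MINIT_FUNCTION(mysqli) is registered under `#ifdef CLIENT_SSL_VERIFY_SERVER_CERT`, while the matching expectation in ext/mysqli/tests/mysqli_constants.phpt is keyed on `$version >= 50033 || $IS_MYSQLND`, so the two conditions can disagree on a client-library build whose headers lack the macro. Either guard both on the same condition or state the reason for the difference in a comment above the `#ifdef`. Because this flag decides whether the TLS peer is authenticated, that comment should also say what a connection does when the flag is not passed, for example `/* connect flag: request server certificate verification; see mysqlnd enable_ssl for the behaviour when absent */`. The body of PHP_MINIT_FUNCTION starts and ends outside the hunk.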
@@ -136,6 +136,9 @@ require_once('skipifconnectfailure.inc');
 $expected_constants['MYSQLI_SERVER_QUERY_WAS_SLOW'] = true;
 }
+ if ($version >= 50033 || $IS_MYSQLND) {
+ $expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
+ }
 /* First introduced in MySQL 6.0, backported to MySQL 5.5 */
 if ($version >= 50606 || $IS_MYSQLND) {
diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
index 4cbe9deb29..7b164ac294 100644
--- a/ext/mysqlnd/mysqlnd_net.c
+++ b/ext/mysqlnd/mysqlnd_net.c
@@ -897,14 +897,9 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
 php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
 }
- if (net->data->options.ssl_verify_peer) {
- zval verify_peer_zval;
- ZVAL_TRUE(&verify_peer_zval);
- php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
- php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
- } else {
+ {
 zval verify_peer_zval;
- ZVAL_FALSE(&verify_peer_zval);
+ ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer);
 php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
 php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
 }
--
2.40.0
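Review bot: In enable_ssl the single option `ssl_verify_peer` drives both `verify_peer` and `verify_peer_name`, and when it is 0 both are written to the stream context as false, so a TLS connection made without the option validates neither the certificate chain nor the host name. This behaviour is carried over from the removed `else` branch, but the bare block now hides it and should carry a comment such as `/* verify_peer and verify_peer_name both follow ssl_verify_peer; 0 turns off certificate and host name validation */`. Where the option's default is set is not visible in this hunk, so it should be confirmed there whether an unconfigured connection ends up unverified. The return value of both `php_stream_context_set_option` calls is discarded, as on the `local_pk` call above, so a failure to apply the verification setting would go unnoticed. The function body starts and ends outside the hunk.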