History log of /PHP-8.1/ext/openssl/xp_ssl.c (Results 1 – 25 of 318)
# 3fc013b2 09-Jun-2023 Jakub Zelenka

Fix CS and checking for IPv6 SAN verify


# fd09728b 28-Apr-2023 James Lucas

Fix bug GH-9356: Incomplete SAN validation of IPv6 address

IPv6 addresses are valid entries in subjectAltNames. Certificate
Authorities may issue certificates including IPv6 addresses except
if they fall within addresses in the RFC 4193 range. Google and
CloudFlare provide IPv6 addresses in their DNS over HTTPS services.

Internal CAs do not have those restrictions and can issue Unique
local addresses in certificates.

Closes GH-11145


# b09be29a 25-Feb-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix incorrect error checking in php_openssl_set_server_dh_param()

SSL_CTX_set_tmp_dh() and SSL_CTX_set0_tmp_dh_pkey() return 1 on success
and 0 on error. But only < 0 was checked which means that errors were
never caught.

Closes GH-10705.


# d9ff5e07 04-Aug-2022 Jakub Zelenka

Fix GH-8472: stream_socket_accept result may have incorrect metadata


# 7ceae661 29-Jun-2022 David Carlier

streams/xp_socket: fix clang build error with enum usage on bool condition.

Fix targeted for OSes defining those flags as enums (like Linux/glibc).

`error: converting the enum constant to a boolean [-Werror,-Wint-in-bool-context]
} else if ((!sslsock->ssl_active && value == 0 && (MSG_DONTWAIT || !sslsock->s.is_blocked)) ||`

Closes #8895.


Revision tags: php-8.1.7RC1, php-8.1.4RC1, php-8.1.3
# 2d986310 09-Feb-2022 Max Kellermann

streams/xp_socket: eliminate poll() when MSG_DONTWAIT is available

If there is a zero timeout and MSG_DONTWAIT is available (or the
socket is non-blocking), the poll() call is not necessary, and we can
just call recv() right away.

Before this change:

poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 0) = 0 (Timeout)
poll([{fd=4, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "HTTP/1.1 301 Moved Permanently\r\n"..., 8192, MSG_DONTWAIT, NULL, NULL) = 348
poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 0) = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "", 1, MSG_PEEK, NULL, NULL) = 0

After this change:

recvfrom(4, 0x7ffe0cc719a0, 1, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=4, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "HTTP/1.1 301 Moved Permanently\r\n"..., 8192, MSG_DONTWAIT, NULL, NULL) = 348
recvfrom(4, "", 1, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = 0

The first poll() is replaced by recvfrom(), and the third poll() is
omitted completely.

ext/openssl/xp_ssl: eliminate poll() when MSG_DONTWAIT is available

If there is a zero timeout and MSG_DONTWAIT is available (or the
socket is non-blocking), the poll() call is not necessary, and we can
just call recv() right away.

Closes GH-8092.


Revision tags: php-8.1.2RC1, php-8.1.0, php-7.3.33, php-7.3.32, php-7.3.31, php-7.3.30
# b7a1633e 08-Jul-2021 twosee

Remove unused server_name variable

Closes GH-8760.


# 0ac60d60 03-Sep-2021 twosee

Micro optimizations for xp_ssl.c (#7447)

If certfile/private_key points to a file that doesn't exist, it throws a warning and returns failure now.
Also fixed sni_server tests.

Co-authored-by: Nikita Popov <nikita.ppv@googlemail.com>


# aa893c4a 01-Sep-2021 twosee

Simplify SSL_set_mode() calls (#7444)

SSL_set_mode() adds the mode set via bitmask in mode to ssl.


# 74f75db0 15-May-2022 Jakub Zelenka

Fix bug #79589: ssl3_read_n:unexpected eof while reading

The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent
truncation attack. However there are many non-compliant servers and
it is causing break for many users including potential majority
of those where the truncation attack is not applicable. For that reason
we try to keep behavior consistent with older OpenSSL versions which is
also the path chosen by some other languages and web servers.

Closes GH-8369


# ef787bae 10-Aug-2021 Nikita Popov

Switch dh_param handling to EVP_PKEY API


# cd0cd3d3 01-Aug-2021 Kamil Tekiela

Fix typos (#7327)


Revision tags: php-7.3.29
# 7fd48264 27-May-2021 Christoph M. Becker

Fix #76694: native Windows cert verification uses CN as server name

This is not guaranteed to work, since the actual server name may only
be given as SAN. Since we're doing the peer verification later anyway
(using the respective context options as appropriate), there is no need
to even supply a server name when verifying against the Windows cert
store.

Closes GH-7060.


# c40231af 12-May-2021 George Peter Banyard

Mark various functions with void arguments.

This fixes a bunch of [-Wstrict-prototypes] warnings,
because in C func() and func(void) have different semantics.


# 01b3fc03 06-May-2021 KsaR

Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted.
4. fixed indentation in some files before |


Revision tags: php-7.3.28
# 09efad61 08-Apr-2021 George Peter Banyard

Use zend_string_equals_(literal_)ci() API more often

Also drive-by usage of zend_ini_parse_bool()

Closes GH-6844


Revision tags: php-7.3.27, php-7.3.26, php-7.3.26RC1, php-7.3.25, php-7.3.25RC1, php-7.3.24, php-7.3.24RC1
# 5caaf40b 29-Sep-2020 George Peter Banyard

Introduce pseudo-keyword ZEND_FALLTHROUGH

And use it instead of comments


# db33af71 04-Mar-2021 twosee

Remove duplicated SSL_CTX_set_verify()

Duplicated with line 920.
Our minimal OpenSSL version is v1.0.1 (See https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/ssl/ssl_lib.c#L2039).
Removing it does not affect program behavior.
Closes GH-6751.


# 3e01f5af 15-Jan-2021 Nikita Popov

Replace zend_bool uses with bool

We're starting to see a mix between uses of zend_bool and bool.
Replace all usages with the standard bool type everywhere.

Of course, zend_bool is retained as an alias.


# c3a6debc 10-Oct-2020 Jakub Zelenka

Bump minimal OpenSSL version to 1.0.2


Revision tags: php-7.3.23, php-7.3.23RC1, php-7.3.22, php-7.3.22RC1, php-7.3.21
# 9f44eca6 01-Aug-2020 Máté Kocsis

Convert resources to objects in ext/openssl

Closes GH-5860

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>


Revision tags: php-7.3.21RC1, php-7.3.20
# 0280b83e 06-Jul-2020 Nikita Popov

Avoid some unnecessary uses of no_separation=0

For the rare cases where references are part of the API,
construct them explicitly. Otherwise do not allow separation.


Revision tags: php-7.3.20RC1
# 51e3cb39 18-Jun-2020 Nikita Popov

Don't generate spurious warning if security_level not supported

People should not have to worry about the used openssl version
when downgrading security_level.


# eadd9807 09-Jun-2020 Christoph M. Becker

Fix #62890: default_socket_timeout=-1 causes connection to timeout

While unencrypted connections ignore negative timeouts, SSL/TLS
connections did not special case that, and so always failed due to
timeout.


Revision tags: php-7.3.19, php-7.4.7RC1, php-7.3.19RC1, php-7.3.18RC1
# 94e09bfe 19-Apr-2020 Joe Cai

Fix #79497: Fix php_openssl_subtract_timeval()

I stumbled upon this while debugging a strange issue with
stream_socket_client() where it randomly throws out errors when
the connection timeout is set to below 1s. The logic to calculate
time difference in php_openssl_subtract_timeval() is wrong when
a.tv_usec < b.tv_usec, causing connection errors before the timeout
is reached.

