3fc013b2 | 09-Jun-2023 | Jakub Zelenka
Fix CS and checking for IPv6 SAN verify

fd09728b | 28-Apr-2023 | James Lucas
Fix bug GH-9356: Incomplete SAN validation of IPv6 address

IPv6 addresses are valid entries in subjectAltNames. Certificate Authorities may issue certificates including IPv6 addresses except if they fall within addresses in the RFC 4193 range. Google and CloudFlare provide IPv6 addresses in their DNS over HTTPS services. Internal CAs do not have those restrictions and can issue Unique local addresses in certificates.

Closes GH-11145

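Added example, not part of the commit above or of php-src: the byte-level comparison an IP-literal SAN check needs. In a certificate, an iPAddress GeneralName carries the raw address octets (4 for IPv4, 16 for IPv6), so the name the client connected to must be parsed with inet_pton() and compared as bytes, never as text; "2001:db8::1" and "2001:0db8:0:0:0:0:0:1" are the same address, and an IPv6 literal can never match a 4-octet entry. The SAN byte arrays and the function names are this example's own constructions, and the OpenSSL calls that would extract the GeneralName from an X509 are left out so the block runs without libssl.

```c
/* Added example (not php-src code): matching an IP-literal host name against
 * the raw octets of a subjectAltName iPAddress entry. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if host is an IP literal equal to the SAN octets, else 0.
 * san_len selects the family: 4 octets = IPv4, 16 octets = IPv6. */
int san_ip_matches(const unsigned char *san, size_t san_len, const char *host)
{
    unsigned char buf[16];
    int family;

    if (san_len == 4) {
        family = AF_INET;
    } else if (san_len == 16) {
        family = AF_INET6;
    } else {
        return 0; /* malformed iPAddress entry: neither IPv4 nor IPv6 */
    }
    /* inet_pton() rejects DNS names and literals of the other family, so an
     * IPv6 host never matches a 4-octet entry and vice versa. */
    if (inet_pton(family, host, buf) != 1) {
        return 0;
    }
    return memcmp(buf, san, san_len) == 0;
}

/* RFC 4193 unique local addresses are fc00::/7. Public CAs do not put them
 * in certificates; an internal CA may, as the commit message notes. */
int is_unique_local(const unsigned char *san, size_t san_len)
{
    return san_len == 16 && (san[0] & 0xfe) == 0xfc;
}

/* Constructed SAN entries, laid out as the DER octets of a GeneralName. */
const unsigned char san_google_v6[16] = {
    0x20, 0x01, 0x48, 0x60, 0x48, 0x60, 0, 0, 0, 0, 0, 0, 0, 0, 0x88, 0x88 };
const unsigned char san_v4[4] = { 8, 8, 8, 8 };
const unsigned char san_ula[16] = {
    0xfd, 0x12, 0x34, 0x56, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };

int main(void)
{
    printf("compressed  : %d\n", san_ip_matches(san_google_v6, 16, "2001:4860:4860::8888"));
    printf("expanded    : %d\n", san_ip_matches(san_google_v6, 16, "2001:4860:4860:0:0:0:0:8888"));
    printf("v6 vs v4 SAN: %d\n", san_ip_matches(san_v4, 4, "2001:4860:4860::8888"));
    printf("ULA entry   : %d\n", is_unique_local(san_ula, 16));
    return 0;
}
```

The point of doing the comparison on inet_pton() output is that every textual spelling of one IPv6 address normalises to the same 16 bytes, which a string compare against the certificate cannot provide; the family check via san_len also keeps a v4-mapped or otherwise cross-family literal from being accepted.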
b09be29a | 25-Feb-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix incorrect error checking in php_openssl_set_server_dh_param()

SSL_CTX_set_tmp_dh() and SSL_CTX_set0_tmp_dh_pkey() return 1 on success and 0 on error. But only < 0 was checked which means that errors were never caught.

Closes GH-10705.

d9ff5e07 | 04-Aug-2022 | Jakub Zelenka
Fix GH-8472: stream_socket_accept result may have incorrect metadata

7ceae661 | 29-Jun-2022 | David Carlier
streams/xp_socket: fix clang build error with enum usage on bool condition.

Fix targeted for OSes defining those flags as enums (like Linux/glibc).

    error: converting the enum constant to a boolean [-Werror,-Wint-in-bool-context]
    } else if ((!sslsock->ssl_active && value == 0 && (MSG_DONTWAIT || !sslsock->s.is_blocked)) ||

Closes #8895.

Revision tags: php-8.1.7RC1, php-8.1.4RC1, php-8.1.3

2d986310 | 09-Feb-2022 | Max Kellermann
streams/xp_socket: eliminate poll() when MSG_DONTWAIT is available

If there is a zero timeout and MSG_DONTWAIT is available (or the socket is non-blocking), the poll() call is not necessary, and we can just call recv() right away.

Before this change:

    poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 0) = 0 (Timeout)
    poll([{fd=4, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=4, revents=POLLIN}])
    recvfrom(4, "HTTP/1.1 301 Moved Permanently\r\n"..., 8192, MSG_DONTWAIT, NULL, NULL) = 348
    poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 0) = 1 ([{fd=4, revents=POLLIN}])
    recvfrom(4, "", 1, MSG_PEEK, NULL, NULL) = 0

After this change:

    recvfrom(4, 0x7ffe0cc719a0, 1, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
    poll([{fd=4, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=4, revents=POLLIN}])
    recvfrom(4, "HTTP/1.1 301 Moved Permanently\r\n"..., 8192, MSG_DONTWAIT, NULL, NULL) = 348
    recvfrom(4, "", 1, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = 0

The first poll() is replaced by recvfrom(), and the third poll() is omitted completely.

ext/openssl/xp_ssl: eliminate poll() when MSG_DONTWAIT is available

If there is a zero timeout and MSG_DONTWAIT is available (or the socket is non-blocking), the poll() call is not necessary, and we can just call recv() right away.

Closes GH-8092.

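Added example, not php-src code, of the syscall pattern the commit above switches to, run on an AF_UNIX socketpair so it works offline: a one-byte recv() with MSG_PEEK|MSG_DONTWAIT tells "nothing queued" (-1 with EAGAIN), "data available" (a positive count) and "peer closed" (0) apart in a single call, which is exactly what a poll(fd, POLLIN, 0) followed by a peek was doing in two. The enum and function names are this example's own.

```c
/* Added example (not php-src code): non-blocking peek as a replacement for a
 * zero-timeout poll(), exercised end to end on a socketpair. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum peek_state { PEEK_ERROR = -1, PEEK_NODATA = 0, PEEK_DATA = 1, PEEK_EOF = 2 };

/* One-byte peek that never blocks, whether or not the fd itself is
 * non-blocking: MSG_DONTWAIT applies to this call only. */
enum peek_state peek_nowait(int fd)
{
    char c;
    ssize_t n = recv(fd, &c, 1, MSG_PEEK | MSG_DONTWAIT);
    if (n > 0) return PEEK_DATA;
    if (n == 0) return PEEK_EOF;                       /* orderly shutdown by peer */
    if (errno == EAGAIN || errno == EWOULDBLOCK) return PEEK_NODATA;
    return PEEK_ERROR;                                 /* EBADF, ECONNRESET, ... */
}

/* Walk the three states the strace in the commit message shows.
 * Returns 0 when every transition behaved as described, 1 otherwise. */
int run_demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;

    int ok = 1;
    ok = ok && peek_nowait(sv[0]) == PEEK_NODATA;      /* empty queue: EAGAIN, no poll() needed */

    const char msg[] = "HTTP/1.1 301 Moved Permanently\r\n";   /* constructed sample payload */
    if (write(sv[1], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) ok = 0;
    ok = ok && peek_nowait(sv[0]) == PEEK_DATA;        /* data queued, nothing consumed yet */

    char buf[64];
    ssize_t n = recv(sv[0], buf, sizeof buf, MSG_DONTWAIT);
    ok = ok && n == (ssize_t)(sizeof msg - 1);         /* the real read drains it */

    close(sv[1]);                                      /* peer hangs up */
    ok = ok && peek_nowait(sv[0]) == PEEK_EOF;         /* recv() returns 0: EOF, not "no data" */

    close(sv[0]);
    return ok ? 0 : 1;
}

int main(void)
{
    printf("demo %s\n", run_demo() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The distinction between PEEK_NODATA and PEEK_EOF is the one that matters for a stream wrapper: treating a 0 return as "try again later" makes a closed connection look like a stalled one, and treating EAGAIN as EOF does the opposite.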
Revision tags: php-8.1.2RC1, php-8.1.0, php-7.3.33, php-7.3.32, php-7.3.31, php-7.3.30

b7a1633e | 08-Jul-2021 | twosee
Remove unused server_name variable

Closes GH-8760.

0ac60d60 | 03-Sep-2021 | twosee
Micro optimizations for xp_ssl.c (#7447)

If certfile/private_key points to a file that doesn't exist, it throws a warning and returns failure now. Also fixed sni_server tests.

Co-authored-by: Nikita Popov <nikita.ppv@googlemail.com>

aa893c4a | 01-Sep-2021 | twosee
Simplify SSL_set_mode() calls (#7444)

SSL_set_mode() adds the mode set via bitmask in mode to ssl.

74f75db0 | 15-May-2022 | Jakub Zelenka
Fix bug #79589: ssl3_read_n:unexpected eof while reading

The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent truncation attack. However there are many non-compliant servers and it is causing breakage for many users, including potentially the majority of those where the truncation attack is not applicable. For that reason we try to keep behavior consistent with older OpenSSL versions, which is also the path chosen by some other languages and web servers.

Closes GH-8369

ef787bae | 10-Aug-2021 | Nikita Popov
Switch dh_param handling to EVP_PKEY API

cd0cd3d3 | 01-Aug-2021 | Kamil Tekiela
Fix typos (#7327)

Revision tags: php-7.3.29

7fd48264 | 27-May-2021 | Christoph M. Becker
Fix #76694: native Windows cert verification uses CN as server name

This is not guaranteed to work, since the actual server name may only be given as SAN. Since we're doing the peer verification later anyway (using the respective context options as appropriate), there is no need to even supply a server name when verifying against the Windows cert store.

Closes GH-7060.

c40231af | 12-May-2021 | George Peter Banyard
Mark various functions with void arguments.

This fixes a bunch of [-Wstrict-prototypes] warnings, because in C func() and func(void) have different semantics.

01b3fc03 | 06-May-2021 | KsaR
Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway a server "Location:" header to https.
2. Update a few license 3.0 to 3.01, as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted.
4. fixed indentation in some files before

Revision tags: php-7.3.28

09efad61 | 08-Apr-2021 | George Peter Banyard
Use zend_string_equals_(literal_)ci() API more often

Also drive-by usage of zend_ini_parse_bool()

Closes GH-6844

Revision tags: php-7.3.27, php-7.3.26, php-7.3.26RC1, php-7.3.25, php-7.3.25RC1, php-7.3.24, php-7.3.24RC1

5caaf40b | 29-Sep-2020 | George Peter Banyard
Introduce pseudo-keyword ZEND_FALLTHROUGH

And use it instead of comments

db33af71 | 04-Mar-2021 | twosee
Remove duplicated SSL_CTX_set_verify()

Duplicated with line 920. Our minimal OpenSSL version is v1.0.1 (See https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/ssl/ssl_lib.c#L2039). Removing it does not affect program behavior.

Closes GH-6751.

3e01f5af | 15-Jan-2021 | Nikita Popov
Replace zend_bool uses with bool

We're starting to see a mix between uses of zend_bool and bool. Replace all usages with the standard bool type everywhere. Of course, zend_bool is retained as an alias.

c3a6debc | 10-Oct-2020 | Jakub Zelenka
Bump minimal OpenSSL version to 1.0.2

Revision tags: php-7.3.23, php-7.3.23RC1, php-7.3.22, php-7.3.22RC1, php-7.3.21

9f44eca6 | 01-Aug-2020 | Máté Kocsis
Convert resources to objects in ext/openssl

Closes GH-5860

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>

Revision tags: php-7.3.21RC1, php-7.3.20

0280b83e | 06-Jul-2020 | Nikita Popov
Avoid some unnecessary uses of no_separation=0

For the rare cases where references are part of the API, construct them explicitly. Otherwise do not allow separation.

Revision tags: php-7.3.20RC1

51e3cb39 | 18-Jun-2020 | Nikita Popov
Don't generate spurious warning if security_level not supported

People should not have to worry about the used openssl version when downgrading security_level.

eadd9807 | 09-Jun-2020 | Christoph M. Becker
Fix #62890: default_socket_timeout=-1 causes connection to timeout

While unencrypted connections ignore negative timeouts, SSL/TLS connections did not special case that, and so always failed due to timeout.

Revision tags: php-7.3.19, php-7.4.7RC1, php-7.3.19RC1, php-7.3.18RC1

94e09bfe | 19-Apr-2020 | Joe Cai
Fix #79497: Fix php_openssl_subtract_timeval()

I stumbled upon this while debugging a strange issue with stream_socket_client() where it randomly throws out errors when the connection timeout is set to below 1s. The logic to calculate time difference in php_openssl_subtract_timeval() is wrong when a.tv_usec < b.tv_usec, causing connection errors before the timeout is reached.

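Added example, not the php-src implementation, covering both the #79497 entry above and the #62890 entry (default_socket_timeout=-1) earlier on this page: a timeval subtraction that borrows a second when a.tv_usec < b.tv_usec, placed beside a naive version that illustrates the class of mistake (it is not the exact code that was in PHP), and a remaining-budget check in which a negative configured timeout means "no deadline" rather than "already expired". The function names and the sample values are this example's own.

```c
/* Added example (not php-src code): timeval subtraction with borrow, and a
 * timeout budget check that treats a negative timeout as "wait forever". */
#include <stdio.h>
#include <sys/time.h>

/* Naive subtraction, shown only to illustrate the failure mode: with
 * a = 2.000100s and b = 1.000900s it yields 1s and -800us. A caller that
 * inspects tv_sec alone thinks a full second remains; one that inspects
 * tv_usec sees a negative value and may declare the deadline passed. */
struct timeval sub_timeval_naive(struct timeval a, struct timeval b)
{
    struct timeval d;
    d.tv_sec = a.tv_sec - b.tv_sec;
    d.tv_usec = a.tv_usec - b.tv_usec;
    return d;
}

/* Correct subtraction: borrow one second when the microsecond field
 * underflows, and clamp at zero so "time left" can never go negative. */
struct timeval sub_timeval(struct timeval a, struct timeval b)
{
    struct timeval d;
    d.tv_sec = a.tv_sec - b.tv_sec;
    d.tv_usec = a.tv_usec - b.tv_usec;
    if (d.tv_usec < 0) {
        d.tv_sec -= 1;
        d.tv_usec += 1000000;
    }
    if (d.tv_sec < 0) {
        d.tv_sec = 0;
        d.tv_usec = 0;
    }
    return d;
}

/* 1 if the configured budget (seconds, as PHP stores socket timeouts) is used
 * up after `elapsed`. A negative timeout, as with default_socket_timeout=-1,
 * means there is no deadline at all, so it never expires. */
int timeout_expired(double configured_timeout, struct timeval elapsed)
{
    if (configured_timeout < 0) return 0;
    struct timeval budget;
    budget.tv_sec = (time_t)configured_timeout;
    budget.tv_usec = (suseconds_t)((configured_timeout - (double)budget.tv_sec) * 1000000);
    struct timeval left = sub_timeval(budget, elapsed);
    return left.tv_sec == 0 && left.tv_usec == 0;
}

int main(void)
{
    struct timeval d = sub_timeval((struct timeval){2, 100}, (struct timeval){1, 900});
    printf("2.000100 - 1.000900 = %ld.%06ld\n", (long)d.tv_sec, (long)d.tv_usec);
    printf("0.5s budget, 0.6s elapsed, expired: %d\n",
           timeout_expired(0.5, (struct timeval){0, 600000}));
    printf("timeout -1, 3600s elapsed, expired: %d\n",
           timeout_expired(-1.0, (struct timeval){3600, 0}));
    return 0;
}
```

The sub-second case in the bug report is exactly where the borrow matters: a 0.5s timeout measured against a start time whose microsecond field happens to be larger than the current one produces a negative tv_usec in the naive version, and the connection is reported as timed out before any time has passed.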