--TEST--
security_level setting to prohibit cert
--SKIPIF--
<?php
// Precondition checks for the test: each one ends the section with a
// "skip <reason>" line as soon as a requirement is not met. The openssl check
// comes first because the version constant below belongs to that extension.
if (!extension_loaded("openssl")) {
    die("skip openssl not loaded");
}

// The security level API referenced by this test is documented for OpenSSL 1.1.0.
if (OPENSSL_VERSION_NUMBER < 0x10100000) {
    die("skip OpenSSL >= v1.1.0 required");
}

// NOTE(review): proc_open is presumably what the server/client harness uses
// to start its worker process - confirm in ServerClientTestCase.inc.
if (!function_exists("proc_open")) {
    die("skip no proc_open");
}
?>
--FILE--
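<?php
// Checks that a client configured with the 'security_level' SSL context option
// refuses a server certificate whose key is too short for that level.
// Level definitions:
// https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html
$securityLevel = 2;

// Security level 2 requires 112 bits of security, which rules out RSA, DSA and
// DH keys shorter than 2048 bits. The server certificate is therefore generated
// with a 1024-bit key so that the client has something to reject.
$keyLength = 1024;

$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level.pem.tmp';
$cacertFile = __DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level-ca.pem.tmp';

// Server side. The certificate path is pasted into a single-quoted literal of
// the generated code, so the test directory must not contain a single quote.
// phpt_notify() is provided by the harness, not by this file.
// The trailing accept is silenced with @ because the handshake is expected to
// fail once the client rejects the certificate.
$serverCode = <<<'CODE'
	$serverUri = "ssl://127.0.0.1:64322";
	$serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
	$serverCtx = stream_context_create(['ssl' => [
		'local_cert' => '%s',
		// Keep the server at level 1 so that it can still load its deliberately
		// weak 1024-bit key where the default security level is higher.
		// The rejection under test has to come from the client.
		'security_level' => 1,
	]]);

	$server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
	phpt_notify();

	@stream_socket_accept($server, 1);
CODE;
$serverCode = sprintf($serverCode, $certFile);

// Client side. Peer verification is on and trusts only the generated CA, so a
// failure cannot be blamed on an unknown issuer.
// NOTE(review): 'verify_peer_name' => false is presumably needed because the
// generated certificate is not issued for 127.0.0.1 - a test-only setting that
// leaves chain and key-strength checks as the only possible verification error.
$clientCode = <<<'CODE'
	$serverUri = "ssl://127.0.0.1:64322";
	$clientFlags = STREAM_CLIENT_CONNECT;
	$clientCtx = stream_context_create(['ssl' => [
		'security_level' => %d,
		'verify_peer' => true,
		'cafile' => '%s',
		'verify_peer_name' => false
	]]);

	phpt_wait();
	$client = stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx);

	var_dump($client);
CODE;
$clientCode = sprintf($clientCode, $securityLevel, $cacertFile);

// Write the CA certificate the client trusts and the server certificate that
// is created with the short key length chosen above.
include 'CertificateGenerator.inc';
$certificateGenerator = new CertificateGenerator();
$certificateGenerator->saveCaCert($cacertFile);
$certificateGenerator->saveNewCertAsFileWithKey('stream_security_level', $certFile, $keyLength);

// Run both snippets through the server/client harness; the expected output is
// the client's connection failure followed by bool(false).
include 'ServerClientTestCase.inc';
ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
?>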
--CLEAN--
<?php
// Delete the temporary certificate files created by the FILE section.
// unlink() is silenced so that a file that was never written does not add
// output to the clean-up step.
foreach (['stream_security_level.pem.tmp', 'stream_security_level-ca.pem.tmp'] as $tmpName) {
    @unlink(__DIR__ . DIRECTORY_SEPARATOR . $tmpName);
}
?>
--EXPECTF--
Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in %s : eval()'d code on line %d

Warning: stream_socket_client(): Failed to enable crypto in %s : eval()'d code on line %d

Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64322 (Unknown error) in %s : eval()'d code on line %d
bool(false)
