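--TEST--
security_level setting to prohibit cert
--SKIPIF--
<?php
if (!extension_loaded("openssl")) die("skip openssl not loaded");
if (OPENSSL_VERSION_NUMBER < 0x10100000) die("skip OpenSSL >= v1.1.0 required");
if (!function_exists("proc_open")) die("skip no proc_open");
?>
--FILE--
<?php
// Exercises the 'security_level' SSL context option: the client is configured with a
// security level that the server's certificate key does not satisfy, so the TLS
// handshake must fail on the client side with a certificate verification error.
// https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html
$securityLevel = 2;

// Security level 2 refuses certs signed by keys with length of less than 2048 bits,
// so a 1024-bit key is deliberately too weak for the client context above.
$keyLength = 1024;

$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level.pem.tmp';
$cacertFile = __DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level-ca.pem.tmp';

// Server side: runs in a separate process (see ServerClientTestCase.inc). The '%s'
// placeholder is filled with the certificate path via sprintf() below.
$serverCode = <<<'CODE'
    $serverUri = "ssl://127.0.0.1:64322";
    $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
    $serverCtx = stream_context_create(['ssl' => [
        'local_cert' => '%s',
        // Make sure the server side starts up successfully if the default security level is
        // higher. We want to test the error at the client side.
        'security_level' => 1,
    ]]);

    $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
    phpt_notify();

    // The handshake is expected to fail; the accept is only here to let the client
    // connect and observe the failure, so its own warning is suppressed.
    @stream_socket_accept($server, 1);
CODE;
$serverCode = sprintf($serverCode, $certFile);

// Client side: '%d' is the security level under test, '%s' the CA file path.
$clientCode = <<<'CODE'
    $serverUri = "ssl://127.0.0.1:64322";
    $clientFlags = STREAM_CLIENT_CONNECT;
    $clientCtx = stream_context_create(['ssl' => [
        'security_level' => %d,
        // Peer verification stays on so the weak key is actually checked against the
        // security level; name verification is not what this test exercises, so it is
        // disabled rather than requiring the generated cert to name 127.0.0.1.
        'verify_peer' => true,
        'cafile' => '%s',
        'verify_peer_name' => false
    ]]);

    phpt_wait();
    $client = stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx);

    // Expected to be bool(false): the connection must be refused, not established.
    var_dump($client);
CODE;
$clientCode = sprintf($clientCode, $securityLevel, $cacertFile);

include 'CertificateGenerator.inc';
$certificateGenerator = new CertificateGenerator();
$certificateGenerator->saveCaCert($cacertFile);
$certificateGenerator->saveNewCertAsFileWithKey('stream_security_level', $certFile, $keyLength);

// The OpenSSL error code and function name embedded in the warning text differ between
// OpenSSL releases (SKIPIF admits any version >= 1.1.0), so EXPECTF matches only the
// stable parts of the message: the "SSL routines" library and the verify-failed reason.
include 'ServerClientTestCase.inc';
ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
?>
--CLEAN--
<?php
@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level.pem.tmp');
@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level-ca.pem.tmp');
?>
--EXPECTF--
Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:%s:SSL routines:%Scertificate verify failed in %s : eval()'d code on line %d

Warning: stream_socket_client(): Failed to enable crypto in %s : eval()'d code on line %d

Warning: stream_socket_client(): Unable to connect to ssl://127.0.0.1:64322 (Unknown error) in %s : eval()'d code on line %d
bool(false)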