1--TEST--
2security_level setting to prohibit cert
3--SKIPIF--
4<?php
5if (!extension_loaded("openssl")) die("skip openssl not loaded");
6if (OPENSSL_VERSION_NUMBER < 0x10100000) die("skip OpenSSL >= v1.1.0 required");
7if (!function_exists("proc_open")) die("skip no proc_open");
8?>
9--FILE--
10<?php
11// https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html
12$securityLevel = 2;
13
14// Security level 2 refuses certs signed by keys with length of less than 2048 bits
15$keyLength = 1024;
16
17$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level.pem.tmp';
18$cacertFile = __DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level-ca.pem.tmp';
19
20$serverCode = <<<'CODE'
21    $serverUri = "ssl://127.0.0.1:64322";
22    $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
23    $serverCtx = stream_context_create(['ssl' => [
24        'local_cert' => '%s',
25        // Make sure the server side starts up successfully if the default security level is
26        // higher. We want to test the error at the client side.
27        'security_level' => 1,
28    ]]);
29
30    $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
31    phpt_notify();
32
33    @stream_socket_accept($server, 1);
34CODE;
35$serverCode = sprintf($serverCode, $certFile);
36
37$clientCode = <<<'CODE'
38    $serverUri = "ssl://127.0.0.1:64322";
39    $clientFlags = STREAM_CLIENT_CONNECT;
40    $clientCtx = stream_context_create(['ssl' => [
41        'security_level' => %d,
42        'verify_peer' => true,
43        'cafile' => '%s',
44        'verify_peer_name' => false
45    ]]);
46
47    phpt_wait();
48    $client = stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx);
49
50    var_dump($client);
51CODE;
52$clientCode = sprintf($clientCode, $securityLevel, $cacertFile);
53
54include 'CertificateGenerator.inc';
55$certificateGenerator = new CertificateGenerator();
56$certificateGenerator->saveCaCert($cacertFile);
57$certificateGenerator->saveNewCertAsFileWithKey('stream_security_level', $certFile, $keyLength);
58
59include 'ServerClientTestCase.inc';
60ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
61?>
62--CLEAN--
63<?php
64@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level.pem.tmp');
65@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level-ca.pem.tmp');
66?>
67--EXPECTF--
68Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
69error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in %s : eval()'d code on line %d
70
71Warning: stream_socket_client(): Failed to enable crypto in %s : eval()'d code on line %d
72
73Warning: stream_socket_client(): Unable to connect to ssl://127.0.0.1:64322 (Unknown error) in %s : eval()'d code on line %d
74bool(false)
75