--TEST--
security_level setting to prohibit cert
--EXTENSIONS--
openssl
--SKIPIF--
<?php
if (OPENSSL_VERSION_NUMBER < 0x10100000) die("skip OpenSSL >= v1.1.0 required");
if (!function_exists("proc_open")) die("skip no proc_open");
?>
--FILE--
<?php
// https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html
//
// The client side runs at OpenSSL security level 2, while the server presents
// a certificate whose key is only 1024 bits long. Level 2 refuses keys shorter
// than 2048 bits, so the client handshake is expected to fail with a
// "certificate verify failed" error (see --EXPECTF--).
$securityLevel = 2;
$keyLength = 1024;

// Temporary PEM files written by CertificateGenerator below and removed in --CLEAN--.
$tmpPrefix = __DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level';
$certFile = $tmpPrefix . '.pem.tmp';
$cacertFile = $tmpPrefix . '-ca.pem.tmp';

// Server template; %s receives the path of the weak-key certificate.
// The server itself runs at security level 0 so that it can start up with that
// certificate regardless of the build's default level - the rejection under
// test must happen on the client side.
$serverTemplate = <<<'CODE'
    $serverUri = "ssl://127.0.0.1:64322";
    $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
    $serverCtx = stream_context_create(['ssl' => [
        'local_cert' => '%s',
        // Make sure the server side starts up successfully if the default security level is
        // higher. We want to test the error at the client side.
        'security_level' => 0,
    ]]);

    $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
    phpt_notify();

    @stream_socket_accept($server, 1);
CODE;
$serverCode = sprintf($serverTemplate, $certFile);

// Client template; %d receives the security level and %s the CA file path.
// verify_peer is on and the generated CA is trusted via cafile, so the chain
// itself is valid; the only thing left to reject is the key strength.
// verify_peer_name is off - presumably so that a hostname mismatch cannot mask
// the security-level failure being exercised.
$clientTemplate = <<<'CODE'
    $serverUri = "ssl://127.0.0.1:64322";
    $clientFlags = STREAM_CLIENT_CONNECT;
    $clientCtx = stream_context_create(['ssl' => [
        'security_level' => %d,
        'verify_peer' => true,
        'cafile' => '%s',
        'verify_peer_name' => false
    ]]);

    phpt_wait();
    $client = stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx);

    var_dump($client);
CODE;
$clientCode = sprintf($clientTemplate, $securityLevel, $cacertFile);

// Generate the CA and a certificate signed with a deliberately short key.
include 'CertificateGenerator.inc';
$generator = new CertificateGenerator();
$generator->saveCaCert($cacertFile);
$generator->saveNewCertAsFileWithKey('stream_security_level', $certFile, $keyLength);

// Run server and client in separate processes (requires proc_open, see --SKIPIF--).
include 'ServerClientTestCase.inc';
ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
?>
--CLEAN--
<?php
foreach (['stream_security_level.pem.tmp', 'stream_security_level-ca.pem.tmp'] as $tmpName) {
    @unlink(__DIR__ . DIRECTORY_SEPARATOR . $tmpName);
}
?>
--EXPECTF--
Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:%s:SSL routines:%S:certificate verify failed in %s : eval()'d code on line %d

Warning: stream_socket_client(): Failed to enable crypto in %s : eval()'d code on line %d

Warning: stream_socket_client(): Unable to connect to ssl://127.0.0.1:64322 (Unknown error) in %s : eval()'d code on line %d
bool(false)