SSL Context Method... to select the use of TLS 1.1 and 1.2 explicitly...

Issue #11 resolved
Mathieu CARBONNEAUX
created an issue

When creating an ssl context to use ssl with eventbufferevent, one cannot explicitly use every method that SSL_CTX_new(3) exposes...

https://www.openssl.org/docs/ssl/SSL_CTX_new.html

For example, one cannot use TLSv1_1_server_method/TLSv1_2_server_method or TLSv1_1_client_method/TLSv1_2_client_method to force the use of TLS 1.1/TLS 1.2...

But more importantly, an sslctx option is missing to explicitly set the protocols authorized for use via SSL_CTX_set_options (or SSL_set_options); with that, using SSLv23_server_method would be the ideal solution to correctly manage protocol selection...

https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

For example, adding a new sslctx option EventSslContext::OPT_NO_NO_SSLV2 that sets

SSL_CTX_set_options(server_ctx, SSL_OP_NO_SSLv2);

the same for SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2.

It could also be useful to add an option to activate SSL_OP_CIPHER_SERVER_PREFERENCE.

Comments (4)

  1. Mathieu CARBONNEAUX reporter

    et voila ! it's done !

    plus the SSL_OP_CIPHER_SERVER_PREFERENCE options !

    diff --git a/classes/ssl_context.c b/classes/ssl_context.c
    index 6690913..3957c3e 100644
    --- a/classes/ssl_context.c
    +++ b/classes/ssl_context.c
    @@ -219,6 +219,48 @@ static inline void set_ssl_ctx_options(SSL_CTX *ctx, HashTable *ht TSRMLS_DC)
                                    convert_to_string_ex(ppzval);
                                    capath = Z_STRVAL_PP(ppzval);
                                    break;
    +                       case PHP_EVENT_OPT_NO_SSLv2:
    +                               if (zval_is_true(*ppzval)) {
    +                                 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
    +                               } else {
    +                                 SSL_CTX_clear_options(ctx,SSL_OP_NO_SSLv2);
    +                               }
    +                               break;
    +                       case PHP_EVENT_OPT_NO_SSLv3:
    +                               if (zval_is_true(*ppzval)) {
    +                                 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
    +                               } else {
    +                                 SSL_CTX_clear_options(ctx,SSL_OP_NO_SSLv3);
    +                               }
    +                               break;
    +                       case PHP_EVENT_OPT_NO_TLSv1:
    +                               if (zval_is_true(*ppzval)) {
    +                                 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
    +                               } else {
    +                                 SSL_CTX_clear_options(ctx,SSL_OP_NO_TLSv1);
    +                               }
    +                               break;
    +                       case PHP_EVENT_OPT_NO_TLSv1_1:
    +                               if (zval_is_true(*ppzval)) {
    +                                 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
    +                               } else {
    +                                 SSL_CTX_clear_options(ctx,SSL_OP_NO_TLSv1_1);
    +                               }
    +                               break;
    +                       case PHP_EVENT_OPT_NO_TLSv1_2:
    +                               if (zval_is_true(*ppzval)) {
    +                                 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
    +                               } else {
    +                                 SSL_CTX_clear_options(ctx,SSL_OP_NO_TLSv1_2);
    +                               }
    +                               break;
    +                       case PHP_EVENT_OPT_CIPHER_SERVER_PREFERENCE:
    +                               if (zval_is_true(*ppzval)) {
    +                                 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
    +                               } else {
    +                                 SSL_CTX_clear_options(ctx,SSL_OP_CIPHER_SERVER_PREFERENCE);
    +                               }
    +                               break;
                            case PHP_EVENT_OPT_ALLOW_SELF_SIGNED:
                                    /* Skip */
                                    break;
    @@ -299,6 +341,18 @@ static zend_always_inline SSL_METHOD *get_ssl_method(long in_method TSRMLS_DC)
            case PHP_EVENT_TLS_SERVER_METHOD:
                    method = (SSL_METHOD *) TLSv1_server_method();
                    break;
    +       case PHP_EVENT_TLSv11_CLIENT_METHOD:
    +               method = (SSL_METHOD *) TLSv1_1_client_method();
    +                       break;
    +       case PHP_EVENT_TLSv11_SERVER_METHOD:
    +               method = (SSL_METHOD *) TLSv1_1_server_method();
    +               break;
    +       case PHP_EVENT_TLSv12_CLIENT_METHOD:
    +               method = (SSL_METHOD *) TLSv1_2_client_method();
    +                       break;
    +       case PHP_EVENT_TLSv12_SERVER_METHOD:
    +               method = (SSL_METHOD *) TLSv1_2_server_method();
    +               break;
            default:
                    return NULL;
            }
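Review bot: `TLSv1_1_client_method()`, `TLSv1_1_server_method()`, `TLSv1_2_client_method()` and `TLSv1_2_server_method()` are only declared from OpenSSL 1.0.1 onward, so unless the file already guards them somewhere outside this hunk (get_ssl_method starts before it), the four new cases break the build against older libraries. Wrapping them in `#if OPENSSL_VERSION_NUMBER >= 0x10001000L` … `#endif` keeps the older build working and lets the existing `default:` return NULL for those selectors. The `break;` under the two client cases is indented one level deeper than its siblings and should be aligned with them.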
    diff --git a/php_event.c b/php_event.c
    index 3de793b..8896a96 100644
    --- a/php_event.c
    +++ b/php_event.c
    @@ -1258,6 +1258,10 @@ PHP_MINIT_FUNCTION(event)
            REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, SSLv3_SERVER_METHOD,  PHP_EVENT_SSLv3_SERVER_METHOD);
            REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, SSLv23_SERVER_METHOD, PHP_EVENT_SSLv23_SERVER_METHOD);
            REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLS_SERVER_METHOD,    PHP_EVENT_TLS_SERVER_METHOD);
    +       REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLSv11_CLIENT_METHOD,    PHP_EVENT_TLSv11_CLIENT_METHOD);
    +       REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLSv11_SERVER_METHOD,    PHP_EVENT_TLSv11_SERVER_METHOD);
    +       REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLSv12_CLIENT_METHOD,    PHP_EVENT_TLSv12_CLIENT_METHOD);
    +       REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLSv12_SERVER_METHOD,    PHP_EVENT_TLSv12_SERVER_METHOD);
    
            REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_LOCAL_CERT,        PHP_EVENT_OPT_LOCAL_CERT);
            REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_LOCAL_PK,          PHP_EVENT_OPT_LOCAL_PK);
    @@ -1268,6 +1272,12 @@ PHP_MINIT_FUNCTION(event)
            REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_VERIFY_PEER,       PHP_EVENT_OPT_VERIFY_PEER);
            REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_VERIFY_DEPTH,      PHP_EVENT_OPT_VERIFY_DEPTH);
            REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_CIPHERS,           PHP_EVENT_OPT_CIPHERS);
    +       REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_SSLv2,          PHP_EVENT_OPT_NO_SSLv2);
    +       REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_SSLv3,          PHP_EVENT_OPT_NO_SSLv3);
    +       REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_TLSv1,          PHP_EVENT_OPT_NO_TLSv1);
    +       REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_TLSv1_1,        PHP_EVENT_OPT_NO_TLSv1_1);
    +       REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_TLSv1_2,        PHP_EVENT_OPT_NO_TLSv1_2);
    +       REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_CIPHER_SERVER_PREFERENCE,      PHP_EVENT_OPT_CIPHER_SERVER_PREFERENCE);
    
            /* Initialize openssl library */
            SSL_library_init();
    diff --git a/src/structs.h b/src/structs.h
    index a726918..662784d 100644
    --- a/src/structs.h
    +++ b/src/structs.h
    @@ -206,7 +206,13 @@ enum {
            PHP_EVENT_OPT_ALLOW_SELF_SIGNED = 6,
            PHP_EVENT_OPT_VERIFY_PEER       = 7,
            PHP_EVENT_OPT_VERIFY_DEPTH      = 8,
    -       PHP_EVENT_OPT_CIPHERS           = 9
    +       PHP_EVENT_OPT_CIPHERS           = 9,
    +       PHP_EVENT_OPT_NO_SSLv2          = 10,
    +       PHP_EVENT_OPT_NO_SSLv3          = 11,
    +       PHP_EVENT_OPT_NO_TLSv1          = 12,
    +       PHP_EVENT_OPT_NO_TLSv1_1        = 13,
    +       PHP_EVENT_OPT_NO_TLSv1_2        = 14,
    +       PHP_EVENT_OPT_CIPHER_SERVER_PREFERENCE = 15
     };
    
     enum {
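Review bot: The seven new enumerators carry no comment, so a reader of structs.h has to open ssl_context.c to learn that `PHP_EVENT_OPT_NO_*` toggle the matching `SSL_OP_NO_*` context-option bits and `PHP_EVENT_OPT_CIPHER_SERVER_PREFERENCE` toggles `SSL_OP_CIPHER_SERVER_PREFERENCE`; a one-line comment above the new entries, `/* boolean options mapped to SSL_OP_* flags via SSL_CTX_set_options/SSL_CTX_clear_options */`, would carry that. The last entry also breaks the `=` column alignment the rest of the enum keeps. The enum's opening line lies before this hunk.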
    @@ -217,7 +223,11 @@ enum {
         PHP_EVENT_SSLv2_SERVER_METHOD  = 5,
         PHP_EVENT_SSLv3_SERVER_METHOD  = 6,
         PHP_EVENT_SSLv23_SERVER_METHOD = 7,
    -    PHP_EVENT_TLS_SERVER_METHOD    = 8
    +    PHP_EVENT_TLS_SERVER_METHOD    = 8,
    +    PHP_EVENT_TLSv11_CLIENT_METHOD    = 9,
    +    PHP_EVENT_TLSv11_SERVER_METHOD    = 10,
    +    PHP_EVENT_TLSv12_CLIENT_METHOD    = 11,
    +    PHP_EVENT_TLSv12_SERVER_METHOD    = 12
     };
    
     typedef struct _php_event_ssl_context_t {
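Review bot: The four new method enumerators put four extra spaces before `=`, unlike the rest of the enum, e.g. `PHP_EVENT_TLSv11_CLIENT_METHOD = 9,` should line up with `PHP_EVENT_TLS_SERVER_METHOD    = 8,`. Since the existing entries appear to be grouped by client methods first and server methods afterwards, interleaving client and server values here may be worth reconsidering, though the enum's opening line lies before this hunk so the grouping is inferred.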
    