- edited description
SSL Context Method... to select the use of TLS 1.1 and 1.2 explictly...
Issue #11
resolved
when create ssl context to use ssl with eventbufferevent they cannot explicite use all method that SSL_CTX_new(3) expose...
https://www.openssl.org/docs/ssl/SSL_CTX_new.html
they cannot use TLSv1_1_server_method/TLSv1_2_server_method or TLSv1_1_client_method/TLSv1_2_client_method to force the use of the tls1.1/tls1.2 for example...
but the more important the mis of sslctx option to set explicitly the protocole autorized to use with SSL_CTX_set_options (or SSL_set_options) with that the use of SSLv23_server_method will be the ideal solution to correctly manage protocol selection...
https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
like adding new sslctx option EventSslContext::OPT_NO_NO_SSLV2 that set
SSL_CTX_set_options(server_ctx, SSL_OP_NO_SSLv2);
the same for SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2.
and also can be usefull to add the option to activate : SSL_OP_CIPHER_SERVER_PREFERENCE
Comments (4)
-
reporter
-
reporter
- edited description
-
reporter
et voila ! it's done !
plus the SSL_OP_CIPHER_SERVER_PREFERENCE options !
diff --git a/classes/ssl_context.c b/classes/ssl_context.c index 6690913..3957c3e 100644 --- a/classes/ssl_context.c +++ b/classes/ssl_context.c @@ -219,6 +219,48 @@ static inline void set_ssl_ctx_options(SSL_CTX *ctx, HashTable *ht TSRMLS_DC) convert_to_string_ex(ppzval); capath = Z_STRVAL_PP(ppzval); break; + case PHP_EVENT_OPT_NO_SSLv2: + if (zval_is_true(*ppzval)) { + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); + } else { + SSL_CTX_clear_options(ctx,SSL_OP_NO_SSLv2); + } + break; + case PHP_EVENT_OPT_NO_SSLv3: + if (zval_is_true(*ppzval)) { + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); + } else { + SSL_CTX_clear_options(ctx,SSL_OP_NO_SSLv3); + } + break; + case PHP_EVENT_OPT_NO_TLSv1: + if (zval_is_true(*ppzval)) { + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); + } else { + SSL_CTX_clear_options(ctx,SSL_OP_NO_TLSv1); + } + break; + case PHP_EVENT_OPT_NO_TLSv1_1: + if (zval_is_true(*ppzval)) { + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); + } else { + SSL_CTX_clear_options(ctx,SSL_OP_NO_TLSv1_1); + } + break; + case PHP_EVENT_OPT_NO_TLSv1_2: + if (zval_is_true(*ppzval)) { + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); + } else { + SSL_CTX_clear_options(ctx,SSL_OP_NO_TLSv1_2); + } + break; + case PHP_EVENT_OPT_CIPHER_SERVER_PREFERENCE: + if (zval_is_true(*ppzval)) { + SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + } else { + SSL_CTX_clear_options(ctx,SSL_OP_CIPHER_SERVER_PREFERENCE); + } + break; case PHP_EVENT_OPT_ALLOW_SELF_SIGNED: /* Skip */ break; @@ -299,6 +341,18 @@ static zend_always_inline SSL_METHOD *get_ssl_method(long in_method TSRMLS_DC) case PHP_EVENT_TLS_SERVER_METHOD: method = (SSL_METHOD *) TLSv1_server_method(); break; + case PHP_EVENT_TLSv11_CLIENT_METHOD: + method = (SSL_METHOD *) TLSv1_1_client_method(); + break; + case PHP_EVENT_TLSv11_SERVER_METHOD: + method = (SSL_METHOD *) TLSv1_1_server_method(); + break; + case PHP_EVENT_TLSv12_CLIENT_METHOD: + method = (SSL_METHOD *) TLSv1_2_client_method(); + break; + case PHP_EVENT_TLSv12_SERVER_METHOD: + method = (SSL_METHOD *) TLSv1_2_server_method(); + break; default: return NULL; } diff --git a/php_event.c b/php_event.c index 3de793b..8896a96 100644 --- a/php_event.c +++ b/php_event.c @@ -1258,6 +1258,10 @@ PHP_MINIT_FUNCTION(event) REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, SSLv3_SERVER_METHOD, PHP_EVENT_SSLv3_SERVER_METHOD); REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, SSLv23_SERVER_METHOD, PHP_EVENT_SSLv23_SERVER_METHOD); REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLS_SERVER_METHOD, PHP_EVENT_TLS_SERVER_METHOD); + REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLSv11_CLIENT_METHOD, PHP_EVENT_TLSv11_CLIENT_METHOD); + REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLSv11_SERVER_METHOD, PHP_EVENT_TLSv11_SERVER_METHOD); + REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLSv12_CLIENT_METHOD, PHP_EVENT_TLSv12_CLIENT_METHOD); + REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLSv12_SERVER_METHOD, PHP_EVENT_TLSv12_SERVER_METHOD); REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_LOCAL_CERT, PHP_EVENT_OPT_LOCAL_CERT); REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_LOCAL_PK, PHP_EVENT_OPT_LOCAL_PK); @@ -1268,6 +1272,12 @@ PHP_MINIT_FUNCTION(event) REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_VERIFY_PEER, PHP_EVENT_OPT_VERIFY_PEER); REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_VERIFY_DEPTH, PHP_EVENT_OPT_VERIFY_DEPTH); REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_CIPHERS, PHP_EVENT_OPT_CIPHERS); + REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_SSLv2, PHP_EVENT_OPT_NO_SSLv2); + REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_SSLv3, PHP_EVENT_OPT_NO_SSLv3); + REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_TLSv1, PHP_EVENT_OPT_NO_TLSv1); + REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_TLSv1_1, PHP_EVENT_OPT_NO_TLSv1_1); + REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_TLSv1_2, PHP_EVENT_OPT_NO_TLSv1_2); + REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_CIPHER_SERVER_PREFERENCE, PHP_EVENT_OPT_CIPHER_SERVER_PREFERENCE); /* Initialize openssl library */ SSL_library_init(); diff --git a/src/structs.h b/src/structs.h index a726918..662784d 100644 --- a/src/structs.h +++ b/src/structs.h @@ -206,7 +206,13 @@ enum { PHP_EVENT_OPT_ALLOW_SELF_SIGNED = 6, PHP_EVENT_OPT_VERIFY_PEER = 7, PHP_EVENT_OPT_VERIFY_DEPTH = 8, - PHP_EVENT_OPT_CIPHERS = 9 + PHP_EVENT_OPT_CIPHERS = 9, + PHP_EVENT_OPT_NO_SSLv2 = 10, + PHP_EVENT_OPT_NO_SSLv3 = 11, + PHP_EVENT_OPT_NO_TLSv1 = 12, + PHP_EVENT_OPT_NO_TLSv1_1 = 13, + PHP_EVENT_OPT_NO_TLSv1_2 = 14, + PHP_EVENT_OPT_CIPHER_SERVER_PREFERENCE = 15 }; enum { @@ -217,7 +223,11 @@ enum { PHP_EVENT_SSLv2_SERVER_METHOD = 5, PHP_EVENT_SSLv3_SERVER_METHOD = 6, PHP_EVENT_SSLv23_SERVER_METHOD = 7, - PHP_EVENT_TLS_SERVER_METHOD = 8 + PHP_EVENT_TLS_SERVER_METHOD = 8, + PHP_EVENT_TLSv11_CLIENT_METHOD = 9, + PHP_EVENT_TLSv11_SERVER_METHOD = 10, + PHP_EVENT_TLSv12_CLIENT_METHOD = 11, + PHP_EVENT_TLSv12_SERVER_METHOD = 12 }; typedef struct _php_event_ssl_context_t { -
repo owner
- changed status to resolved
Hey, thanks for your contribution! :)
Now it's there in
master. - Log in to comment
