- edited description
SSL context methods: allow selecting TLS 1.1 and TLS 1.2 explicitly.
When creating an SSL context for use with EventBufferEvent, callers cannot explicitly use every method that SSL_CTX_new(3) exposes:
https://www.openssl.org/docs/ssl/SSL_CTX_new.html
for example, they cannot use TLSv1_1_server_method/TLSv1_2_server_method or TLSv1_1_client_method/TLSv1_2_client_method to force TLS 1.1 or TLS 1.2.
More importantly, there is no SSL context option to set explicitly which protocols are authorized, as SSL_CTX_set_options (or SSL_set_options) allows; with such an option, using SSLv23_server_method becomes the ideal way to manage protocol selection correctly.
https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
For instance, a new SSL context option EventSslContext::OPT_NO_SSLv2 that calls
SSL_CTX_set_options(server_ctx, SSL_OP_NO_SSLv2);
and likewise for SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2.
It would also be useful to add an option to enable SSL_OP_CIPHER_SERVER_PREFERENCE.
reporter -
reporter - edited description
reporter - Et voilà, it's done!
Plus the SSL_OP_CIPHER_SERVER_PREFERENCE option!
diff --git a/classes/ssl_context.c b/classes/ssl_context.c
index 6690913..3957c3e 100644
--- a/classes/ssl_context.c
+++ b/classes/ssl_context.c
@@ -219,6 +219,48 @@ static inline void set_ssl_ctx_options(SSL_CTX *ctx, HashTable *ht TSRMLS_DC)
 convert_to_string_ex(ppzval);
 capath = Z_STRVAL_PP(ppzval);
 break;
+ case PHP_EVENT_OPT_NO_SSLv2:
+ if (zval_is_true(*ppzval)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ } else {
+ SSL_CTX_clear_options(ctx,SSL_OP_NO_SSLv2);
+ }
+ break;
+ case PHP_EVENT_OPT_NO_SSLv3:
+ if (zval_is_true(*ppzval)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+ } else {
+ SSL_CTX_clear_options(ctx,SSL_OP_NO_SSLv3);
+ }
+ break;
+ case PHP_EVENT_OPT_NO_TLSv1:
+ if (zval_is_true(*ppzval)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+ } else {
+ SSL_CTX_clear_options(ctx,SSL_OP_NO_TLSv1);
+ }
+ break;
+ case PHP_EVENT_OPT_NO_TLSv1_1:
+ if (zval_is_true(*ppzval)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
+ } else {
+ SSL_CTX_clear_options(ctx,SSL_OP_NO_TLSv1_1);
+ }
+ break;
+ case PHP_EVENT_OPT_NO_TLSv1_2:
+ if (zval_is_true(*ppzval)) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
+ } else {
+ SSL_CTX_clear_options(ctx,SSL_OP_NO_TLSv1_2);
+ }
+ break;
+ case PHP_EVENT_OPT_CIPHER_SERVER_PREFERENCE:
+ if (zval_is_true(*ppzval)) {
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } else {
+ SSL_CTX_clear_options(ctx,SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+ break;
 case PHP_EVENT_OPT_ALLOW_SELF_SIGNED:
 /* Skip */
 break;
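Review bot: The new `PHP_EVENT_OPT_NO_TLSv1_1` and `PHP_EVENT_OPT_NO_TLSv1_2` cases reference `SSL_OP_NO_TLSv1_1`/`SSL_OP_NO_TLSv1_2` unconditionally, and those macros only exist in OpenSSL builds with TLS 1.1/1.2 support (1.0.1 onward, as far as I can tell), so the file stops compiling against older libraries; wrap each of the two cases in `#ifdef SSL_OP_NO_TLSv1_1` … `#endif` (respectively `SSL_OP_NO_TLSv1_2`), or fall through to an error when the macro is absent. The `else` branches deserve a caveat: passing `false` calls `SSL_CTX_clear_options`, which for `OPT_NO_SSLv2`/`OPT_NO_SSLv3` re-enables a protocol the context may have had disabled by default, so an explicit `false` is a downgrade rather than a no-op; I would document that above the first new case with `/* false clears the flag and re-enables the protocol; omit the option to keep the context default */`. set_ssl_ctx_options starts and ends outside this hunk.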
@@ -299,6 +341,18 @@ static zend_always_inline SSL_METHOD *get_ssl_method(long in_method TSRMLS_DC)
 case PHP_EVENT_TLS_SERVER_METHOD:
 method = (SSL_METHOD *) TLSv1_server_method();
 break;
+ case PHP_EVENT_TLSv11_CLIENT_METHOD:
+ method = (SSL_METHOD *) TLSv1_1_client_method();
+ break;
+ case PHP_EVENT_TLSv11_SERVER_METHOD:
+ method = (SSL_METHOD *) TLSv1_1_server_method();
+ break;
+ case PHP_EVENT_TLSv12_CLIENT_METHOD:
+ method = (SSL_METHOD *) TLSv1_2_client_method();
+ break;
+ case PHP_EVENT_TLSv12_SERVER_METHOD:
+ method = (SSL_METHOD *) TLSv1_2_server_method();
+ break;
 default:
 return NULL;
 }
diff --git a/php_event.c b/php_event.c
index 3de793b..8896a96 100644
--- a/php_event.c
+++ b/php_event.c
@@ -1258,6 +1258,10 @@ PHP_MINIT_FUNCTION(event)
 REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, SSLv3_SERVER_METHOD, PHP_EVENT_SSLv3_SERVER_METHOD);
 REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, SSLv23_SERVER_METHOD, PHP_EVENT_SSLv23_SERVER_METHOD);
 REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLS_SERVER_METHOD, PHP_EVENT_TLS_SERVER_METHOD);
+ REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLSv11_CLIENT_METHOD, PHP_EVENT_TLSv11_CLIENT_METHOD);
+ REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLSv11_SERVER_METHOD, PHP_EVENT_TLSv11_SERVER_METHOD);
+ REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLSv12_CLIENT_METHOD, PHP_EVENT_TLSv12_CLIENT_METHOD);
+ REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, TLSv12_SERVER_METHOD, PHP_EVENT_TLSv12_SERVER_METHOD);
 REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_LOCAL_CERT, PHP_EVENT_OPT_LOCAL_CERT);
 REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_LOCAL_PK, PHP_EVENT_OPT_LOCAL_PK);
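Review bot: `TLSv1_1_client_method()`, `TLSv1_1_server_method()`, `TLSv1_2_client_method()` and `TLSv1_2_server_method()` are called in the four new cases without any version guard, so this switch no longer compiles or links against an OpenSSL that predates TLS 1.1/1.2 support, whereas the existing cases presumably still built there; guard the four cases with `#if OPENSSL_VERSION_NUMBER >= 0x10001000L` … `#endif` so that on older libraries they fall to `default: return NULL;` and the caller's existing NULL handling reports the unsupported method. The `(SSL_METHOD *)` cast on the returned pointer follows the pattern of the surrounding cases; if it is there to discard the `const` that newer OpenSSL returns, a one-line comment such as `/* cast away const: older OpenSSL declares a non-const SSL_METHOD */` would save the next reader a lookup. get_ssl_method's body starts outside this hunk.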
@@ -1268,6 +1272,12 @@ PHP_MINIT_FUNCTION(event)
 REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_VERIFY_PEER, PHP_EVENT_OPT_VERIFY_PEER);
 REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_VERIFY_DEPTH, PHP_EVENT_OPT_VERIFY_DEPTH);
 REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_CIPHERS, PHP_EVENT_OPT_CIPHERS);
+ REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_SSLv2, PHP_EVENT_OPT_NO_SSLv2);
+ REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_SSLv3, PHP_EVENT_OPT_NO_SSLv3);
+ REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_TLSv1, PHP_EVENT_OPT_NO_TLSv1);
+ REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_TLSv1_1, PHP_EVENT_OPT_NO_TLSv1_1);
+ REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_NO_TLSv1_2, PHP_EVENT_OPT_NO_TLSv1_2);
+ REGISTER_EVENT_CLASS_CONST_LONG(php_event_ssl_context_ce, OPT_CIPHER_SERVER_PREFERENCE, PHP_EVENT_OPT_CIPHER_SERVER_PREFERENCE);
 /* Initialize openssl library */
 SSL_library_init();
diff --git a/src/structs.h b/src/structs.h
index a726918..662784d 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -206,7 +206,13 @@ enum {
 PHP_EVENT_OPT_ALLOW_SELF_SIGNED = 6,
 PHP_EVENT_OPT_VERIFY_PEER = 7,
 PHP_EVENT_OPT_VERIFY_DEPTH = 8,
- PHP_EVENT_OPT_CIPHERS = 9
+ PHP_EVENT_OPT_CIPHERS = 9,
+ PHP_EVENT_OPT_NO_SSLv2 = 10,
+ PHP_EVENT_OPT_NO_SSLv3 = 11,
+ PHP_EVENT_OPT_NO_TLSv1 = 12,
+ PHP_EVENT_OPT_NO_TLSv1_1 = 13,
+ PHP_EVENT_OPT_NO_TLSv1_2 = 14,
+ PHP_EVENT_OPT_CIPHER_SERVER_PREFERENCE = 15
 };
 enum {
@@ -217,7 +223,11 @@ enum {
 PHP_EVENT_SSLv2_SERVER_METHOD = 5,
 PHP_EVENT_SSLv3_SERVER_METHOD = 6,
 PHP_EVENT_SSLv23_SERVER_METHOD = 7,
- PHP_EVENT_TLS_SERVER_METHOD = 8
+ PHP_EVENT_TLS_SERVER_METHOD = 8,
+ PHP_EVENT_TLSv11_CLIENT_METHOD = 9,
+ PHP_EVENT_TLSv11_SERVER_METHOD = 10,
+ PHP_EVENT_TLSv12_CLIENT_METHOD = 11,
+ PHP_EVENT_TLSv12_SERVER_METHOD = 12
 };
 typedef struct _php_event_ssl_context_t {
repo owner - changed status to resolved
Hey, thanks for your contribution! :)
Now it's there in master.