79 lines
2.5 KiB
Diff
79 lines
2.5 KiB
Diff
From 74f75db0c3665677ec006cd379fd561feacffdc6 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Zelenka <bukka@php.net>
|
|
Date: Sun, 15 May 2022 13:49:17 +0100
|
|
Subject: [PATCH] Fix bug #79589: ssl3_read_n:unexpected eof while reading
|
|
|
|
The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent
|
|
truncation attack. However there are many non complaint servers and
|
|
it is causing break for many users including potential majority
|
|
of those where the truncation attack is not applicable. For that reason
|
|
we try to keep behavior consitent with older OpenSSL versions which is
|
|
also the path chosen by some other languages and web servers.
|
|
|
|
Closes GH-8369
|
|
---
|
|
NEWS | 4 ++++
|
|
ext/openssl/tests/bug79589.phpt | 21 +++++++++++++++++++++
|
|
ext/openssl/xp_ssl.c | 5 +++++
|
|
3 files changed, 30 insertions(+)
|
|
create mode 100644 ext/openssl/tests/bug79589.phpt
|
|
|
|
diff --git a/NEWS b/NEWS
|
|
index e270ad3f1821..83a891b47d06 100644
|
|
--- a/NEWS
|
|
+++ b/NEWS
|
|
@@ -11,6 +11,10 @@ PHP NEWS
|
|
. Fixed bug GH-8461 (tracing JIT crash after function/method change).
|
|
(Arnaud, Dmitry)
|
|
|
|
+- OpenSSL:
|
|
+ . Fixed bug #79589 (error:14095126:SSL routines:ssl3_read_n:unexpected eof
|
|
+ while reading). (Jakub Zelenka)
|
|
+
|
|
- SPL:
|
|
. Fixed bug GH-8235 (iterator_count() may run indefinitely). (cmb)
|
|
|
|
diff --git a/ext/openssl/tests/bug79589.phpt b/ext/openssl/tests/bug79589.phpt
|
|
new file mode 100644
|
|
index 000000000000..5d277e8c63ce
|
|
--- /dev/null
|
|
+++ b/ext/openssl/tests/bug79589.phpt
|
|
@@ -0,0 +1,21 @@
|
|
+--TEST--
|
|
+Bug #65538: TLS unexpected EOF failure
|
|
+--EXTENSIONS--
|
|
+openssl
|
|
+--SKIPIF--
|
|
+<?php
|
|
+if (getenv("SKIP_ONLINE_TESTS")) die("skip online test");
|
|
+?>
|
|
+--FILE--
|
|
+<?php
|
|
+
|
|
+$release = file_get_contents(
|
|
+ 'https://chromedriver.storage.googleapis.com/LATEST_RELEASE',
|
|
+ false,
|
|
+ stream_context_create(['ssl' => ['verify_peer'=> false]])
|
|
+);
|
|
+echo gettype($release);
|
|
+
|
|
+?>
|
|
+--EXPECT--
|
|
+string
|
|
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
|
|
index 918b3ca5b21d..ce23fb29f429 100644
|
|
--- a/ext/openssl/xp_ssl.c
|
|
+++ b/ext/openssl/xp_ssl.c
|
|
@@ -1639,6 +1639,11 @@ int php_openssl_setup_crypto(php_stream *stream,
|
|
|
|
ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
|
|
|
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
|
|
+ /* Only for OpenSSL 3+ to keep OpenSSL 1.1.1 behavior */
|
|
+ ssl_ctx_options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
|
|
+#endif
|
|
+
|
|
if (!GET_VER_OPT("disable_compression") || zend_is_true(val)) {
|
|
ssl_ctx_options |= SSL_OP_NO_COMPRESSION;
|
|
}
|