diff options
author | Remi Collet <remi@remirepo.net> | 2024-08-26 15:37:32 +0200 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2024-08-26 15:37:32 +0200 |
commit | 950ea724334b6cbc8a51aa9a7d32f42d5dced8b7 (patch) | |
tree | 7b5e87c39e55b9bf5727acc17e29f246d8909a49 /php-7.4.26-openssl3.patch | |
parent | 67b70950b734db9603280d90bf3b066354ab1fbc (diff) |
add backport for https://bugs.php.net/79589
error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading
Diffstat (limited to 'php-7.4.26-openssl3.patch')
-rw-r--r-- | php-7.4.26-openssl3.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/php-7.4.26-openssl3.patch b/php-7.4.26-openssl3.patch index c23c517..aec6b96 100644 --- a/php-7.4.26-openssl3.patch +++ b/php-7.4.26-openssl3.patch @@ -2602,3 +2602,39 @@ index b136729cb5..d0fd976376 100644 -- 2.41.0 +From 74f75db0c3665677ec006cd379fd561feacffdc6 Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka <bukka@php.net> +Date: Sun, 15 May 2022 13:49:17 +0100 +Subject: [PATCH] Fix bug #79589: ssl3_read_n:unexpected eof while reading + +The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent +truncation attack. However there are many non complaint servers and +it is causing break for many users including potential majority +of those where the truncation attack is not applicable. For that reason +we try to keep behavior consitent with older OpenSSL versions which is +also the path chosen by some other languages and web servers. + +Closes GH-8369 +--- + NEWS | 4 ++++ + ext/openssl/tests/bug79589.phpt | 21 +++++++++++++++++++++ + ext/openssl/xp_ssl.c | 5 +++++ + 3 files changed, 30 insertions(+) + create mode 100644 ext/openssl/tests/bug79589.phpt + +diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c +index 918b3ca5b21df..ce23fb29f4296 100644 +--- a/ext/openssl/xp_ssl.c ++++ b/ext/openssl/xp_ssl.c +@@ -1652,6 +1652,11 @@ int php_openssl_setup_crypto(php_stream *stream, + + ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + ++#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF ++ /* Only for OpenSSL 3+ to keep OpenSSL 1.1.1 behavior */ ++ ssl_ctx_options |= SSL_OP_IGNORE_UNEXPECTED_EOF; ++#endif ++ + if (!GET_VER_OPT("disable_compression") || zend_is_true(val)) { + ssl_ctx_options |= SSL_OP_NO_COMPRESSION; + } |