archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-20 09:24:05 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
php-src/ext/openssl/tests/stream_security_level.phpt
Nikita Popov 3ea57cf838 Reduce security level in some OpenSSL tests 
This allows tests using older protocols and algorithms to work
under OpenSSL 3.

Also account for minor changes in error reporting.
2021-08-04 10:00:40 +02:00

75 lines
2.6 KiB
PHP
Raw Permalink Blame History

--TEST--
security_level setting to prohibit cert
--EXTENSIONS--
openssl
--SKIPIF--
<?php
if (OPENSSL_VERSION_NUMBER < 0x10100000) die("skip OpenSSL >= v1.1.0 required");
if (!function_exists("proc_open")) die("skip no proc_open");
?>
--FILE--
<?php
// https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html
$securityLevel = 2;
// Security level 2 refuses certs signed by keys with length of less than 2048 bits
$keyLength = 1024;
$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level.pem.tmp';
$cacertFile = __DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level-ca.pem.tmp';
$serverCode = <<<'CODE'
$serverUri = "ssl://127.0.0.1:64322";
$serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
$serverCtx = stream_context_create(['ssl' => [
'local_cert' => '%s',
// Make sure the server side starts up successfully if the default security level is
// higher. We want to test the error at the client side.
'security_level' => 0,
]]);
$server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
phpt_notify();
@stream_socket_accept($server, 1);
CODE;
$serverCode = sprintf($serverCode, $certFile);
$clientCode = <<<'CODE'
$serverUri = "ssl://127.0.0.1:64322";
$clientFlags = STREAM_CLIENT_CONNECT;
$clientCtx = stream_context_create(['ssl' => [
'security_level' => %d,
'verify_peer' => true,
'cafile' => '%s',
'verify_peer_name' => false
]]);
phpt_wait();
$client = stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx);
var_dump($client);
CODE;
$clientCode = sprintf($clientCode, $securityLevel, $cacertFile);
include 'CertificateGenerator.inc';
$certificateGenerator = new CertificateGenerator();
$certificateGenerator->saveCaCert($cacertFile);
$certificateGenerator->saveNewCertAsFileWithKey('stream_security_level', $certFile, $keyLength);
include 'ServerClientTestCase.inc';
ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
?>
--CLEAN--
<?php
@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level.pem.tmp');
@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'stream_security_level-ca.pem.tmp');
?>
--EXPECTF--
Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:%s:SSL routines:%S:certificate verify failed in %s : eval()'d code on line %d
Warning: stream_socket_client(): Failed to enable crypto in %s : eval()'d code on line %d
Warning: stream_socket_client(): Unable to connect to ssl://127.0.0.1:64322 (Unknown error) in %s : eval()'d code on line %d
bool(false)
Reference in a new issue View git blame Copy permalink