Newsgroups: php.internals
Date: Wed, 29 Jan 2014 17:08:31 -0500
To: "internals@lists.php.net", anatol.php@belski.net
Subject: Re: Verify peers by default, merge error
From: rdlowrey@gmail.com (Daniel Lowrey)

> http://git.php.net/?p=php-src.git;a=commitdiff;h=6edc84fcdfc8e76507bc73122310fff4b6170b88
>
> I've just pushed a fix here
>
> http://git.php.net/?p=php-src.git;a=commitdiff;h=c91ad8233b46e1605b225c782efc3131f158d9be
>
> After that openssl in master seems to be doing fine, but could you please
> verify it?
>
> Thanks
> Anatol

Yes, Chris mentioned this yesterday but I was unaware of it until he pinged
me on Twitter this afternoon:

http://news.php.net/php.cvs/75832

The problem arises from an incorrect version number comparison against
OpenSSL:

#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)

0x0090806fL corresponds to 0.9.8e but the SNI functionality relying on this
version check was not introduced until OpenSSL 0.9.8f. The fix is to change
the version number to 0x00908070L which will accurately reflect the presence
of the required C functionality.

Enabling SNI by default (if available) is the only sensible option when
verifying peers by default. Your fix commit here solves the build problem
but also prevents users from utilizing SNI in their transfers. I'll merge
the appropriate fix shortly. Would've gotten to it sooner had I been aware :)

Regards,
Daniel
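
To check which release a constant in a version guard like the one quoted above denotes, the number can be decoded field by field. This is an added example, not code from the message or from php-src; it assumes the pre-3.0 layout documented in OpenSSL's opensslv.h, and `ossl_version_text` is a hypothetical helper name.

```c
#include <stdio.h>
#include <string.h>

/* Added example: decode a pre-3.0 OPENSSL_VERSION_NUMBER, laid out as
 * 0xMNNFFPPS in opensslv.h (major, minor, fix, patch letter, status).
 * ossl_version_text() is a hypothetical helper name, not an OpenSSL API. */
static const char *ossl_version_text(unsigned long v, char *buf, size_t len)
{
    unsigned major  = (unsigned)((v >> 28) & 0xf);
    unsigned minor  = (unsigned)((v >> 20) & 0xff);
    unsigned fix    = (unsigned)((v >> 12) & 0xff);
    unsigned patch  = (unsigned)((v >> 4) & 0xff);
    unsigned status = (unsigned)(v & 0xf);
    char letter[3] = "";
    char suffix[16] = "";

    /* Patch 0 has no letter, 1..26 map to 'a'..'z', 27..52 to "za".."zz". */
    if (patch >= 1 && patch <= 26) {
        letter[0] = (char)('a' + patch - 1);
    } else if (patch >= 27 && patch <= 52) {
        letter[0] = 'z';
        letter[1] = (char)('a' + patch - 27);
    } else if (patch > 52) {
        letter[0] = '?';
    }

    /* Status 0 is a development snapshot, 1..0xe a beta, 0xf a release. */
    if (status == 0)
        snprintf(suffix, sizeof suffix, "-dev");
    else if (status != 0xf)
        snprintf(suffix, sizeof suffix, "-beta%u", status);

    snprintf(buf, len, "%u.%u.%u%s%s", major, minor, fix, letter, suffix);
    return buf;
}

int main(void)
{
    /* The two constants quoted in the message above. */
    const unsigned long guards[] = { 0x0090806fUL, 0x00908070UL };
    char text[32];

    for (size_t i = 0; i < sizeof guards / sizeof guards[0]; i++)
        printf("0x%08lx -> %s\n", guards[i],
               ossl_version_text(guards[i], text, sizeof text));
    return 0;
}
```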