
Added SoapClient constructor option 'ssl_method' to specify ssl method #335

Closed
wants to merge 1 commit into from

Conversation

Iversion

SSL behavior was defaulting to SSLv23 which will always send the Client Hello
message in SSLv2. This sometimes results in a connection rejection when the
SOAP server rejects any traffic using SSLv2. This occurs on many IIS web
servers as well as Oracle/Sun web servers. SSLv2 has been deemed
highly insecure and has been deprecated for some time.

The new optional SoapClient constructor option, ssl_method, takes an argument
from the list of constants defined below:

SOAP_SSL_METHOD_TLS
SOAP_SSL_METHOD_SSLv2
SOAP_SSL_METHOD_SSLv3
SOAP_SSL_METHOD_SSLv23

If the ssl_method option is not specified it will default to the behavior
prior to this patch of using SSLv23. Specifying the SSL method will use the
proper URI protocol of 'sslv2', 'sslv3', 'tls' or the default sslv23 URI
protocol, 'ssl' when the PHP stream is created.

If a proxy is specified in the SoapClient constructor and
the connection is set to use SSL, an unencrypted stream will first be created
and encryption applied to the stream using the stream_socket_enable_crypto
client methods. If no SSL method is specified in the SoapClient constructor
the encryption method that is applied to an SSL connection through a proxy
will be STREAM_CRYPTO_METHOD_SSLv23_CLIENT which is the current default
behavior.

The ability to specify an SSL method is important to implement as other PHP
functions such as cURL have the ability to specify the SSL version to use.

@php-pulls

Comment on behalf of stas at php.net:

Merged by Dmitry.

@php-pulls php-pulls closed this Jun 24, 2013
/* uses contants declared in soap.c to determine ssl uri protocol */
switch (Z_LVAL_PP(tmp)) {
case SOAP_SSL_METHOD_TLS:
protocol = "tls";

Which TLS version is this?

Author

If TLS is specified it will use TLS 1.0. This is a similar issue to this bug report: https://bugs.php.net/bug.php?id=65329

Essentially, specifying TLS will use the STREAM_CRYPTO_METHOD_TLS_CLIENT option when the OpenSSL library encryption methods are called. Specifying the crypto method STREAM_CRYPTO_METHOD_SSLv23_CLIENT will negotiate TLS 1.1 and 1.2 if OpenSSL is recent enough. The latest versions of the OpenSSL extensions do give specifications for crypto methods for TLS 1.1 and 1.2:

STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT

Given that the OpenSSL extension has been brought up to date with the new crypto methods, the SOAP extension could be patched to include a specification for TLS 1.1 and 1.2 as well.

On Jan 9, 2014, at 5:35 AM, dargolf [email protected] wrote:

In ext/soap/php_http.c:

@@ -189,7 +190,41 @@ static php_stream* http_connect(zval* this_ptr, php_url *phpurl, int use_ssl, ph
old_error_reporting = EG(error_reporting);
EG(error_reporting) &= ~(E_WARNING|E_NOTICE|E_USER_WARNING|E_USER_NOTICE);

  • namelen = spprintf(&name, 0, "%s://%s:%d", (use_ssl && !*use_proxy)? "ssl" : "tcp", host, port);
  • /* Changed ternary operator to an if/else so that additional comparisons can be done on the ssl_method property */
  • if (use_ssl && !*use_proxy) {
  •   if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_ssl_method", sizeof("_ssl_method"), (void **) &tmp) == SUCCESS &&
    
  •       Z_TYPE_PP(tmp) == IS_LONG) {
    
  •       /\* uses contants declared in soap.c to determine ssl uri protocol */
    
  •       switch (Z_LVAL_PP(tmp)) {
    
  •           case SOAP_SSL_METHOD_TLS:
    
  •               protocol = "tls";
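Review bot: `protocol = "tls"` selects PHP's `tls://` transport, which on the PHP releases this targets negotiates TLS 1.0 only (the author's reply above confirms this), so a caller who chooses SOAP_SSL_METHOD_TLS to get away from SSLv2/SSLv3 still cannot reach a server that requires TLS 1.1 or 1.2; state that limitation in the option's documentation and consider additional SOAP_SSL_METHOD_* values that map to the STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT and STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT methods the OpenSSL extension now exposes. Minor: the comment reads "contants" (should be "constants"), and the line "Changed ternary operator to an if/else ..." describes the edit history rather than the code and can be dropped.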
    
    Which TLS version is this?


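The following is an added example, not code from PR #335 or from php-src. It shows, from the calling side, what the PR description and the TLS-version reply above amount to in practice: how the ssl_method constants map onto PHP's stream transports and STREAM_CRYPTO_METHOD_* flags, how to pick the TLS 1.1/1.2 client methods where the OpenSSL extension defines them, and how to check which SSL/TLS transports a PHP build registers. The WSDL URL and CA file path are placeholders.

```php
<?php
// Added example, not code from PR #335 or from php-src. Maps the
// SoapClient ssl_method option onto PHP stream transports and crypto
// methods, and builds a client that never opens with an SSLv2/SSLv3
// hello and verifies the server certificate.

/**
 * Transport scheme the PR says SoapClient uses for a direct (non-proxy)
 * HTTPS connection, keyed by SOAP_SSL_METHOD_* constant.
 */
function soapSslMethodToScheme($method)
{
    switch ($method) {
        case SOAP_SSL_METHOD_TLS:    return 'tls';
        case SOAP_SSL_METHOD_SSLv2:  return 'sslv2';
        case SOAP_SSL_METHOD_SSLv3:  return 'sslv3';
        case SOAP_SSL_METHOD_SSLv23: return 'ssl';
    }
    throw new InvalidArgumentException("unknown ssl_method: $method");
}

/**
 * Crypto method to prefer for a TLS client. Uses the TLS 1.2/1.1 client
 * flags when this PHP build defines them (the OpenSSL extension added them
 * in PHP 5.6); otherwise falls back to STREAM_CRYPTO_METHOD_TLS_CLIENT,
 * which the PR author notes meant TLS 1.0 on the releases of the time.
 */
function preferredTlsCryptoMethod()
{
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT')) {
        $method = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
        if (defined('STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT')) {
            $method |= STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
        }
        return $method;
    }
    return STREAM_CRYPTO_METHOD_TLS_CLIENT;
}

/**
 * Report which SSL/TLS transports this PHP build registers, so an operator
 * can confirm that 'tls' exists and notice if 'sslv2' is still available.
 */
function sslTransportReport()
{
    $available = stream_get_transports();
    $report = array();
    foreach (array('sslv2', 'sslv3', 'tls', 'ssl') as $scheme) {
        $report[$scheme] = in_array($scheme, $available, true);
    }
    return $report;
}

/**
 * Build a SoapClient that starts with a TLS hello on both the direct path
 * (ssl_method) and the generic SSL stream wrapper (crypto_method), and that
 * verifies the server certificate against a known CA bundle.
 */
function makeSoapClient($wsdl, $cafile)
{
    $context = stream_context_create(array(
        'ssl' => array(
            'verify_peer'      => true,
            'verify_peer_name' => true,                       // PHP >= 5.6
            'cafile'           => $cafile,
            'crypto_method'    => preferredTlsCryptoMethod(), // honoured by the ssl wrapper from PHP 5.6
        ),
    ));

    return new SoapClient($wsdl, array(
        'ssl_method'     => SOAP_SSL_METHOD_TLS, // the option added by this PR
        'stream_context' => $context,
        'exceptions'     => true,
        'cache_wsdl'     => WSDL_CACHE_NONE,
    ));
}

// Usage with placeholder values:
// print_r(sslTransportReport());
// $client = makeSoapClient('https://soap.example.invalid/service?wsdl',
//                          '/etc/ssl/certs/ca-certificates.crt');
// $client->__soapCall('ping', array());
```

The transport report is the quick check worth running before relying on ssl_method: if `tls` is absent the option cannot help, and if `sslv2` is still registered the build's OpenSSL is old enough that the default SSLv23 path described in the PR is what a server will see. On PHP builds that expose the TLSv1_1/TLSv1_2 client methods, `preferredTlsCryptoMethod()` avoids being pinned to TLS 1.0 for the generic wrapper; the SOAP-specific ssl_method option itself only offers the four constants listed in the PR.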
