
Commit 487bfc0

committed
PHP-1414: SSL peer verification should reference stream->context options
1 parent e35d72d commit 487bfc0

1 file changed

+9
-9
lines changed

1 file changed

+9
-9
lines changed

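--- a/io_stream.c
+++ b/io_stream.c
@@ -117,13 +117,6 @@ void* php_mongo_io_stream_connect(mongo_con_manager *manager, mongo_server_def *
 mongo_manager_log(manager, MLOG_CON, MLOG_FINE, "Connecting to %s (%s) without connection timeout (default_socket_timeout will be used)", dsn, hash);
 }
 
-/* Capture the server certificate, if SSL is enabled, so we can do further verification */
-if (options->ssl && options->ctx) {
-zval capture;
-ZVAL_BOOL(&capture, 1);
-php_stream_context_set_option(options->ctx, "ssl", "capture_peer_cert", &capture);
-}
-
 zend_replace_error_handling(EH_THROW, mongo_ce_ConnectionException, &error_handler TSRMLS_CC);
 stream = php_stream_xport_create(dsn, dsn_len, 0, STREAM_XPORT_CLIENT | STREAM_XPORT_CONNECT, hash, options->connectTimeoutMS > 0 ? &ctimeout : NULL, (php_stream_context *)options->ctx, &errmsg, &errcode);
 zend_restore_error_handling(&error_handler TSRMLS_CC);
@@ -148,6 +141,13 @@ void* php_mongo_io_stream_connect(mongo_con_manager *manager, mongo_server_def *
 if (options->ssl) {
 int crypto_enabled;
 
+/* Capture the server certificate so we can do further verification */
+if (stream->context) {
+zval capture;
+ZVAL_BOOL(&capture, 1);
+php_stream_context_set_option(stream->context, "ssl", "capture_peer_cert", &capture);
+}
+
 zend_replace_error_handling(EH_THROW, mongo_ce_ConnectionException, &error_handler TSRMLS_CC);
 
 /* PHP 5.6.0 until 5.6.7 screwed things a bit, see https://bugs.php.net/bug.php?id=69195 */
@@ -202,7 +202,7 @@ void* php_mongo_io_stream_connect(mongo_con_manager *manager, mongo_server_def *
 
 #if PHP_VERSION_ID < 50600
 /* This option is available since PHP 5.6.0 */
-if (php_stream_context_get_option(options->ctx, "ssl", "verify_peer_name", &verify_peer_name) == SUCCESS && zend_is_true(*verify_peer_name)) {
+if (php_stream_context_get_option(stream->context, "ssl", "verify_peer_name", &verify_peer_name) == SUCCESS && zend_is_true(*verify_peer_name)) {
 if (php_mongo_verify_hostname(server, cert TSRMLS_CC) == FAILURE) {
 *error_message = strdup("Cannot verify remote certificate: Hostname doesn't match");
 mongo_manager_log(manager, MLOG_CON, MLOG_WARN, "Remote certificate SubjectAltName or CN does not match '%s'", server->host);
@@ -214,7 +214,7 @@ void* php_mongo_io_stream_connect(mongo_con_manager *manager, mongo_server_def *
 mongo_manager_log(manager, MLOG_CON, MLOG_WARN, "Not verifying peer name for %s:%d, please use 'verify_peer_name' SSL context option", server->host, server->port);
 }
 #endif
-if (php_stream_context_get_option(options->ctx, "ssl", "verify_expiry", &verify_expiry) == SUCCESS && zend_is_true(*verify_expiry)) {
+if (php_stream_context_get_option(stream->context, "ssl", "verify_expiry", &verify_expiry) == SUCCESS && zend_is_true(*verify_expiry)) {
 time_t current = time(NULL);
 time_t valid_from = php_mongo_asn1_time_to_time_t(X509_get_notBefore(cert) TSRMLS_CC);
 time_t valid_until = php_mongo_asn1_time_to_time_t(X509_get_notAfter(cert) TSRMLS_CC);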
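Review bot: The new capture block is guarded by `if (stream->context)`, but the `php_stream_context_get_option(stream->context, ...)` lookups for `verify_peer_name` and `verify_expiry` in the last two hunks are not guarded, so if `stream->context` can be NULL here, as the guard implies, those calls dereference it. Either the guard is unnecessary because the transport layer always attaches a context, in which case it should be dropped and the assumption stated in a comment, or the two lookups need the same guard, e.g. `if (stream->context && php_stream_context_get_option(stream->context, "ssl", "verify_expiry", &verify_expiry) == SUCCESS && zend_is_true(*verify_expiry)) {`. Note also that when the guard is false no peer certificate is captured and, as far as this hunk shows, the verify_* checks that depend on `cert` are silently skipped; a comment on the guard such as `/* No context attached: no peer cert is captured and the verify_* options below cannot be read */` would make that fail-open path visible to the next reader. The enclosing function php_mongo_io_stream_connect starts before the first hunk and continues after the last one, so whether `cert` is obtained on a different path when no context exists cannot be confirmed from this diff.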
