PHPC-633: Include libmongoc SSL, crypto, and SASL details in phpinfo() #498
Conversation
| # elif defined(MONGOC_ENABLE_SSL_SECURE_TRANSPORT) | ||
| php_info_print_table_row(2, "libmongoc SSL library", "Secure Transport"); | ||
| # elif defined(MONGOC_ENABLE_SSL_SECURE_CHANNEL) | ||
| php_info_print_table_row(2, "libmongoc SSL library", "Secure Channel"); |
There was a problem hiding this comment.
this looks like something that could easily break in the future.
Should mongoc provide a function to get this information?
Otherwise, when we start supporting gnuTLS for example, this will break
There was a problem hiding this comment.
Having libmongoc return a string would be helpful, but we won't have that available in 1.5.x anyway. I suppose we should have a final #else case that prints "other" or "unknown". This would only affect system library users running older versions of the PHP extension.
| php_info_print_table_row(2, "libbson headers version", BSON_VERSION_S); | ||
| php_info_print_table_row(2, "libbson library version", bson_get_version()); | ||
| #else | ||
| php_info_print_table_row(2, "libbson bundled version", BSON_VERSION_S); |
There was a problem hiding this comment.
Including "bundled" here was more clear than simply saying "libbson version". I also moved the libbson output above libmongoc in advance of adding the additional SSL, crypto, and SASL information.
| #else | ||
| php_info_print_table_row(2, "libbson version", BSON_VERSION_S); | ||
| php_info_print_table_row(2, "libmongoc SSL", "disabled"); |
There was a problem hiding this comment.
I realize we don't support building without SSL support, but this is for completeness' sake. I also wanted to keep binary enabled/disabled output for "libmongoc SSL", to match "libmongoc SASL".
| # elif defined(MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO) | ||
| php_info_print_table_row(2, "libmongoc crypto library", "Common Crypto"); | ||
| # elif defined(MONGOC_ENABLE_CRYPTO_CNG) | ||
| php_info_print_table_row(2, "libmongoc crypto library", "CNG"); |
There was a problem hiding this comment.
These values can technically be inferred from the SSL library, but I didn't see the harm in including them.
| # ifdef MONGOC_ENABLE_CRYPTO_SYSTEM_PROFILE | ||
| php_info_print_table_row(2, "libmongoc crypto system profile", "enabled"); | ||
| # else | ||
| php_info_print_table_row(2, "libmongoc crypto system profile", "disabled"); |
There was a problem hiding this comment.
AFAIK, this is currently only relevant to OpenSSL, which uses libcrypto. In any event, I liked including it at all times (if crypto is enabled) for consistency.
@bjori: Am I correct in assuming this will never apply to LibreSSL, despite the fact that it also uses libcrypto?
There was a problem hiding this comment.
this isn't related to libcrypto. This is related to which SSL/TLS ciphers we announce support for during SSL/TLS handshake.
The default for libressl's libtls is the string "secure" which currently is an alias for TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE.
We do not overwrite this and have no intention of exposing such option.
The default for OpenSSL is "every cipher I have ever heard of", so instead of that, we explicitly set the list of ciphers to HIGH:!EXPORT:!aNULL@STRENGTH which gets resolved into ciphers that noone really knows which are, but are what the "OpenSSL community" seems to recommend.
There is a way to configure OpenSSL to set a default ciphers for everything, rather then "support everything", and some distro's do this, in which case, explicitly providing a list of ciphers will overwrite the ciphers the distro wants to supports.
To be honest, I don't actually know if you can do such thing in libtls. It seems unlikely as it doesn't provide any additional value since the default configure is secure by default.
| php_info_print_table_row(2, "libmongoc SASL", "enabled"); | ||
| #else | ||
| php_info_print_table_row(2, "libmongoc SASL", "disabled"); | ||
| #endif |
There was a problem hiding this comment.
I don't think we care about reporting MONGOC_HAVE_SASL_CLIENT_DONE here.
| MongoDB extension version => 1.%d.%d%S | ||
| MongoDB extension stability => %s | ||
| libbson bundled version => 1.%d.%d%S | ||
| libmongoc bundled version => 1.%d.%d%S |
There was a problem hiding this comment.
libbson and libmongoc follow the same version format with optional trailing strings, so I updated these patterns to match our own.
| libmongoc crypto => enabled | ||
| libmongoc crypto library => %s | ||
| libmongoc crypto system profile => %s | ||
| libmongoc SASL => enabled |
There was a problem hiding this comment.
I'm making assumptions that CI will build with SSL and SASL, but make no assumptions about the SSL and cypto libraries. This should continue to work once we start supporting other libraries for Darwin and Windows.
https://jira.mongodb.org/browse/PHPC-633
Supersedes #265