Fix SSL handling when server does not support TLS

thekid · thekid · commit 387d48f4fce0 · 2019-12-24T16:52:13.000+01:00
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -3,6 +3,11 @@ HTTP protocol support for the XP Framework ChangeLog
 
 ## ?.?.? / ????-??-??
 
+## 9.1.4 / 2019-12-24
+
+* Fixed SSL handling when the server does not support TLS, see PR #25
+  (@patzerr, @thekid).
+
 ## 9.1.3 / 2019-12-24
 
 * Fixed HTTP *HEAD* requests when using `ext/curl` - @patzerr, @thekid
diff --git a/src/main/php/peer/http/SSLSocketHttpTransport.class.php b/src/main/php/peer/http/SSLSocketHttpTransport.class.php
@@ -1,8 +1,9 @@
 <?php namespace peer\http;
 
 use io\IOException;
-use peer\SSLSocket;
-use peer\TLSSocket;
+use peer\CryptoSocket;
+use peer\URL;
+use util\Objects;
 
 /**
  * Transport via SSL sockets
@@ -12,6 +13,23 @@
  * @see  xp://peer.http.HttpConnection
  */
 class SSLSocketHttpTransport extends SocketHttpTransport {
+  private static $crypto= [
+    'tls'    => STREAM_CRYPTO_METHOD_TLS_CLIENT,
+    'tlsv10' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
+    'tlsv11' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
+    'tlsv12' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
+    'sslv3'  => STREAM_CRYPTO_METHOD_SSLv3_CLIENT,
+    'sslv23' => STREAM_CRYPTO_METHOD_SSLv23_CLIENT,
+    'sslv2'  => STREAM_CRYPTO_METHOD_SSLv2_CLIENT
+  ];
+
+  static function __static() {
+
+    // See https://github.com/php/php-src/commit/5c05f5e6d3d31a03c152fe90697bdc3e33193ced, PHP 7.4+
+    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
+      self::$crypto['tlsv13']= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
+    }
+  }
 
   /**
    * Creates a socket - overridden from parent class
@@ -20,32 +38,16 @@ class SSLSocketHttpTransport extends SocketHttpTransport {
    * @param   string $arg
    * @return  peer.Socket
    */
-  protected function newSocket(\peer\URL $url, $arg) {
-    if ('tls' === $arg) {
-      return new TLSSocket($url->getHost(), $url->getPort(443), null);
+  protected function newSocket(URL $url, $arg) {
+    $socket= new CryptoSocket($url->getHost(), $url->getPort(443));
+    if (null === $arg) {
+      $socket->cryptoImpl= STREAM_CRYPTO_METHOD_ANY_CLIENT;
+    } else if ('v' === $arg[0]) {
+      $socket->cryptoImpl= self::$crypto['ssl'.$arg];
     } else {
-      sscanf($arg, 'v%d', $version);
-      return new SSLSocket($url->getHost(), $url->getPort(443), null, $version);
-    }
-  }
-
-  /**
-   * Enable cryptography on a given socket
-   *
-   * @param  peer.Socket $s
-   * @param  [:int] $methods
-   * @return void
-   * @throws io.IOException
-   */
-  protected function enable($s, $methods) {
-    $handle= $s->getHandle();
-    foreach ($methods as $name => $method) {
-      if (stream_socket_enable_crypto($handle, true, $method)) {
-        $this->cat && $this->cat->debug('@@@ Enabling', $name, 'cryptography');
-        return;
-      }
+      $socket->cryptoImpl= self::$crypto[$arg];
     }
-    throw new IOException('Cannot establish secure connection, tried '.implode(', ', array_keys($methods)));
+    return $socket;
   }
 
   /**
@@ -54,44 +56,41 @@ protected function enable($s, $methods) {
    * @param  peer.Socket $s Connection to proxy
    * @param  peer.http.HttpRequest $request
    * @param  peer.URL $url
+   * @return void
    * @throws io.IOException
    */
   protected function proxy($s, $request, $url) {
-    static $methods= [
-      'tls://'    => STREAM_CRYPTO_METHOD_TLS_CLIENT,
-      'tlsv10://' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
-      'tlsv11://' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
-      'tlsv12://' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
-      'sslv3://'  => STREAM_CRYPTO_METHOD_SSLv3_CLIENT,
-      'sslv23://' => STREAM_CRYPTO_METHOD_SSLv23_CLIENT,
-      'sslv2://'  => STREAM_CRYPTO_METHOD_SSLv2_CLIENT,
-    ];
-
     $connect= sprintf(
       "CONNECT %1\$s:%2\$d HTTP/1.1\r\nHost: %1\$s:%2\$d\r\n\r\n",
       $url->getHost(),
       $url->getPort(443)
     );
     $this->cat && $this->cat->info('>>>', substr($connect, 0, strpos($connect, "\r")));
     $s->write($connect);
+
+    // Verify we are actually talking to a HTTP proxy
     $handshake= $s->read();
+    if (4 !== ($r= sscanf($handshake, "HTTP/%*d.%*d %d %[^\r]", $status, $message))) {
+      throw new IOException('Proxy did not answer with valid HTTP: '.$handshake);
+    }
 
-    if (4 === ($r= sscanf($handshake, "HTTP/%*d.%*d %d %[^\r]", $status, $message))) {
-      while ($line= $s->readLine()) { $handshake.= $line."\n"; }
-      $this->cat && $this->cat->info('<<<', $handshake);
+    // Verify proxy answers with a 200 status code
+    while ($line= $s->readLine()) $handshake.= $line."\n";
+    $this->cat && $this->cat->info('<<<', $handshake);
+    if (200 !== $status) {
+      throw new IOException('Cannot connect through proxy: #'.$status.' '.$message);
+    }
 
-      if (200 === $status) {
-        stream_context_set_option($s->getHandle(), 'ssl', 'peer_name', $url->getHost());
-        if (isset($methods[$this->socket->_prefix])) {
-          $this->enable($s, [$this->socket->_prefix => $methods[$this->socket->_prefix]]);
-        } else {
-          $this->enable($s, $methods);
-        }
-      } else {
-        throw new IOException('Cannot connect through proxy: #'.$status.' '.$message);
+    // Enable cryptography
+    stream_context_set_option($s->getHandle(), 'ssl', 'peer_name', $url->getHost());
+    if (!stream_socket_enable_crypto($s->getHandle(), true, $this->socket->cryptoImpl)) {
+      $methods= '';
+      foreach (self::$crypto as $name => $flag) {
+        if ($flag === $this->socket->cryptoImpl & $flag) $methods.= ', '.$name;
       }
-    } else {
-      throw new IOException('Proxy did not answer with valid HTTP: '.$handshake);
+      throw new IOException('Cannot establish secure connection, tried '.substr($methods, 2));
     }
+
+    $this->cat && $this->cat->debug('@@@ Enabled cryptography: '.Objects::stringOf(stream_get_meta_data($s->getHandle())['crypto']));
   }
 }
