* master: (41 commits)
Update copyright year to 2014
Update copyright year to 2014
Update copyright year to 2014
Update copyright year to 2014
Update copyright year to 2014
Update copyright year to 2014
Update copyright year to 2014
NEWS
Fix Request #67453 Allow to unserialize empty data.
Update copyright year to 2014
Update copyright year for re2c generated files
Update copyright year to 2014
Update copyright year for re2c files as well
Fix patch for bug #67436
fix failed test
Fix test on modern distro where old unsecure algo are disabled in openssl config. Testing recent algo should be enough to check this function.
Added tests for bug 67436
Fixed wrong XFAIL test - already fixed
Fix typo in Bug #67406 NEWS entry
Fix typo in Bug #67406 NEWS entry
...
Conflicts:
Zend/zend_compile.c
ext/session/session.c
ext/standard/array.c
ext/standard/http_fopen_wrapper.c
tests/classes/bug63462.phpt
* PHP-5.6:
Fix test on modern distro where old unsecure algo are disabled in openssl config. Testing recent algo should be enough to check this function.
* master: (77 commits)
NEWS entry for Fix potential segfault in dns_get_record()
NEWS entry for "Fix potential segfault in dns_get_record()"
NEWS entry for Fix potential segfault in dns_get_record(
Fix potential segfault in dns_get_record()
Revert "Add optional second arg to unserialize()"
5.5.15 now
update NEWS
Fix bug #66127 (Segmentation fault with ArrayObject unset)
5.4.31 next
Add NEWS. This doesn't need UPGRADING (or an RFC), IMO.
Fix broken test.
Add a mime type map generation script and update the header.
Move the mime type map out of php_cli_server.c for easier generation.
Replace the CLI server's linear search for extensions with a hash table.
fix test
Remove unused included file
NEWS
NEWS
NEWS
Fixed Bug #67413 fileinfo: cdf_read_property_info insufficient boundary chec
...
Conflicts:
Zend/zend_closures.c
Zend/zend_execute.c
Zend/zend_vm_def.h
Zend/zend_vm_execute.h
ext/spl/spl_array.c
ext/standard/basic_functions.c
ext/standard/dns.c
ext/standard/var.c
Switch to SHA1, which match internal openssl hardcoded algo.
In most case, won't even be noticed
- priority on user input (default_md)
- fallback on system config
- fallback on this default value
Recent system reject MD5 digest, noticed in bug36732.phpt failure.
While SHA1 is better than MD5, SHA256 is recommenced,
and defined as default algo in provided configuration on
recent system (Fedora 21, RHEL-7, ...). But the idea is to
keep in sync with openssl internal value for PHP internal value.
* PHP-5.6:
Set default Digest Message to use SHA1 instead of MD5 in openssl tests as MD5 signature are now rejected by newer openssl Version.
Add NEWS/UPGRADING notes (openssl + curl)
- New "SNI_server_certs" context option maps host names to
appropriate certs should client handshakes advertise the
SNI extension:
$ctx = stream_context_create(["ssl" => [
"local_cert" => "/path/to/cert.pem",
"SNI_server_certs" => [
"domain1.com" => "/path/to/domain1.pem",
"*.domain2.com" => "/path/to/domain2.pem",
"domain3.com" => "/path/to/domain3.pem"
]
]]);
- Prefixing a "*." will utilize the matching cert if a client
requests the primary host name or any subdomain thereof. So
in the above example our "domain2.pem" will be used for both
requests to "domain2.com" -and- "subdomain.domain2.com"
- The "SNI_server_certs" ctx option has no effect for client
streams.
- SNI support is enabled by default as of 5.6 for both servers
and clients. Servers must specify the "SNI_server_certs" array
to actually use the SNI extension, though.
- If the `"SNI_enabled" => false` ctx option is also passed then
"SNI_server_certs" has no effect.
- While supporting SNI by itself is enough to successfully
negotiate the TLS handshake with many clients, servers MUST
still specify a "local_cert" ctx option or run the risk of
connection failures from clients that do not support the SNI
extension.
- All streams-related code now lives in xp_ssl.c. Previously
stream code was split across both openssl.c and xp_ssl.c
- Folded superfluous php_openssl_structs.h into xp_ssl.c
- Server-specific options now set on SSL_CTX instead of SSL
- Deprecate SNI_server_name ctx option
- Miscellaneous refactoring
Previously the "capture_peer_cert" SSL context option only
captured the peer's certificate if the verification routine
succeeded.
By also capturing the on verify failure applications have the
ability to parse the cert and ask users whether they wish to
proceed given the information presented by the peer.
- Clean up properly at all fail points in native Windows peer
verification routine
- Bring certificate usages and chain flags into line with chromium
implementation in windows environments
