[packages/php.git] / php-mysql-ssl-context.patch

commit 8292260515a904b4d515484145c78f33a06ae1ae
Author: Andrey Hristov <andrey@php.net>
Date:   Wed Oct 21 15:10:24 2015 +0200

    Fix for Bug #68344 	MySQLi does not provide way to disable peer certificate validation

diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt
index 78540f1..349d6db 100644
--- a/ext/mysqli/tests/bug51647.phpt
+++ b/ext/mysqli/tests/bug51647.phpt
@@ -65,9 +65,43 @@ $link->close();
 	} else {
 		if (!$row = $res->fetch_assoc())
 			printf("[006] [%d] %s\n", $link->errno, $link->error);
+		if (!strlen($row["Value"]))
+			printf("[007] Empty cipher. No encrytion!");
 	}
 
 	var_dump($row);
+	$link->close();
+
+	if (!is_object($link = mysqli_init()))
+		printf("[008] Cannot create link\n");
+
+	if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL)) {
+		printf("[009] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
+	}
+
+	if (!$res = $link->query('SHOW STATUS like "Ssl_cipher"')) {
+		if (1064 == $link->errno) {
+			/* ERROR 1064 (42000): You have an error in your SQL syntax;  = sql strict mode */
+			if ($res = $link->query("SHOW STATUS")) {
+				while ($row = $res->fetch_assoc())
+					if ($row['Variable_name'] == 'Ssl_cipher')
+						break;
+			} else {
+				printf("[010] [%d] %s\n", $link->errno, $link->error);
+			}
+		} else {
+			printf("[011] [%d] %s\n", $link->errno, $link->error);
+		}
+	} else {
+		if (!$row = $res->fetch_assoc())
+			printf("[012] [%d] %s\n", $link->errno, $link->error);
+		if (!strlen($row["Value"]))
+			printf("[013] Empty cipher. No encrytion!");
+	}
+
+	var_dump($row);
+
+	$link->close();
 
 	print "done!";
 ?>
@@ -78,4 +112,10 @@ array(2) {
   ["Value"]=>
   string(%d) "%S"
 }
+array(2) {
+  ["Variable_name"]=>
+  string(10) "Ssl_cipher"
+  ["Value"]=>
+  string(%d) "%S"
+}
 done!
diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
index 69f4b7a..4cbe9de 100644
--- a/ext/mysqlnd/mysqlnd_net.c
+++ b/ext/mysqlnd/mysqlnd_net.c
@@ -901,6 +901,12 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 		zval verify_peer_zval;
 		ZVAL_TRUE(&verify_peer_zval);
 		php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+		php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
+	} else {
+		zval verify_peer_zval;
+		ZVAL_FALSE(&verify_peer_zval);
+		php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+		php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
 	}
 	if (net->data->options.ssl_cert) {
 		zval cert_zval;
@@ -918,7 +924,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 	if (net->data->options.ssl_capath) {
 		zval capath_zval;
 		ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
-		php_stream_context_set_option(context, "ssl", "cafile", &capath_zval);
+		php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
 	}
 	if (net->data->options.ssl_passphrase) {
 		zval passphrase_zval;
commit afd31489d0d9999f701467e99ef2b40794eed196
Author: Andrey Hristov <andrey@php.net>
Date:   Thu Oct 22 11:48:53 2015 +0200

    Improve fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation

diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
index e028d60..198ed83 100644
--- a/ext/mysqli/mysqli.c
+++ b/ext/mysqli/mysqli.c
@@ -715,6 +715,9 @@ PHP_MINIT_FUNCTION(mysqli)
 	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_IGNORE_SPACE", CLIENT_IGNORE_SPACE, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_NO_SCHEMA", CLIENT_NO_SCHEMA, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS | CONST_PERSISTENT);
+#ifdef CLIENT_SSL_VERIFY_SERVER_CERT
+	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
+#endif
 #if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) || defined(MYSQLI_USE_MYSQLND)
 	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("MYSQLI_OPT_CAN_HANDLE_EXPIRED_PASSWORDS", MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt
index dd0f769..1cb31cc 100644
--- a/ext/mysqli/tests/mysqli_constants.phpt
+++ b/ext/mysqli/tests/mysqli_constants.phpt
@@ -136,6 +136,9 @@ require_once('skipifconnectfailure.inc');
 		$expected_constants['MYSQLI_SERVER_QUERY_WAS_SLOW'] = true;
 	}
 
+	if ($version >= 50033 || $IS_MYSQLND) {
+		$expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
+	}
 
 	/* First introduced in MySQL 6.0, backported to MySQL 5.5 */
 	if ($version >= 50606 || $IS_MYSQLND) {
diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
index 4cbe9de..7b164ac 100644
--- a/ext/mysqlnd/mysqlnd_net.c
+++ b/ext/mysqlnd/mysqlnd_net.c
@@ -897,14 +897,9 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 		ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
 		php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
 	}
-	if (net->data->options.ssl_verify_peer) {
-		zval verify_peer_zval;
-		ZVAL_TRUE(&verify_peer_zval);
-		php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
-		php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
-	} else {
+	{
 		zval verify_peer_zval;
-		ZVAL_FALSE(&verify_peer_zval);
+		ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer);
 		php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
 		php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
 	}
commit 6d51b7b2e3468601acdaaf9041c9131b5aa47f98
Author: Andrey Hristov <andrey@php.net>
Date:   Tue Oct 27 12:59:09 2015 +0100

    Another Fix for Bug #68344  MySQLi does not provide way to disable peer certificate validation
    Added the possibility to explicitly state that the peer certificate should not be checked.
    Back to the default - checking the certificate.
    Exported MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
    Usage : mysqli_real_connect( , , , , , MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)
    
    If mysqli_ssl_set() is not called, but only MYSQLI_CLIENT_SSL is passed, without the (don't) very flag,
    then no verification takes place.

diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
index 198ed83..5e40d19 100644
--- a/ext/mysqli/mysqli.c
+++ b/ext/mysqli/mysqli.c
@@ -717,6 +717,9 @@ PHP_MINIT_FUNCTION(mysqli)
 	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS | CONST_PERSISTENT);
 #ifdef CLIENT_SSL_VERIFY_SERVER_CERT
 	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
+#if defined(MYSQLI_USE_MYSQLND)
+	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT", CLIENT_SSL_DONT_VERIFY_SERVER_CERT, CONST_CS | CONST_PERSISTENT);
+#endif
 #endif
 #if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) || defined(MYSQLI_USE_MYSQLND)
 	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS | CONST_PERSISTENT);
diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt
index 349d6db..7385538 100644
--- a/ext/mysqli/tests/bug51647.phpt
+++ b/ext/mysqli/tests/bug51647.phpt
@@ -41,11 +41,7 @@ $link->close();
 	if (!is_object($link = mysqli_init()))
 		printf("[001] Cannot create link\n");
 
-	$path_to_pems = !$IS_MYSQLND? "ext/mysqli/tests/" : "";
-	if (!$link->ssl_set("{$path_to_pems}client-key.pem", "{$path_to_pems}client-cert.pem", "{$path_to_pems}cacert.pem","",""))
-		printf("[002] [%d] %s\n", $link->errno, $link->error);
-
-	if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket)) {
+	if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)) {
 		printf("[003] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
 	}
 
@@ -67,9 +63,9 @@ $link->close();
 			printf("[006] [%d] %s\n", $link->errno, $link->error);
 		if (!strlen($row["Value"]))
 			printf("[007] Empty cipher. No encrytion!");
+		var_dump($row);
 	}
 
-	var_dump($row);
 	$link->close();
 
 	if (!is_object($link = mysqli_init()))
@@ -97,10 +93,9 @@ $link->close();
 			printf("[012] [%d] %s\n", $link->errno, $link->error);
 		if (!strlen($row["Value"]))
 			printf("[013] Empty cipher. No encrytion!");
+		var_dump($row);
 	}
 
-	var_dump($row);
-
 	$link->close();
 
 	print "done!";
diff --git a/ext/mysqli/tests/bug55283.phpt b/ext/mysqli/tests/bug55283.phpt
index d03daae..a10c604 100644
--- a/ext/mysqli/tests/bug55283.phpt
+++ b/ext/mysqli/tests/bug55283.phpt
@@ -40,7 +40,7 @@ $link->close();
 	$db1 = new mysqli();
 
 
-	$flags = MYSQLI_CLIENT_SSL;
+	$flags = MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
 
 	$link = mysqli_init();
 	mysqli_ssl_set($link, null, null, null, null, "RC4-MD5");
diff --git a/ext/mysqli/tests/connect.inc b/ext/mysqli/tests/connect.inc
index 67ce60a..606d1d3 100644
--- a/ext/mysqli/tests/connect.inc
+++ b/ext/mysqli/tests/connect.inc
@@ -9,7 +9,7 @@
 	$driver    = new mysqli_driver;
 
 	$host      = getenv("MYSQL_TEST_HOST")     ? getenv("MYSQL_TEST_HOST") : "127.0.0.1";
-	$port      = getenv("MYSQL_TEST_PORT")     ? getenv("MYSQL_TEST_PORT") : 3308;
+	$port      = getenv("MYSQL_TEST_PORT")     ? getenv("MYSQL_TEST_PORT") : 3306;
 	$user      = getenv("MYSQL_TEST_USER")     ? getenv("MYSQL_TEST_USER") : "root";
 	$passwd    = getenv("MYSQL_TEST_PASSWD")   ? getenv("MYSQL_TEST_PASSWD") : "";
 	$db        = getenv("MYSQL_TEST_DB")       ? getenv("MYSQL_TEST_DB") : "test";
@@ -87,9 +87,8 @@
 		function my_mysqli_connect($host, $user, $passwd, $db, $port, $socket, $enable_env_flags = true) {
 			global $connect_flags;
 
-			$flags = ($enable_env_flags) ? $connect_flags : false;
-
-			if ($flags !== false) {
+			$flags = $enable_env_flags? $connect_flags:0;
+			if ($flags !== 0) {
 				$link = mysqli_init();
 				if (!mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, $flags))
 					$link = false;
@@ -109,7 +108,7 @@
 			global $connect_flags;
 
 			if ($enable_env_flags)
-				$flags & $connect_flags;
+				$flags = $flags | $connect_flags;
 
 			return mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, $flags);
 		}
@@ -118,7 +117,7 @@
 			public function __construct($host, $user, $passwd, $db, $port, $socket, $enable_env_flags = true) {
 				global $connect_flags;
 
-				$flags = ($enable_env_flags) ? $connect_flags : false;
+				$flags = ($enable_env_flags) ? $connect_flags : 0;
 
 				if ($flags !== false) {
 					parent::init();
diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt
index 1cb31cc..cc5fa9f 100644
--- a/ext/mysqli/tests/mysqli_constants.phpt
+++ b/ext/mysqli/tests/mysqli_constants.phpt
@@ -139,6 +139,9 @@ require_once('skipifconnectfailure.inc');
 	if ($version >= 50033 || $IS_MYSQLND) {
 		$expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
 	}
+	if ($IS_MYSQLND) {
+		$expected_constants['MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT'] = true;
+	}
 
 	/* First introduced in MySQL 6.0, backported to MySQL 5.5 */
 	if ($version >= 50606 || $IS_MYSQLND) {
diff --git a/ext/mysqlnd/mysqlnd.c b/ext/mysqlnd/mysqlnd.c
index f008986..94a3149 100644
--- a/ext/mysqlnd/mysqlnd.c
+++ b/ext/mysqlnd/mysqlnd.c
@@ -472,6 +472,7 @@ mysqlnd_switch_to_ssl_if_needed(
 	DBG_INF_FMT("CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA=	%d", mysql_flags & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA? 1:0);
 	DBG_INF_FMT("CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS=	%d", mysql_flags & CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS? 1:0);
 	DBG_INF_FMT("CLIENT_SESSION_TRACK=		%d", mysql_flags & CLIENT_SESSION_TRACK? 1:0);
+	DBG_INF_FMT("CLIENT_SSL_DONT_VERIFY_SERVER_CERT=	%d", mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT? 1:0);
 	DBG_INF_FMT("CLIENT_SSL_VERIFY_SERVER_CERT=	%d", mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? 1:0);
 	DBG_INF_FMT("CLIENT_REMEMBER_OPTIONS=		%d", mysql_flags & CLIENT_REMEMBER_OPTIONS? 1:0);
 
@@ -495,7 +496,11 @@ mysqlnd_switch_to_ssl_if_needed(
 		if (server_has_ssl == FALSE) {
 			goto close_conn;
 		} else {
-			zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? TRUE:FALSE;
+			enum mysqlnd_ssl_peer verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT?
+												MYSQLND_SSL_PEER_VERIFY:
+												(mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT?
+													MYSQLND_SSL_PEER_DONT_VERIFY:
+													MYSQLND_SSL_PEER_DEFAULT);
 			DBG_INF("Switching to SSL");
 			if (!PACKET_WRITE(auth_packet, conn)) {
 				goto close_conn;
diff --git a/ext/mysqlnd/mysqlnd_enum_n_def.h b/ext/mysqlnd/mysqlnd_enum_n_def.h
index c1ede7e..9e29da2 100644
--- a/ext/mysqlnd/mysqlnd_enum_n_def.h
+++ b/ext/mysqlnd/mysqlnd_enum_n_def.h
@@ -101,6 +101,10 @@
 #define CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA	(1UL << 21) /* Enable authentication response packet to be larger than 255 bytes. */
 #define CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS		(1UL << 22) /* Don't close the connection for a connection with expired password. */
 #define CLIENT_SESSION_TRACK					(1UL << 23) /* Extended OK */
+/*
+  This is a mysqlnd extension. CLIENT_ODBC is not used anyway. We will reuse it for our case and translate it to not using SSL peer verification
+*/
+#define CLIENT_SSL_DONT_VERIFY_SERVER_CERT	CLIENT_ODBC
 #define CLIENT_SSL_VERIFY_SERVER_CERT	(1UL << 30)
 #define CLIENT_REMEMBER_OPTIONS			(1UL << 31)
 
diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
index 7b164ac..3e8d099 100644
--- a/ext/mysqlnd/mysqlnd_net.c
+++ b/ext/mysqlnd/mysqlnd_net.c
@@ -798,8 +798,27 @@ MYSQLND_METHOD(mysqlnd_net, set_client_option)(MYSQLND_NET * const net, enum mys
 				break;
 			}
 		case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
-			net->data->options.ssl_verify_peer = value? ((*(zend_bool *)value)? TRUE:FALSE): FALSE;
+		{
+			enum mysqlnd_ssl_peer val = *((enum mysqlnd_ssl_peer *)value);
+			switch (val) {
+				case MYSQLND_SSL_PEER_VERIFY:
+					DBG_INF("MYSQLND_SSL_PEER_VERIFY");
+					break;
+				case MYSQLND_SSL_PEER_DONT_VERIFY:
+					DBG_INF("MYSQLND_SSL_PEER_DONT_VERIFY");
+					break;
+				case MYSQLND_SSL_PEER_DEFAULT:
+					DBG_INF("MYSQLND_SSL_PEER_DEFAULT");
+					val = MYSQLND_SSL_PEER_DEFAULT;
+					break;
+				default:
+					DBG_INF("default = MYSQLND_SSL_PEER_DEFAULT_ACTION");
+					val = MYSQLND_SSL_PEER_DEFAULT;
+					break;
+			}
+			net->data->options.ssl_verify_peer = val;
 			break;
+		}
 		case MYSQL_OPT_READ_TIMEOUT:
 			net->data->options.timeout_read = *(unsigned int*) value;
 			break;
@@ -886,6 +905,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 #ifdef MYSQLND_SSL_SUPPORTED
 	php_stream_context * context = php_stream_context_alloc(TSRMLS_C);
 	php_stream * net_stream = net->data->m.get_stream(net TSRMLS_CC);
+	zend_bool any_flag = FALSE;
 
 	DBG_ENTER("mysqlnd_net::enable_ssl");
 	if (!context) {
@@ -896,12 +916,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 		zval key_zval;
 		ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
 		php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
-	}
-	{
-		zval verify_peer_zval;
-		ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer);
-		php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
-		php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
+		any_flag = TRUE;
 	}
 	if (net->data->options.ssl_cert) {
 		zval cert_zval;
@@ -910,27 +925,48 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
 		if (!net->data->options.ssl_key) {
 			php_stream_context_set_option(context, "ssl", "local_pk", &cert_zval);
 		}
+		any_flag = TRUE;
 	}
 	if (net->data->options.ssl_ca) {
 		zval cafile_zval;
 		ZVAL_STRING(&cafile_zval, net->data->options.ssl_ca, 0);
 		php_stream_context_set_option(context, "ssl", "cafile", &cafile_zval);
+		any_flag = TRUE;
 	}
 	if (net->data->options.ssl_capath) {
 		zval capath_zval;
 		ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
 		php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
+		any_flag = TRUE;
 	}
 	if (net->data->options.ssl_passphrase) {
 		zval passphrase_zval;
 		ZVAL_STRING(&passphrase_zval, net->data->options.ssl_passphrase, 0);
 		php_stream_context_set_option(context, "ssl", "passphrase", &passphrase_zval);
+		any_flag = TRUE;
 	}
 	if (net->data->options.ssl_cipher) {
 		zval cipher_zval;
 		ZVAL_STRING(&cipher_zval, net->data->options.ssl_cipher, 0);
 		php_stream_context_set_option(context, "ssl", "ciphers", &cipher_zval);
+		any_flag = TRUE;
+	}
+	{
+		zval verify_peer_zval;
+		zend_bool verify;
+
+		if (net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_DEFAULT) {
+			net->data->options.ssl_verify_peer = any_flag? MYSQLND_SSL_PEER_DEFAULT_ACTION:MYSQLND_SSL_PEER_DONT_VERIFY;
+		}
+
+		verify = net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_VERIFY? TRUE:FALSE;
+
+		DBG_INF_FMT("VERIFY=%d", verify);
+		ZVAL_BOOL(&verify_peer_zval, verify);
+		php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
+		php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
 	}
+
 	php_stream_context_set(net_stream, context);
 	if (php_stream_xport_crypto_setup(net_stream, STREAM_CRYPTO_METHOD_TLS_CLIENT, NULL TSRMLS_CC) < 0 ||
 	    php_stream_xport_crypto_enable(net_stream, 1 TSRMLS_CC) < 0)
diff --git a/ext/mysqlnd/mysqlnd_structs.h b/ext/mysqlnd/mysqlnd_structs.h
index 170c977..f5d0b47 100644
--- a/ext/mysqlnd/mysqlnd_structs.h
+++ b/ext/mysqlnd/mysqlnd_structs.h
@@ -207,7 +207,13 @@ typedef struct st_mysqlnd_net_options
 	char		*ssl_capath;
 	char		*ssl_cipher;
 	char		*ssl_passphrase;
-	zend_bool	ssl_verify_peer;
+	enum mysqlnd_ssl_peer {
+		MYSQLND_SSL_PEER_DEFAULT = 0,
+		MYSQLND_SSL_PEER_VERIFY = 1,
+		MYSQLND_SSL_PEER_DONT_VERIFY = 2,
+
+#define MYSQLND_SSL_PEER_DEFAULT_ACTION  MYSQLND_SSL_PEER_VERIFY
+	} ssl_verify_peer;
 	uint64_t	flags;
 
 	char *		sha256_server_public_key;
@@ -219,6 +225,7 @@ typedef struct st_mysqlnd_net_options
 } MYSQLND_NET_OPTIONS;
 
 
+
 typedef struct st_mysqlnd_connection MYSQLND;
 typedef struct st_mysqlnd_connection_data MYSQLND_CONN_DATA;
 typedef struct st_mysqlnd_net	MYSQLND_NET;
Commit	Line	Data
a0d270c5 AM	1	commit 8292260515a904b4d515484145c78f33a06ae1ae
	2	Author: Andrey Hristov <andrey@php.net>
	3	Date: Wed Oct 21 15:10:24 2015 +0200
	4
	5	Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
	6
	7	diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt
	8	index 78540f1..349d6db 100644
	9	--- a/ext/mysqli/tests/bug51647.phpt
	10	+++ b/ext/mysqli/tests/bug51647.phpt
	11	@@ -65,9 +65,43 @@ $link->close();
	12	} else {
	13	if (!$row = $res->fetch_assoc())
	14	printf("[006] [%d] %s\n", $link->errno, $link->error);
	15	+ if (!strlen($row["Value"]))
	16	+ printf("[007] Empty cipher. No encrytion!");
18d0d716 AM	17	}
18d0d716 AM	18
a0d270c5 AM	19	var_dump($row);
	20	+ $link->close();
	21	+
	22	+ if (!is_object($link = mysqli_init()))
	23	+ printf("[008] Cannot create link\n");
	24	+
	25	+ if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL)) {
	26	+ printf("[009] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
	27	+ }
	28	+
	29	+ if (!$res = $link->query('SHOW STATUS like "Ssl_cipher"')) {
	30	+ if (1064 == $link->errno) {
	31	+ /* ERROR 1064 (42000): You have an error in your SQL syntax; = sql strict mode */
	32	+ if ($res = $link->query("SHOW STATUS")) {
	33	+ while ($row = $res->fetch_assoc())
	34	+ if ($row['Variable_name'] == 'Ssl_cipher')
	35	+ break;
	36	+ } else {
	37	+ printf("[010] [%d] %s\n", $link->errno, $link->error);
	38	+ }
	39	+ } else {
	40	+ printf("[011] [%d] %s\n", $link->errno, $link->error);
18d0d716	41	+ }
a0d270c5 AM	42	+ } else {
	43	+ if (!$row = $res->fetch_assoc())
	44	+ printf("[012] [%d] %s\n", $link->errno, $link->error);
	45	+ if (!strlen($row["Value"]))
	46	+ printf("[013] Empty cipher. No encrytion!");
18d0d716 AM	47	+ }
18d0d716 AM	48	+
a0d270c5 AM	49	+ var_dump($row);
	50	+
	51	+ $link->close();
	52
	53	print "done!";
	54	?>
	55	@@ -78,4 +112,10 @@ array(2) {
	56	["Value"]=>
	57	string(%d) "%S"
	58	}
	59	+array(2) {
	60	+ ["Variable_name"]=>
	61	+ string(10) "Ssl_cipher"
	62	+ ["Value"]=>
	63	+ string(%d) "%S"
	64	+}
	65	done!
	66	diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
	67	index 69f4b7a..4cbe9de 100644
	68	--- a/ext/mysqlnd/mysqlnd_net.c
	69	+++ b/ext/mysqlnd/mysqlnd_net.c
	70	@@ -901,6 +901,12 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
	71	zval verify_peer_zval;
	72	ZVAL_TRUE(&verify_peer_zval);
	73	php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
	74	+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
	75	+ } else {
	76	+ zval verify_peer_zval;
	77	+ ZVAL_FALSE(&verify_peer_zval);
	78	+ php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
	79	+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
	80	}
	81	if (net->data->options.ssl_cert) {
	82	zval cert_zval;
	83	@@ -918,7 +924,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
	84	if (net->data->options.ssl_capath) {
	85	zval capath_zval;
	86	ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
	87	- php_stream_context_set_option(context, "ssl", "cafile", &capath_zval);
	88	+ php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
	89	}
	90	if (net->data->options.ssl_passphrase) {
	91	zval passphrase_zval;
	92	commit afd31489d0d9999f701467e99ef2b40794eed196
	93	Author: Andrey Hristov <andrey@php.net>
	94	Date: Thu Oct 22 11:48:53 2015 +0200
	95
	96	Improve fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
18d0d716	97
a0d270c5 AM	98	diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
	99	index e028d60..198ed83 100644
	100	--- a/ext/mysqli/mysqli.c
	101	+++ b/ext/mysqli/mysqli.c
	102	@@ -715,6 +715,9 @@ PHP_MINIT_FUNCTION(mysqli)
	103	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_IGNORE_SPACE", CLIENT_IGNORE_SPACE, CONST_CS \| CONST_PERSISTENT);
	104	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_NO_SCHEMA", CLIENT_NO_SCHEMA, CONST_CS \| CONST_PERSISTENT);
	105	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS \| CONST_PERSISTENT);
	106	+#ifdef CLIENT_SSL_VERIFY_SERVER_CERT
	107	+ REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS \| CONST_PERSISTENT);
	108	+#endif
	109	#if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) \|\| defined(MYSQLI_USE_MYSQLND)
	110	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS \| CONST_PERSISTENT);
	111	REGISTER_LONG_CONSTANT("MYSQLI_OPT_CAN_HANDLE_EXPIRED_PASSWORDS", MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS \| CONST_PERSISTENT);
	112	diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt
	113	index dd0f769..1cb31cc 100644
	114	--- a/ext/mysqli/tests/mysqli_constants.phpt
	115	+++ b/ext/mysqli/tests/mysqli_constants.phpt
	116	@@ -136,6 +136,9 @@ require_once('skipifconnectfailure.inc');
	117	$expected_constants['MYSQLI_SERVER_QUERY_WAS_SLOW'] = true;
	118	}
	119
	120	+ if ($version >= 50033 \|\| $IS_MYSQLND) {
	121	+ $expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
	122	+ }
	123
	124	/* First introduced in MySQL 6.0, backported to MySQL 5.5 */
	125	if ($version >= 50606 \|\| $IS_MYSQLND) {
	126	diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
	127	index 4cbe9de..7b164ac 100644
	128	--- a/ext/mysqlnd/mysqlnd_net.c
	129	+++ b/ext/mysqlnd/mysqlnd_net.c
	130	@@ -897,14 +897,9 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
	131	ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
	132	php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
	133	}
	134	- if (net->data->options.ssl_verify_peer) {
	135	- zval verify_peer_zval;
	136	- ZVAL_TRUE(&verify_peer_zval);
	137	- php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
	138	- php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
	139	- } else {
	140	+ {
	141	zval verify_peer_zval;
	142	- ZVAL_FALSE(&verify_peer_zval);
	143	+ ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer);
	144	php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
	145	php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
	146	}
c48f22c4 AM	147	commit 6d51b7b2e3468601acdaaf9041c9131b5aa47f98
	148	Author: Andrey Hristov <andrey@php.net>
	149	Date: Tue Oct 27 12:59:09 2015 +0100
	150
	151	Another Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation
	152	Added the possibility to explicitly state that the peer certificate should not be checked.
	153	Back to the default - checking the certificate.
	154	Exported MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
	155	Usage : mysqli_real_connect( , , , , , MYSQLI_CLIENT_SSL \| MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)
	156
	157	If mysqli_ssl_set() is not called, but only MYSQLI_CLIENT_SSL is passed, without the (don't) very flag,
	158	then no verification takes place.
	159
	160	diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
	161	index 198ed83..5e40d19 100644
	162	--- a/ext/mysqli/mysqli.c
	163	+++ b/ext/mysqli/mysqli.c
	164	@@ -717,6 +717,9 @@ PHP_MINIT_FUNCTION(mysqli)
	165	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_FOUND_ROWS", CLIENT_FOUND_ROWS, CONST_CS \| CONST_PERSISTENT);
	166	#ifdef CLIENT_SSL_VERIFY_SERVER_CERT
	167	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT", CLIENT_SSL_VERIFY_SERVER_CERT, CONST_CS \| CONST_PERSISTENT);
	168	+#if defined(MYSQLI_USE_MYSQLND)
	169	+ REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT", CLIENT_SSL_DONT_VERIFY_SERVER_CERT, CONST_CS \| CONST_PERSISTENT);
	170	+#endif
	171	#endif
	172	#if (MYSQL_VERSION_ID >= 50611 && defined(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)) \|\| defined(MYSQLI_USE_MYSQLND)
	173	REGISTER_LONG_CONSTANT("MYSQLI_CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS", CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, CONST_CS \| CONST_PERSISTENT);
	174	diff --git a/ext/mysqli/tests/bug51647.phpt b/ext/mysqli/tests/bug51647.phpt
	175	index 349d6db..7385538 100644
	176	--- a/ext/mysqli/tests/bug51647.phpt
	177	+++ b/ext/mysqli/tests/bug51647.phpt
	178	@@ -41,11 +41,7 @@ $link->close();
	179	if (!is_object($link = mysqli_init()))
	180	printf("[001] Cannot create link\n");
	181
	182	- $path_to_pems = !$IS_MYSQLND? "ext/mysqli/tests/" : "";
	183	- if (!$link->ssl_set("{$path_to_pems}client-key.pem", "{$path_to_pems}client-cert.pem", "{$path_to_pems}cacert.pem","",""))
	184	- printf("[002] [%d] %s\n", $link->errno, $link->error);
	185	-
	186	- if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket)) {
	187	+ if (!my_mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, MYSQLI_CLIENT_SSL \| MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)) {
	188	printf("[003] Connect failed, [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
	189	}
	190
	191	@@ -67,9 +63,9 @@ $link->close();
	192	printf("[006] [%d] %s\n", $link->errno, $link->error);
	193	if (!strlen($row["Value"]))
	194	printf("[007] Empty cipher. No encrytion!");
	195	+ var_dump($row);
	196	}
	197
	198	- var_dump($row);
	199	$link->close();
	200
	201	if (!is_object($link = mysqli_init()))
	202	@@ -97,10 +93,9 @@ $link->close();
	203	printf("[012] [%d] %s\n", $link->errno, $link->error);
	204	if (!strlen($row["Value"]))
	205	printf("[013] Empty cipher. No encrytion!");
	206	+ var_dump($row);
	207	}
	208
	209	- var_dump($row);
	210	-
211	$link->close();
212
213	print "done!";
214	diff --git a/ext/mysqli/tests/bug55283.phpt b/ext/mysqli/tests/bug55283.phpt
215	index d03daae..a10c604 100644
216	--- a/ext/mysqli/tests/bug55283.phpt
217	+++ b/ext/mysqli/tests/bug55283.phpt
218	@@ -40,7 +40,7 @@ $link->close();
219	$db1 = new mysqli();
220
221
222	- $flags = MYSQLI_CLIENT_SSL;
223	+ $flags = MYSQLI_CLIENT_SSL \| MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
224
225	$link = mysqli_init();
226	mysqli_ssl_set($link, null, null, null, null, "RC4-MD5");
227	diff --git a/ext/mysqli/tests/connect.inc b/ext/mysqli/tests/connect.inc
228	index 67ce60a..606d1d3 100644
229	--- a/ext/mysqli/tests/connect.inc
230	+++ b/ext/mysqli/tests/connect.inc
231	@@ -9,7 +9,7 @@
232	$driver = new mysqli_driver;
233
234	$host = getenv("MYSQL_TEST_HOST") ? getenv("MYSQL_TEST_HOST") : "127.0.0.1";
235	- $port = getenv("MYSQL_TEST_PORT") ? getenv("MYSQL_TEST_PORT") : 3308;
236	+ $port = getenv("MYSQL_TEST_PORT") ? getenv("MYSQL_TEST_PORT") : 3306;
237	$user = getenv("MYSQL_TEST_USER") ? getenv("MYSQL_TEST_USER") : "root";
238	$passwd = getenv("MYSQL_TEST_PASSWD") ? getenv("MYSQL_TEST_PASSWD") : "";
239	$db = getenv("MYSQL_TEST_DB") ? getenv("MYSQL_TEST_DB") : "test";
240	@@ -87,9 +87,8 @@
241	function my_mysqli_connect($host, $user, $passwd, $db, $port, $socket, $enable_env_flags = true) {
242	global $connect_flags;
243
244	- $flags = ($enable_env_flags) ? $connect_flags : false;
245	-
246	- if ($flags !== false) {
247	+ $flags = $enable_env_flags? $connect_flags:0;
248	+ if ($flags !== 0) {
249	$link = mysqli_init();
250	if (!mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, $flags))
251	$link = false;
252	@@ -109,7 +108,7 @@
253	global $connect_flags;
254
255	if ($enable_env_flags)
256	- $flags & $connect_flags;
257	+ $flags = $flags \| $connect_flags;
258
259	return mysqli_real_connect($link, $host, $user, $passwd, $db, $port, $socket, $flags);
260	}
261	@@ -118,7 +117,7 @@
262	public function __construct($host, $user, $passwd, $db, $port, $socket, $enable_env_flags = true) {
263	global $connect_flags;
264
265	- $flags = ($enable_env_flags) ? $connect_flags : false;
266	+ $flags = ($enable_env_flags) ? $connect_flags : 0;
267
268	if ($flags !== false) {
269	parent::init();
270	diff --git a/ext/mysqli/tests/mysqli_constants.phpt b/ext/mysqli/tests/mysqli_constants.phpt
271	index 1cb31cc..cc5fa9f 100644
272	--- a/ext/mysqli/tests/mysqli_constants.phpt
273	+++ b/ext/mysqli/tests/mysqli_constants.phpt
274	@@ -139,6 +139,9 @@ require_once('skipifconnectfailure.inc');
275	if ($version >= 50033 \|\| $IS_MYSQLND) {
276	$expected_constants['MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT'] = true;
277	}
278	+ if ($IS_MYSQLND) {
279	+ $expected_constants['MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT'] = true;
280	+ }
281
282	/* First introduced in MySQL 6.0, backported to MySQL 5.5 */
283	if ($version >= 50606 \|\| $IS_MYSQLND) {
284	diff --git a/ext/mysqlnd/mysqlnd.c b/ext/mysqlnd/mysqlnd.c
285	index f008986..94a3149 100644
286	--- a/ext/mysqlnd/mysqlnd.c
287	+++ b/ext/mysqlnd/mysqlnd.c
288	@@ -472,6 +472,7 @@ mysqlnd_switch_to_ssl_if_needed(
289	DBG_INF_FMT("CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA= %d", mysql_flags & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA? 1:0);
290	DBG_INF_FMT("CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS= %d", mysql_flags & CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS? 1:0);
291	DBG_INF_FMT("CLIENT_SESSION_TRACK= %d", mysql_flags & CLIENT_SESSION_TRACK? 1:0);
292	+ DBG_INF_FMT("CLIENT_SSL_DONT_VERIFY_SERVER_CERT= %d", mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT? 1:0);
293	DBG_INF_FMT("CLIENT_SSL_VERIFY_SERVER_CERT= %d", mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? 1:0);
294	DBG_INF_FMT("CLIENT_REMEMBER_OPTIONS= %d", mysql_flags & CLIENT_REMEMBER_OPTIONS? 1:0);
295
296	@@ -495,7 +496,11 @@ mysqlnd_switch_to_ssl_if_needed(
297	if (server_has_ssl == FALSE) {
298	goto close_conn;
299	} else {
300	- zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? TRUE:FALSE;
301	+ enum mysqlnd_ssl_peer verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT?
302	+ MYSQLND_SSL_PEER_VERIFY:
303	+ (mysql_flags & CLIENT_SSL_DONT_VERIFY_SERVER_CERT?
304	+ MYSQLND_SSL_PEER_DONT_VERIFY:
305	+ MYSQLND_SSL_PEER_DEFAULT);
306	DBG_INF("Switching to SSL");
307	if (!PACKET_WRITE(auth_packet, conn)) {
308	goto close_conn;
309	diff --git a/ext/mysqlnd/mysqlnd_enum_n_def.h b/ext/mysqlnd/mysqlnd_enum_n_def.h
310	index c1ede7e..9e29da2 100644
311	--- a/ext/mysqlnd/mysqlnd_enum_n_def.h
312	+++ b/ext/mysqlnd/mysqlnd_enum_n_def.h
313	@@ -101,6 +101,10 @@
314	#define CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA (1UL << 21) /* Enable authentication response packet to be larger than 255 bytes. */
315	#define CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS (1UL << 22) /* Don't close the connection for a connection with expired password. */
316	#define CLIENT_SESSION_TRACK (1UL << 23) /* Extended OK */
317	+/*
318	+ This is a mysqlnd extension. CLIENT_ODBC is not used anyway. We will reuse it for our case and translate it to not using SSL peer verification
319	+*/
320	+#define CLIENT_SSL_DONT_VERIFY_SERVER_CERT CLIENT_ODBC
321	#define CLIENT_SSL_VERIFY_SERVER_CERT (1UL << 30)
322	#define CLIENT_REMEMBER_OPTIONS (1UL << 31)
323
324	diff --git a/ext/mysqlnd/mysqlnd_net.c b/ext/mysqlnd/mysqlnd_net.c
325	index 7b164ac..3e8d099 100644
326	--- a/ext/mysqlnd/mysqlnd_net.c
327	+++ b/ext/mysqlnd/mysqlnd_net.c
328	@@ -798,8 +798,27 @@ MYSQLND_METHOD(mysqlnd_net, set_client_option)(MYSQLND_NET * const net, enum mys
329	break;
330	}
331	case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
332	- net->data->options.ssl_verify_peer = value? (((zend_bool )value)? TRUE:FALSE): FALSE;
333	+ {
334	+ enum mysqlnd_ssl_peer val = ((enum mysqlnd_ssl_peer )value);
335	+ switch (val) {
336	+ case MYSQLND_SSL_PEER_VERIFY:
337	+ DBG_INF("MYSQLND_SSL_PEER_VERIFY");
338	+ break;
339	+ case MYSQLND_SSL_PEER_DONT_VERIFY:
340	+ DBG_INF("MYSQLND_SSL_PEER_DONT_VERIFY");
341	+ break;
342	+ case MYSQLND_SSL_PEER_DEFAULT:
343	+ DBG_INF("MYSQLND_SSL_PEER_DEFAULT");
344	+ val = MYSQLND_SSL_PEER_DEFAULT;
345	+ break;
346	+ default:
347	+ DBG_INF("default = MYSQLND_SSL_PEER_DEFAULT_ACTION");
348	+ val = MYSQLND_SSL_PEER_DEFAULT;
349	+ break;
350	+ }
351	+ net->data->options.ssl_verify_peer = val;
352	break;
353	+ }
354	case MYSQL_OPT_READ_TIMEOUT:
355	net->data->options.timeout_read = (unsigned int) value;
356	break;
357	@@ -886,6 +905,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
358	#ifdef MYSQLND_SSL_SUPPORTED
359	php_stream_context * context = php_stream_context_alloc(TSRMLS_C);
360	php_stream * net_stream = net->data->m.get_stream(net TSRMLS_CC);
361	+ zend_bool any_flag = FALSE;
362
363	DBG_ENTER("mysqlnd_net::enable_ssl");
364	if (!context) {
365	@@ -896,12 +916,7 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
366	zval key_zval;
367	ZVAL_STRING(&key_zval, net->data->options.ssl_key, 0);
368	php_stream_context_set_option(context, "ssl", "local_pk", &key_zval);
369	- }
370	- {
371	- zval verify_peer_zval;
372	- ZVAL_BOOL(&verify_peer_zval, net->data->options.ssl_verify_peer);
373	- php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
374	- php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
375	+ any_flag = TRUE;
376	}
377	if (net->data->options.ssl_cert) {
378	zval cert_zval;
379	@@ -910,27 +925,48 @@ MYSQLND_METHOD(mysqlnd_net, enable_ssl)(MYSQLND_NET * const net TSRMLS_DC)
380	if (!net->data->options.ssl_key) {
381	php_stream_context_set_option(context, "ssl", "local_pk", &cert_zval);
382	}
383	+ any_flag = TRUE;
384	}
385	if (net->data->options.ssl_ca) {
386	zval cafile_zval;
387	ZVAL_STRING(&cafile_zval, net->data->options.ssl_ca, 0);
388	php_stream_context_set_option(context, "ssl", "cafile", &cafile_zval);
389	+ any_flag = TRUE;
390	}
391	if (net->data->options.ssl_capath) {
392	zval capath_zval;
393	ZVAL_STRING(&capath_zval, net->data->options.ssl_capath, 0);
394	php_stream_context_set_option(context, "ssl", "capath", &capath_zval);
395	+ any_flag = TRUE;
396	}
397	if (net->data->options.ssl_passphrase) {
398	zval passphrase_zval;
399	ZVAL_STRING(&passphrase_zval, net->data->options.ssl_passphrase, 0);
400	php_stream_context_set_option(context, "ssl", "passphrase", &passphrase_zval);
401	+ any_flag = TRUE;
402	}
403	if (net->data->options.ssl_cipher) {
404	zval cipher_zval;
405	ZVAL_STRING(&cipher_zval, net->data->options.ssl_cipher, 0);
406	php_stream_context_set_option(context, "ssl", "ciphers", &cipher_zval);
407	+ any_flag = TRUE;
408	+ }
409	+ {
410	+ zval verify_peer_zval;
411	+ zend_bool verify;
412	+
413	+ if (net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_DEFAULT) {
414	+ net->data->options.ssl_verify_peer = any_flag? MYSQLND_SSL_PEER_DEFAULT_ACTION:MYSQLND_SSL_PEER_DONT_VERIFY;
415	+ }
416	+
417	+ verify = net->data->options.ssl_verify_peer == MYSQLND_SSL_PEER_VERIFY? TRUE:FALSE;
418	+
419	+ DBG_INF_FMT("VERIFY=%d", verify);
420	+ ZVAL_BOOL(&verify_peer_zval, verify);
421	+ php_stream_context_set_option(context, "ssl", "verify_peer", &verify_peer_zval);
422	+ php_stream_context_set_option(context, "ssl", "verify_peer_name", &verify_peer_zval);
423	}
424	+
425	php_stream_context_set(net_stream, context);
426	if (php_stream_xport_crypto_setup(net_stream, STREAM_CRYPTO_METHOD_TLS_CLIENT, NULL TSRMLS_CC) < 0 \|\|
427	php_stream_xport_crypto_enable(net_stream, 1 TSRMLS_CC) < 0)
428	diff --git a/ext/mysqlnd/mysqlnd_structs.h b/ext/mysqlnd/mysqlnd_structs.h
429	index 170c977..f5d0b47 100644
430	--- a/ext/mysqlnd/mysqlnd_structs.h
431	+++ b/ext/mysqlnd/mysqlnd_structs.h
432	@@ -207,7 +207,13 @@ typedef struct st_mysqlnd_net_options
433	char *ssl_capath;
434	char *ssl_cipher;
435	char *ssl_passphrase;
436	- zend_bool ssl_verify_peer;
437	+ enum mysqlnd_ssl_peer {
438	+ MYSQLND_SSL_PEER_DEFAULT = 0,
439	+ MYSQLND_SSL_PEER_VERIFY = 1,
440	+ MYSQLND_SSL_PEER_DONT_VERIFY = 2,
441	+
442	+#define MYSQLND_SSL_PEER_DEFAULT_ACTION MYSQLND_SSL_PEER_VERIFY
443	+ } ssl_verify_peer;
444	uint64_t flags;
445
446	char * sha256_server_public_key;
447	@@ -219,6 +225,7 @@ typedef struct st_mysqlnd_net_options
448	} MYSQLND_NET_OPTIONS;
449
450
451	+
452	typedef struct st_mysqlnd_connection MYSQLND;
453	typedef struct st_mysqlnd_connection_data MYSQLND_CONN_DATA;
454	typedef struct st_mysqlnd_net MYSQLND_NET;