Diffstat (limited to 'ext/openssl/tests')
-rw-r--r--ext/openssl/tests/bug46127.phpt5
-rw-r--r--ext/openssl/tests/bug48182.phpt10
-rw-r--r--ext/openssl/tests/openssl_peer_fingerprint.phpt4
-rw-r--r--ext/openssl/tests/peer_verification.phpt56
-rw-r--r--ext/openssl/tests/sni_001.phpt1
-rw-r--r--ext/openssl/tests/streams_crypto_method.phpt1
6 files changed, 71 insertions, 6 deletions
diff --git a/ext/openssl/tests/bug46127.phpt b/ext/openssl/tests/bug46127.phpt
index a3bfd3a012..1de4eacd01 100644
--- a/ext/openssl/tests/bug46127.phpt
+++ b/ext/openssl/tests/bug46127.phpt
@@ -45,7 +45,10 @@ if ($pid == 0) { // child
// client or failed
sleep(1);
-$sock = fsockopen('ssl://127.0.0.1', $port, $errno, $errstr);
+$ctx = stream_context_create(['ssl' => [
+ 'verify_peer' => false
+]]);
+$sock = stream_socket_client("ssl://127.0.0.1:{$port}", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx);
if (!$sock) exit;
echo fgets($sock);
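Review bot: The added `'verify_peer' => false` in the client context has no comment saying why certificate verification is switched off, and the same bare opt-out is added in sni_001.phpt (`context()`) and streams_crypto_method.phpt (`client()`). Test files are often read as usage examples, so I would put a one-line comment above each, for example `// verify_peer disabled deliberately: this test targets <behaviour under test>, not certificate validation`. If a CA file exists for the certificate this test serves, passing `cafile` and `CN_match` as bug48182.phpt now does would keep verification exercised instead; whether one exists is not visible from this hunk. The enclosing `if ($pid == 0)` block starts and ends outside the hunk.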
diff --git a/ext/openssl/tests/bug48182.phpt b/ext/openssl/tests/bug48182.phpt
index 146c4c9226..b78ce57074 100644
--- a/ext/openssl/tests/bug48182.phpt
+++ b/ext/openssl/tests/bug48182.phpt
@@ -13,8 +13,7 @@ function ssl_server($port) {
$host = 'ssl://127.0.0.1'.':'.$port;
$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
$data = "Sending bug48182\n";
-
- $pem = dirname(__FILE__) . '/bug46127.pem';
+ $pem = dirname(__FILE__) . '/bug54992.pem';
$ssl_params = array( 'verify_peer' => false, 'allow_self_signed' => true, 'local_cert' => $pem);
$ssl = array('ssl' => $ssl_params);
@@ -47,8 +46,11 @@ function ssl_async_client($port) {
$host = 'ssl://127.0.0.1'.':'.$port;
$flags = STREAM_CLIENT_CONNECT | STREAM_CLIENT_ASYNC_CONNECT;
$data = "Sending data over to SSL server in async mode with contents like Hello World\n";
-
- $socket = stream_socket_client($host, $errno, $errstr, 10, $flags);
+ $context = stream_context_create(array('ssl' => array(
+ 'cafile' => dirname(__FILE__) . '/bug54992-ca.pem',
+ 'CN_match' => 'bug54992.local'
+ )));
+ $socket = stream_socket_client($host, $errno, $errstr, 10, $flags, $context);
stream_set_blocking($socket, 0);
while ($socket && $data) {
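Review bot: The new client context in `ssl_async_client` sets `cafile` and `CN_match` but leaves `verify_peer` to the default, so the test checks the certificate chain only on builds where verification is on by default. Adding `'verify_peer' => true,` to the array states the intent and keeps the test meaningful if the default or an ini override differs. Separately, `stream_set_blocking($socket, 0)` on the following context line runs before `$socket` is tested, so a rejected connection would presumably surface as a warning on that call rather than a clear failure. The function body continues outside the hunk.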
diff --git a/ext/openssl/tests/openssl_peer_fingerprint.phpt b/ext/openssl/tests/openssl_peer_fingerprint.phpt
index 2960dffae5..2e4c192c03 100644
--- a/ext/openssl/tests/openssl_peer_fingerprint.phpt
+++ b/ext/openssl/tests/openssl_peer_fingerprint.phpt
@@ -24,6 +24,7 @@ if ($pid == -1) {
'verify_peer' => true,
'cafile' => __DIR__ . '/bug54992-ca.pem',
'capture_peer_cert' => true,
+ 'CN_match' => 'bug54992.local',
'peer_fingerprint' => '81cafc260aa8d82956ebc6212a362ece',
)
)
@@ -38,6 +39,7 @@ if ($pid == -1) {
'verify_peer' => true,
'cafile' => __DIR__ . '/bug54992-ca.pem',
'capture_peer_cert' => true,
+ 'CN_match' => 'bug54992.local',
'peer_fingerprint' => array(
'sha256' => '78ea579f2c3b439359dec5dac9d445108772927427c4780037e87df3799a0aa0',
),
@@ -59,4 +61,4 @@ Warning: stream_socket_client(): Failed to enable crypto in %s on line %d
Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d
bool(false)
-resource(9) of type (stream)
+resource(%d) of type (stream)
diff --git a/ext/openssl/tests/peer_verification.phpt b/ext/openssl/tests/peer_verification.phpt
new file mode 100644
index 0000000000..7c3347fd65
--- /dev/null
+++ b/ext/openssl/tests/peer_verification.phpt
@@ -0,0 +1,56 @@
+--TEST--
+Peer verification enabled for client streams
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(['ssl' => [
+ 'local_cert' => __DIR__ . '/bug54992.pem',
+ 'allow_self_signed' => true
+]]);
+$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+ die('could not fork');
+} else if ($pid) {
+ // Expected to fail -- no CA File present
+ var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT));
+
+ // Expected to fail -- no CA File present
+ $ctx = stream_context_create(['ssl' => ['verify_peer' => true]]);
+ var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+ // Should succeed with peer verification disabled in context
+ $ctx = stream_context_create(['ssl' => ['verify_peer' => false]]);
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+ // Should succeed with CA file specified in context
+ $ctx = stream_context_create(['ssl' => [
+ 'cafile' => __DIR__ . '/bug54992-ca.pem',
+ 'CN_match' => 'bug54992.local',
+ ]]);
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+ // Should succeed with globally available CA file specified via php.ini
+ $cafile = __DIR__ . '/bug54992-ca.pem';
+ ini_set('openssl.cafile', $cafile);
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+} else {
+ @pcntl_wait($status);
+ @stream_socket_accept($server, 3);
+ @stream_socket_accept($server, 3);
+ @stream_socket_accept($server, 3);
+ @stream_socket_accept($server, 3);
+ @stream_socket_accept($server, 3);
+}
+--EXPECTF--
+bool(false)
+bool(false)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
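Review bot: The last case, commented "Should succeed with globally available CA file specified via php.ini", reuses the `$ctx` built for the previous case, which still carries `cafile` and `CN_match`, so the connection would succeed even if `openssl.cafile` were ignored. To exercise the ini path, build a fresh context without `cafile` before that call, e.g. `$ctx = stream_context_create(['ssl' => ['CN_match' => 'bug54992.local']]);`. The two "Expected to fail" cases also depend on the environment having no default CA bundle that trusts this certificate, which seems safe for a private test CA but is worth stating in the comment. The result of `stream_socket_server()` is not checked either, so a bind failure on the fixed port 64321 would show up only as mismatched output.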
diff --git a/ext/openssl/tests/sni_001.phpt b/ext/openssl/tests/sni_001.phpt
index 3d7798cf85..2f76a9f918 100644
--- a/ext/openssl/tests/sni_001.phpt
+++ b/ext/openssl/tests/sni_001.phpt
@@ -24,6 +24,7 @@ function context() {
return stream_context_create(array(
'ssl' => array(
'capture_peer_cert' => true,
+ 'verify_peer' => false
),
));
}
diff --git a/ext/openssl/tests/streams_crypto_method.phpt b/ext/openssl/tests/streams_crypto_method.phpt
index 97a6e9ee8b..981f56b399 100644
--- a/ext/openssl/tests/streams_crypto_method.phpt
+++ b/ext/openssl/tests/streams_crypto_method.phpt
@@ -10,6 +10,7 @@ if (!extension_loaded('pcntl')) die('skip, pcntl required');
function client($port, $method) {
$ctx = stream_context_create();
stream_context_set_option($ctx, 'ssl', 'crypto_method', $method);
+ stream_context_set_option($ctx, 'ssl', 'verify_peer', false);
$fp = @fopen('https://127.0.0.1:' . $port . '/', 'r', false, $ctx);
if ($fp) {