TLS: Only use the server_name extension during server hello (#62)

adamziel · web-flow · commit 0f6639981416 · 2025-02-27T10:02:59.000+01:00
PHP 8.4 drops support for many TLS extensions advertised by our TLS
proxy. Only the server_name extension seems to be supported (and
required).

This PR drops the other extensions. Turns out TLS proxy still works
without them all the way down to PHP 7.2.

 ## Testing instructions

Confirm the E2E tests still pass, especially the ones related to
networking and testing the plugins directory in wp-admin.
diff --git a/packages/php-wasm/web/src/lib/tls/1_2/connection.ts b/packages/php-wasm/web/src/lib/tls/1_2/connection.ts
@@ -1,8 +1,6 @@
 import { ServerNameExtension } from '../extensions/0_server_name';
 import { CipherSuitesNames } from '../cipher-suites';
 import { CipherSuites } from '../cipher-suites';
-import { SupportedGroupsExtension } from '../extensions/10_supported_groups';
-import { ECPointFormatsExtension } from '../extensions/11_ec_point_formats';
 import { parseClientHelloExtensions } from '../extensions/parse-extensions';
 import {
 	ArrayBufferReader,
@@ -14,7 +12,6 @@ import {
 import {
 	HashAlgorithms,
 	SignatureAlgorithms,
-	SignatureAlgorithmsExtension,
 } from '../extensions/13_signature_algorithms';
 import { tls12Prf } from './prf';
 import {
@@ -1171,19 +1168,6 @@ class MessageEncoder {
 						 * Source: dfile:///Users/cloudnik/Library/Application%20Support/Dash/User%20Contributed/RFCs/RFCs.docset/Contents/Resources/Documents/rfc6066.html#section-3
 						 */
 						return ServerNameExtension.encodeForClient();
-					case 'supported_groups':
-						return SupportedGroupsExtension.encodeForClient(
-							'secp256r1'
-						);
-					case 'ec_point_formats':
-						return ECPointFormatsExtension.encodeForClient(
-							'uncompressed'
-						);
-					case 'signature_algorithms':
-						return SignatureAlgorithmsExtension.encodeforClient(
-							'sha256',
-							'rsa'
-						);
 				}
 				return undefined;
 			})
diff --git a/packages/php-wasm/web/src/lib/tls/extensions/13_signature_algorithms.ts b/packages/php-wasm/web/src/lib/tls/extensions/13_signature_algorithms.ts
@@ -76,7 +76,8 @@ export class SignatureAlgorithmsExtension {
 			const hash = reader.readUint8();
 			const algorithm = reader.readUint8();
 			if (!SignatureAlgorithmsNames[algorithm]) {
-				logger.warn(`Unknown signature algorithm: ${algorithm}`);
+				// Unknown signature algorithm. It's fine, the client just supports
+				// more algorithms than the server.
 				continue;
 			}
 			if (!HashAlgorithmsNames[hash]) {
