Add support for stream context options with connectors

DaveRandom · DaveRandom · commit eafa57468205 · 2014-09-11T10:22:50.000+01:00
diff --git a/src/Connector.php b/src/Connector.php
@@ -12,32 +12,69 @@ class Connector implements ConnectorInterface
 {
     private $loop;
     private $resolver;
+    private $peerNameCtxKey;
 
     public function __construct(LoopInterface $loop, Resolver $resolver)
     {
         $this->loop = $loop;
         $this->resolver = $resolver;
+        $this->peerNameCtxKey = PHP_VERSION_ID < 50600 ? 'CN_match' : 'peer_name';
     }
 
-    public function create($host, $port)
+    /**
+     * We need to set various context options related to the expected SSL certificate name here even though we
+     * don't know whether we are creating an SSL connection or not, for compatibility with PHP<5.6.
+     *
+     * We don't specifically enable verify_peer or verify_peer_name here because these may require additional
+     * options such as specifying a cafile etc, which means the user will need to do this manually.
+     *
+     * @param array  $contextOpts
+     * @param string $host
+     * @return array
+     */
+    private function normalizeSSLContextOptions(array $contextOpts, $host)
+    {
+        // Allow the user to override the certificate peer name with the context option, unless it's a wildcard
+        if (isset($contextOpts['ssl']['peer_name']) && false === strpos($contextOpts['ssl']['peer_name'], '*')) {
+            $host = $contextOpts['ssl']['peer_name'];
+        } else if ($contextOpts['ssl']['CN_match'] && false === strpos($contextOpts['ssl']['CN_match'], '*')) {
+            $host = $contextOpts['ssl']['CN_match'];
+        }
+
+        // Make sure that SNI requests the correct certificate name
+        if (!isset($contextOpts['ssl']['SNI_enabled'])
+            || $contextOpts['ssl']['SNI_enabled'] && !isset($contextOpts['ssl']['SNI_server_name'])) {
+            $contextOpts['ssl']['SNI_enabled'] = true;
+            $contextOpts['ssl']['SNI_server_name'] = $host;
+        }
+
+        // Make sure PHP verifies the certificate name against the requested name
+        if (!isset($contextOpts['ssl'][$this->peerNameCtxKey])) {
+            $contextOpts['ssl'][$this->peerNameCtxKey] = $host;
+        }
+
+        // Disable TLS compression by default
+        if (!isset($contextOpts['ssl']['disable_compression'])) {
+            $contextOpts['ssl']['disable_compression'] = true;
+        }
+
+        return $contextOpts;
+    }
+
+    public function create($host, $port, array $contextOpts = [])
     {
         return $this
             ->resolveHostname($host)
-            ->then(function ($address) use ($port, $host) {
-                return $this->createSocketForAddress($address, $port, $host);
+            ->then(function ($address) use ($port, $host, $contextOpts) {
+                $contextOpts = $this->normalizeSSLContextOptions($contextOpts, $host);
+                return $this->createSocketForAddress($address, $port, $contextOpts);
             });
     }
 
-    public function createSocketForAddress($address, $port, $hostName = null)
+    public function createSocketForAddress($address, $port, array $contextOpts = [])
     {
         $url = $this->getSocketUrl($address, $port);
 
-        $contextOpts = array();
-        if ($hostName !== null) {
-            $contextOpts['ssl']['SNI_enabled'] = true;
-            $contextOpts['ssl']['SNI_server_name'] = $hostName;
-        }
-
         $flags = STREAM_CLIENT_CONNECT | STREAM_CLIENT_ASYNC_CONNECT;
         $context = stream_context_create($contextOpts);
         $socket = stream_socket_client($url, $errno, $errstr, 0, $flags, $context);
diff --git a/src/ConnectorInterface.php b/src/ConnectorInterface.php
@@ -4,5 +4,5 @@
 
 interface ConnectorInterface
 {
-    public function create($host, $port);
+    public function create($host, $port, array $contextOpts = []);
 }
diff --git a/src/SecureConnector.php b/src/SecureConnector.php
@@ -16,9 +16,9 @@ public function __construct(ConnectorInterface $connector, LoopInterface $loop)
         $this->streamEncryption = new StreamEncryption($loop);
     }
 
-    public function create($host, $port)
+    public function create($host, $port, array $contextOpts = [])
     {
-        return $this->connector->create($host, $port)->then(function (Stream $stream) {
+        return $this->connector->create($host, $port, $contextOpts)->then(function (Stream $stream) {
             // (unencrypted) connection succeeded => try to enable encryption
             return $this->streamEncryption->enable($stream)->then(null, function ($error) use ($stream) {
                 // establishing encryption failed => close invalid connection and return error

Original file line number	Diff line number	Diff line change
`@@ -4,5 +4,5 @@`
`4`	`4`
`5`	`5`	`interface ConnectorInterface`
`6`	`6`	`{`
`7`		`- public function create($host, $port);`
	`7`	`+ public function create($host, $port, array $contextOpts = []);`
`8`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,9 +16,9 @@ public function __construct(ConnectorInterface $connector, LoopInterface $loop)`
`16`	`16`	`$this->streamEncryption = new StreamEncryption($loop);`
`17`	`17`	`}`
`18`	`18`
`19`		`- public function create($host, $port)`
	`19`	`+ public function create($host, $port, array $contextOpts = [])`
`20`	`20`	`{`
`21`		`- return $this->connector->create($host, $port)->then(function (Stream $stream) {`
	`21`	`+ return $this->connector->create($host, $port, $contextOpts)->then(function (Stream $stream) {`
`22`	`22`	`// (unencrypted) connection succeeded => try to enable encryption`
`23`	`23`	`return $this->streamEncryption->enable($stream)->then(null, function ($error) use ($stream) {`
`24`	`24`	`// establishing encryption failed => close invalid connection and return error`