ext/curl: Add CURLOPT_SSL_SIGNATURE_ALGORITHMS option
#18692
Conversation
ext/curl/curl.stub.php
Outdated
| * @var int | ||
| * @cvalue CURLOPT_SSL_SIGNATURE_ALGORITHMS | ||
| */ | ||
| const CURLOPT_SSL_SIGNATURE_ALGORITHMS = UNKNOWN; |
There was a problem hiding this comment.
NIT: Might be nicer to add next to other SSL constant - probs somewhere around CURLE_SSL_PEER_CERTIFICATE
There was a problem hiding this comment.
Makes sense, thank you. I moved this next to CURLOPT_SSL_EC_CURVES, I think it fits pretty well now.
| $curl_version = curl_version(); | ||
| if ($curl_version['version_number'] < 0x080e00) die("skip: test works only with curl >= 8.14.0"); | ||
|
|
||
| include 'skipif-nocaddy.inc'; |
There was a problem hiding this comment.
hmm, this might change things in terms of setting up caddy for windows... I guess it's better than openssl s_server but even better solution would be to use openssl client server test like we use for some http stream tests: for example https://github.com/php/php-src/blob/master/ext/standard/tests/http/ghsa-hgf5-96fm-v528-001.phpt . Then it would work on windows too.
There was a problem hiding this comment.
I remember you also commented on #16093 that the whole Caddy server setup on Windows isn't worth it.
Right now, even on Linux builds, we barely test any of the recent Curl stuff because on GitHub Actions, the Curl version is Curl 8.5 or 8.6 while Windows has 8.12.0 or so at the moment. So having these tests run on Windows will be really nice. I'm not really that familiar with OpenSSL s_server/client features, so I could use any help, or take some time to test things around. I have a Windows machine to test things, I'll try what I can :)
That said, I wonder if we really need these tests. We can test if setting a sig-alg works, setting null clears it, check if all the constants exist, etc. But beyond that, we are merely testing Curl's functionality itself. Curl surely has tests for all the variations we can think about, including various TLS backends, so perhaps we can simplify the test to see if the constants exist and if curl_setopt works. We skip the curl_exec part because once we set the options, it's Curl's job to do the actual signature negotiations. What do you think?
| var_dump(curl_setopt($ch, CURLOPT_SSL_SIGNATURE_ALGORITHMS, 'invalid-value')); | ||
| var_dump(curl_exec($ch)); | ||
|
|
||
| var_dump(curl_setopt($ch, CURLOPT_SSL_SIGNATURE_ALGORITHMS, null)); |
There was a problem hiding this comment.
it might be nice to also test some working signature algorithm...
There was a problem hiding this comment.
You are right @bukka it could use a positive test path. Thank you.
I added ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ed25519 that should cover all modern cipher-suits and should be future-proof enough.
Ayesh
force-pushed
the
curl/CURLOPT_SSL_SIGNATURE_ALGORITHMS
branch
3 times, most recently
from
d4404c6 to
70596d6
Compare
Adds support for `CURLOPT_SSL_SIGNATURE_ALGORITHMS`[^1], supported since Curl version 8.14.0. [^1]: https://curl.se/libcurl/c/CURLOPT_SSL_SIGNATURE_ALGORITHMS.html
Ayesh
force-pushed
the
curl/CURLOPT_SSL_SIGNATURE_ALGORITHMS
branch
from
70596d6 to
ce0ddf5
Compare
Adds support for
CURLOPT_SSL_SIGNATURE_ALGORITHMS1, supported since Curl version 8.14.0.Footnotes
https://curl.se/libcurl/c/CURLOPT_SSL_SIGNATURE_ALGORITHMS.html ↩