NotificationsYou must be signed in to change notification settings
Fork9.7k
Star30.8k

Commitbd38bbd

committed

[HttpClient] Add optioncrypto_method to set the minimum TLS version and make it default to TLSv1.2

1 parent6222f8e commitbd38bbdCopy full SHA for bd38bbd

File tree

10 files changed

+53

-4

lines changed

UPGRADE-6.3.md
src/Symfony
- Bundle/FrameworkBundle/DependencyInjection
  - Configuration.php
- Component/HttpClient
- Contracts
  - CHANGELOG.md
  - HttpClient
    - HttpClientInterface.php

10 files changed

+53

-4

lines changed

`‎UPGRADE-6.3.md‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,8 @@ FrameworkBundle`
`68`	`68`	`HttpClient`
`69`	`69`	`----------`
`70`	`70`
	`71`	+* The minimum TLS version now defaults to TLSv1.2; use the`crypto_method`
	`72`	`+ option if you need to connect to servers that don't support it`
`71`	`73`	* The default user agents have been renamed from`Symfony HttpClient/Amp`,`Symfony HttpClient/Curl`
`72`	`74`	and`Symfony HttpClient/Native` to`Symfony HttpClient (Amp)`,`Symfony HttpClient (Curl)`
`73`	`75`	and`Symfony HttpClient (Native)` respectively to comply with the RFC 9110 specification

`‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php‎`

Lines changed: 7 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1817,7 +1817,7 @@ private function addHttpClientSection(ArrayNodeDefinition $rootNode, callable $e`
`1817`	`1817`	`->info('A network interface name, IP address, a host name or a UNIX socket to bind to.')`
`1818`	`1818`	`->end()`
`1819`	`1819`	`->booleanNode('verify_peer')`
`1820`		`- ->info('Indicates if the peer should be verified in anSSL/TLS context.')`
	`1820`	`+ ->info('Indicates if the peer should be verified in an TLS context.')`
`1821`	`1821`	`->end()`
`1822`	`1822`	`->booleanNode('verify_host')`
`1823`	`1823`	`->info('Indicates if the host should exist as a certificate common name.')`
`@@ -1838,7 +1838,7 @@ private function addHttpClientSection(ArrayNodeDefinition $rootNode, callable $e`
`1838`	`1838`	`->info('The passphrase used to encrypt the "local_pk" file.')`
`1839`	`1839`	`->end()`
`1840`	`1840`	`->scalarNode('ciphers')`
`1841`		`- ->info('A list ofSSL/TLS ciphers separated by colons, commas or spaces (e.g. "RC3-SHA:TLS13-AES-128-GCM-SHA256"...)')`
	`1841`	`+ ->info('A list of TLS ciphers separated by colons, commas or spaces (e.g. "RC3-SHA:TLS13-AES-128-GCM-SHA256"...)')`
`1842`	`1842`	`->end()`
`1843`	`1843`	`->arrayNode('peer_fingerprint')`
`1844`	`1844`	`->info('Associative array: hashing algorithm => hash(es).')`
`@@ -1849,6 +1849,9 @@ private function addHttpClientSection(ArrayNodeDefinition $rootNode, callable $e`
`1849`	`1849`	`->variableNode('md5')->end()`
`1850`	`1850`	`->end()`
`1851`	`1851`	`->end()`
	`1852`	`+ ->scalarNode('crypto_method')`
	`1853`	`+ ->info('The minimum version of TLS to accept; must be one of STREAM_CRYPTO_METHOD_TLSv*_CLIENT constants.')`
	`1854`	`+ ->end()`
`1852`	`1855`	`->arrayNode('extra')`
`1853`	`1856`	`->info('Extra options for specific HTTP client')`
`1854`	`1857`	`->normalizeKeys(false)`
`@@ -1965,7 +1968,7 @@ private function addHttpClientSection(ArrayNodeDefinition $rootNode, callable $e`
`1965`	`1968`	`->info('A network interface name, IP address, a host name or a UNIX socket to bind to.')`
`1966`	`1969`	`->end()`
`1967`	`1970`	`->booleanNode('verify_peer')`
`1968`		`- ->info('Indicates if the peer should be verified inan SSL/TLS context.')`
	`1971`	`+ ->info('Indicates if the peer should be verified inaTLS context.')`
`1969`	`1972`	`->end()`
`1970`	`1973`	`->booleanNode('verify_host')`
`1971`	`1974`	`->info('Indicates if the host should exist as a certificate common name.')`
`@@ -1986,7 +1989,7 @@ private function addHttpClientSection(ArrayNodeDefinition $rootNode, callable $e`
`1986`	`1989`	`->info('The passphrase used to encrypt the "local_pk" file.')`
`1987`	`1990`	`->end()`
`1988`	`1991`	`->scalarNode('ciphers')`
`1989`		`- ->info('A list ofSSL/TLS ciphers separated by colons, commas or spaces (e.g. "RC3-SHA:TLS13-AES-128-GCM-SHA256"...)')`
	`1992`	`+ ->info('A list of TLS ciphers separated by colons, commas or spaces (e.g. "RC3-SHA:TLS13-AES-128-GCM-SHA256"...)')`
`1990`	`1993`	`->end()`
`1991`	`1994`	`->arrayNode('peer_fingerprint')`
`1992`	`1995`	`->info('Associative array: hashing algorithm => hash(es).')`

`‎src/Symfony/Component/HttpClient/AmpHttpClient.php‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,10 @@ final class AmpHttpClient implements HttpClientInterface, LoggerAwareInterface,`
`47`	`47`	`use HttpClientTrait;`
`48`	`48`	`use LoggerAwareTrait;`
`49`	`49`
	`50`	`+publicconstOPTIONS_DEFAULTS = HttpClientInterface::OPTIONS_DEFAULTS + [`
	`51`	`+'crypto_method' => \STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,`
	`52`	`+ ];`
	`53`	`+`
`50`	`54`	`privatearray$defaultOptions =self::OPTIONS_DEFAULTS;`
`51`	`55`	`privatestaticarray$emptyDefaults =self::OPTIONS_DEFAULTS;`
`52`	`56`	`privateAmpClientState$multi;`

`‎src/Symfony/Component/HttpClient/CHANGELOG.md‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ CHANGELOG`
`4`	`4`	`6.3`
`5`	`5`	`---`
`6`	`6`
	`7`	+* Add option`crypto_method` to set the minimum TLS version and make it default to TLSv1.2
`7`	`8`	* Add`UriTemplateHttpClient` to use URI templates as specified in the RFC 6570
`8`	`9`	* Add`ServerSentEvent::getArrayData()` to get the Server-Sent Event's data decoded as an array when it's a JSON payload
`9`	`10`	* Allow array of urls as`base_uri` option value in`RetryableHttpClient` to retry on a new url each time

`‎src/Symfony/Component/HttpClient/CurlHttpClient.php‎`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,10 @@ final class CurlHttpClient implements HttpClientInterface, LoggerAwareInterface,`
`36`	`36`	`{`
`37`	`37`	`use HttpClientTrait;`
`38`	`38`
	`39`	`+publicconstOPTIONS_DEFAULTS = HttpClientInterface::OPTIONS_DEFAULTS + [`
	`40`	`+'crypto_method' => \STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,`
	`41`	`+ ];`
	`42`	`+`
`39`	`43`	`privatearray$defaultOptions =self::OPTIONS_DEFAULTS + [`
`40`	`44`	`'auth_ntlm' =>null,// array\|string - an array containing the username as first value, and optionally the`
`41`	`45`	`// password as the second one; or string like username:password - enabling NTLM auth`
`@@ -116,6 +120,12 @@ public function request(string $method, string $url, array $options = []): Respo`
`116`	`120`	`\CURLOPT_SSLKEY =>$options['local_pk'],`
`117`	`121`	`\CURLOPT_KEYPASSWD =>$options['passphrase'],`
`118`	`122`	`\CURLOPT_CERTINFO =>$options['capture_peer_cert_chain'],`
	`123`	`+ \CURLOPT_SSLVERSION =>match ($options['crypto_method']) {`
	`124`	`+ \STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT => \CURL_SSLVERSION_TLSv1_3,`
	`125`	`+ \STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT => \CURL_SSLVERSION_TLSv1_2,`
	`126`	`+ \STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT => \CURL_SSLVERSION_TLSv1_1,`
	`127`	`+ \STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT => \CURL_SSLVERSION_TLSv1_0,`
	`128`	`+ },`
`119`	`129`	`];`
`120`	`130`
`121`	`131`	`if (1.0 === (float)$options['http_version']) {`

`‎src/Symfony/Component/HttpClient/HttpClientTrait.php‎`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`useSymfony\Component\HttpClient\Response\StreamableInterface;`
`17`	`17`	`useSymfony\Component\HttpClient\Response\StreamWrapper;`
`18`	`18`	`useSymfony\Component\Mime\MimeTypes;`
	`19`	`+useSymfony\Contracts\HttpClient\HttpClientInterface;`
`19`	`20`
`20`	`21`	`/**`
`21`	`22`	`* Provides the common logic from writing HttpClientInterface implementations.`
`@@ -116,6 +117,15 @@ private static function prepareRequest(?string $method, ?string $url, array $opt`
`116`	`117`	`$options['peer_fingerprint'] =self::normalizePeerFingerprint($options['peer_fingerprint']);`
`117`	`118`	`}`
`118`	`119`
	`120`	`+if (isset($options['crypto_method']) && !\in_array($options['crypto_method'], [`
	`121`	`+ \STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,`
	`122`	`+ \STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,`
	`123`	`+ \STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,`
	`124`	`+ \STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT,`
	`125`	`+ ],true)) {`
	`126`	`+thrownewInvalidArgumentException('Option "crypto_method" must be one of "STREAM_CRYPTO_METHOD_TLSv1_*_CLIENT".');`
	`127`	`+ }`
	`128`	`+`
`119`	`129`	`// Validate on_progress`
`120`	`130`	`if (isset($options['on_progress']) && !\is_callable($onProgress =$options['on_progress'])) {`
`121`	`131`	`thrownewInvalidArgumentException(sprintf('Option "on_progress" must be callable, "%s" given.',get_debug_type($onProgress)));`

`‎src/Symfony/Component/HttpClient/Internal/AmpClientState.php‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -126,6 +126,7 @@ private function getClient(array $options): array`
`126`	`126`	`'ciphers' =>$options['ciphers'],`
`127`	`127`	`'capture_peer_cert_chain' =>$options['capture_peer_cert_chain'] \|\|$options['peer_fingerprint'],`
`128`	`128`	`'proxy' =>$options['proxy'],`
	`129`	`+'crypto_method' =>$options['crypto_method'],`
`129`	`130`	`];`
`130`	`131`
`131`	`132`	`$key =hash('xxh128',serialize($options));`
`@@ -141,6 +142,7 @@ private function getClient(array $options): array`
`141`	`142`	`$options['local_cert'] &&$context =$context->withCertificate(newCertificate($options['local_cert'],$options['local_pk']));`
`142`	`143`	`$options['ciphers'] &&$context =$context->withCiphers($options['ciphers']);`
`143`	`144`	`$options['capture_peer_cert_chain'] &&$context =$context->withPeerCapturing();`
	`145`	`+$options['crypto_method'] &&$context =$context->withMinimumVersion($options['crypto_method']);`
`144`	`146`
`145`	`147`	`$connector =$handleConnector =newclass()implements Connector {`
`146`	`148`	`public$connector;`

`‎src/Symfony/Component/HttpClient/NativeHttpClient.php‎`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,10 @@ final class NativeHttpClient implements HttpClientInterface, LoggerAwareInterfac`
`36`	`36`	`use HttpClientTrait;`
`37`	`37`	`use LoggerAwareTrait;`
`38`	`38`
	`39`	`+publicconstOPTIONS_DEFAULTS = HttpClientInterface::OPTIONS_DEFAULTS + [`
	`40`	`+'crypto_method' => \STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,`
	`41`	`+ ];`
	`42`	`+`
`39`	`43`	`privatearray$defaultOptions =self::OPTIONS_DEFAULTS;`
`40`	`44`	`privatestaticarray$emptyDefaults =self::OPTIONS_DEFAULTS;`
`41`	`45`
`@@ -198,6 +202,12 @@ public function request(string $method, string $url, array $options = []): Respo`
`198`	`202`	`$options['timeout'] =min($options['max_duration'],$options['timeout']);`
`199`	`203`	`}`
`200`	`204`
	`205`	`+switch ($cryptoMethod =$options['crypto_method']) {`
	`206`	`+case \STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT:$cryptoMethod \|= \STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;`
	`207`	`+case \STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT:$cryptoMethod \|= \STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;`
	`208`	`+case \STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT:$cryptoMethod \|= \STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;`
	`209`	`+ }`
	`210`	`+`
`201`	`211`	`$context = [`
`202`	`212`	`'http' => [`
`203`	`213`	`'protocol_version' =>min($options['http_version'] ?:'1.1','1.1'),`
`@@ -224,6 +234,7 @@ public function request(string $method, string $url, array $options = []): Respo`
`224`	`234`	`'allow_self_signed' => (bool)$options['peer_fingerprint'],`
`225`	`235`	`'SNI_enabled' =>true,`
`226`	`236`	`'disable_compression' =>true,`
	`237`	`+'crypto_method' =>$cryptoMethod,`
`227`	`238`	`],staticfn ($v) =>null !==$v),`
`228`	`239`	`'socket' => [`
`229`	`240`	`'bindto' =>$options['bindto'],`

`‎src/Symfony/Contracts/CHANGELOG.md‎`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,11 @@`
`1`	`1`	`CHANGELOG`
`2`	`2`	`=========`
`3`	`3`
	`4`	`+3.3`
	`5`	`+---`
	`6`	`+`
	`7`	+* Add option`crypto_method` to`HttpClientInterface` to define the minimum TLS version to accept
	`8`	`+`
`4`	`9`	`3.2`
`5`	`10`	`---`
`6`	`11`

`‎src/Symfony/Contracts/HttpClient/HttpClientInterface.php‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,7 @@ interface HttpClientInterface`
`66`	`66`	`'ciphers' =>null,`
`67`	`67`	`'peer_fingerprint' =>null,`
`68`	`68`	`'capture_peer_cert_chain' =>false,`
	`69`	`+'crypto_method' => \STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,// STREAM_CRYPTO_METHOD_TLSv*_CLIENT - minimum TLS version`
`69`	`70`	`'extra' => [],// array - additional options that can be ignored if unsupported, unlike regular options`
`70`	`71`	`];`
`71`	`72`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commitbd38bbd

File tree

10 files changed

10 files changed

`‎UPGRADE-6.3.md‎`

`‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php‎`

`‎src/Symfony/Component/HttpClient/AmpHttpClient.php‎`

`‎src/Symfony/Component/HttpClient/CHANGELOG.md‎`

`‎src/Symfony/Component/HttpClient/CurlHttpClient.php‎`

`‎src/Symfony/Component/HttpClient/HttpClientTrait.php‎`

`‎src/Symfony/Component/HttpClient/Internal/AmpClientState.php‎`

`‎src/Symfony/Component/HttpClient/NativeHttpClient.php‎`

`‎src/Symfony/Contracts/CHANGELOG.md‎`

`‎src/Symfony/Contracts/HttpClient/HttpClientInterface.php‎`

0 commit comments