PHPBB3-15570 (project: phpBB3)

Extension version check is restricted to TLS 1.0

    Details

    • Type: Security Issue
    • Status: Unverified Fix (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2.2
    • Fix Version/s: 3.3.0-a1, 3.2.3-RC1
    • Component/s: None
    • Labels: None

      Description

      The extension version check uses the file_downloader class where fsockopen() is used with a tls:// transport: https://github.com/phpbb/phpbb/blob/release-3.2.2/phpBB/phpbb/file_downloader.php#L45

      It was introduced in this PR: https://github.com/phpbb/phpbb/pull/3929

      Historically, the behavior of tls:// was to only allow TLS 1.0 connections. This was changed in PHP 5.6.0 to allow TLS 1.0, 1.1 or 1.2: https://github.com/php/php-src/commit/3a9829af2062527fb4e5cb11eb4ac3e045d0b370#diff-714485dc5d2ba8617ba0cb2dbfb7cd36R176

      In PHP 5.6.7, this change was reverted for backward compatibility reasons: https://github.com/php/php-src/commit/10bc5fd4c4c8e1dd57bd911b086e9872a56300a0#diff-714485dc5d2ba8617ba0cb2dbfb7cd36R178

      In the above revert commit, you can also see that the ssl:// transport allows establishing TLS 1.0, 1.1 and 1.2 connections (and no SSLvX connections).

      In PHP 7.2, the behavior was changed again. tls:// and ssl:// now do the same and allow TLS 1.0, 1.1 and 1.2 connections: https://github.com/php/php-src/commit/bec91e1117fd3527897cde2f8a26eab9a20fa3dc#diff-714485dc5d2ba8617ba0cb2dbfb7cd36R176

      For this reason I think the file_downloader should be using ssl://. However, a side effect of that change would be that users with PHP version ∈ [5.6.0, 5.6.6] can only establish SSLv2 and SSLv3 connections, and no TLS at all.

      Pertinent PHP bug reports:
      https://bugs.php.net/bug.php?id=69195
      https://bugs.php.net/bug.php?id=69345
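The version-dependent meaning of tls:// and ssl:// described above can be checked directly on a given PHP build. The following is an added example (not phpBB's file_downloader and not the fix applied to it): it connects with each transport name and reports the protocol PHP negotiated, then shows the explicit alternative of connecting over tcp:// and pinning the crypto method with stream_socket_enable_crypto(), which does not depend on the transport-name defaults. It assumes network access, PHP 7 or later (stream_get_meta_data() only reports the "crypto" entry from 7.0 on), and a placeholder $host you replace with an HTTPS endpoint you operate.

```php
<?php
// Added example, not phpBB code. Probes which protocol version a stream
// transport negotiates on the running PHP build, and shows how to pin the
// TLS version explicitly instead of relying on what "tls://" or "ssl://"
// happens to mean in this PHP version.

/**
 * Connect with $transport://$host:$port ("tls", "ssl", ...) and return the
 * negotiated protocol name ("TLSv1.2", ...) from stream_get_meta_data(),
 * or an error description. When $method is given, the stream is opened over
 * plain tcp:// and TLS is enabled explicitly with that
 * STREAM_CRYPTO_METHOD_* bitmask, so the transport name no longer matters.
 */
function negotiated_protocol(string $transport, string $host, int $port = 443, ?int $method = null): string
{
    // Certificate verification is on in both paths; peer_name is needed
    // for the tcp:// path because the scheme carries no TLS peer name.
    $context = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host,
    ]]);
    $scheme = $method === null ? $transport : 'tcp';
    $fp = @stream_socket_client("$scheme://$host:$port", $errno, $errstr, 5.0,
        STREAM_CLIENT_CONNECT, $context);
    if ($fp === false) {
        return "connect failed: [$errno] $errstr";
    }
    // Explicit handshake with the pinned method; returns true only on success.
    if ($method !== null && @stream_socket_enable_crypto($fp, true, $method) !== true) {
        fclose($fp);
        return 'handshake failed with pinned method';
    }
    $meta = stream_get_meta_data($fp);
    fclose($fp);
    // PHP 7+ exposes the handshake result under the "crypto" key.
    return $meta['crypto']['protocol'] ?? 'unknown (no crypto metadata)';
}

// $host is an assumed placeholder; replace it with an HTTPS endpoint you operate.
$host = 'example.invalid';
foreach (['tls', 'ssl'] as $t) {
    printf("%s:// -> %s\n", $t, negotiated_protocol($t, $host));
}
printf("tcp:// + TLSv1.2 pinned -> %s\n",
    negotiated_protocol('tcp', $host, 443, STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT));
```

Running it under PHP 5.6.7 through 7.1 should show tls:// stuck at TLSv1.0 while ssl:// and the pinned path reach TLSv1.2, matching the commits linked above.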


            People

            • Assignee: Marc
            • Reporter: kasimi
            • Votes: 0
            • Watchers: 2
