[HttpClient] Add option crypto_method to set the minimum SSL version and make it default to TLSv1.2

nicolas-grekas · nicolas-grekas · commit fa841e4d86e6 · 2023-05-09T15:46:28.000+02:00
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -1849,6 +1849,9 @@ private function addHttpClientSection(ArrayNodeDefinition $rootNode, callable $e
                                         ->variableNode('md5')->end()
                                     ->end()
                                 ->end()
+                                ->scalarNode('crypto_method')
+                                    ->info('The minimum version of SSL to accept; must be one of STREAM_CRYPTO_METHOD_TLSv*_CLIENT constants.')
+                                ->end()
                                 ->arrayNode('extra')
                                     ->info('Extra options for specific HTTP client')
                                     ->normalizeKeys(false)
diff --git a/src/Symfony/Component/HttpClient/CHANGELOG.md b/src/Symfony/Component/HttpClient/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+6.4
+---
+
+ * Add option `crypto_method` to set the minimum SSL version and make it default to TLSv1.2
+
 6.3
 ---
 
diff --git a/src/Symfony/Component/HttpClient/CurlHttpClient.php b/src/Symfony/Component/HttpClient/CurlHttpClient.php
@@ -116,6 +116,12 @@ public function request(string $method, string $url, array $options = []): Respo
             \CURLOPT_SSLKEY => $options['local_pk'],
             \CURLOPT_KEYPASSWD => $options['passphrase'],
             \CURLOPT_CERTINFO => $options['capture_peer_cert_chain'],
+            \CURLOPT_SSLVERSION => match ($options['crypto_method']) {
+                \STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT => \CURL_SSLVERSION_TLSv1_3,
+                \STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT => \CURL_SSLVERSION_TLSv1_2,
+                \STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT => \CURL_SSLVERSION_TLSv1_1,
+                \STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT => \CURL_SSLVERSION_TLSv1_0,
+            }
         ];
 
         if (1.0 === (float) $options['http_version']) {
diff --git a/src/Symfony/Component/HttpClient/HttpClientTrait.php b/src/Symfony/Component/HttpClient/HttpClientTrait.php
@@ -116,6 +116,15 @@ private static function prepareRequest(?string $method, ?string $url, array $opt
             $options['peer_fingerprint'] = self::normalizePeerFingerprint($options['peer_fingerprint']);
         }
 
+        if (isset($options['crypto_method']) && !\in_array($options['crypto_method'], [
+            \STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
+            \STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
+            \STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
+            \STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT,
+        ], true)) {
+            throw new InvalidArgumentException('Option "crypto_method" must be one of "STREAM_CRYPTO_METHOD_TLSv1_*_CLIENT".');
+        }
+
         // Validate on_progress
         if (isset($options['on_progress']) && !\is_callable($onProgress = $options['on_progress'])) {
             throw new InvalidArgumentException(sprintf('Option "on_progress" must be callable, "%s" given.', get_debug_type($onProgress)));
diff --git a/src/Symfony/Component/HttpClient/Internal/AmpClientState.php b/src/Symfony/Component/HttpClient/Internal/AmpClientState.php
@@ -141,6 +141,7 @@ private function getClient(array $options): array
         $options['local_cert'] && $context = $context->withCertificate(new Certificate($options['local_cert'], $options['local_pk']));
         $options['ciphers'] && $context = $context->withCiphers($options['ciphers']);
         $options['capture_peer_cert_chain'] && $context = $context->withPeerCapturing();
+        $options['crypto_method'] && $context = $context->withMinimumVersion($options['crypto_method']);
 
         $connector = $handleConnector = new class() implements Connector {
             public $connector;
diff --git a/src/Symfony/Component/HttpClient/NativeHttpClient.php b/src/Symfony/Component/HttpClient/NativeHttpClient.php
@@ -215,6 +215,7 @@ public function request(string $method, string $url, array $options = []): Respo
                 'verify_peer_name' => $options['verify_host'],
                 'cafile' => $options['cafile'],
                 'capath' => $options['capath'],
+                'crypto_method' => $options['crypto_method'],
                 'local_cert' => $options['local_cert'],
                 'local_pk' => $options['local_pk'],
                 'passphrase' => $options['passphrase'],
diff --git a/src/Symfony/Component/HttpClient/composer.json b/src/Symfony/Component/HttpClient/composer.json
@@ -25,7 +25,7 @@
         "php": ">=8.1",
         "psr/log": "^1|^2|^3",
         "symfony/deprecation-contracts": "^2.5|^3",
-        "symfony/http-client-contracts": "^3",
+        "symfony/http-client-contracts": "^3.3",
         "symfony/service-contracts": "^2.5|^3"
     },
     "require-dev": {
diff --git a/src/Symfony/Contracts/CHANGELOG.md b/src/Symfony/Contracts/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+3.3
+---
+
+ * Add option `crypto_method` to `HttpClientInterface` to define the minimum SSL version to accept
+
 3.2
 ---
 
diff --git a/src/Symfony/Contracts/HttpClient/HttpClientInterface.php b/src/Symfony/Contracts/HttpClient/HttpClientInterface.php
@@ -66,6 +66,7 @@ interface HttpClientInterface
         'ciphers' => null,
         'peer_fingerprint' => null,
         'capture_peer_cert_chain' => false,
+        'crypto_method' => \STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT, // STREAM_CRYPTO_METHOD_TLSv*_CLIENT - minimum SSL version
         'extra' => [],          // array - additional options that can be ignored if unsupported, unlike regular options
     ];
 
