Merge pull request heroku#352 from heroku/develop

Binaries update: PHP, extensions, Composer, and OpenSSL 1.1.1 forward compatibility

CHANGELOG.md

@@ -5,12 +5,20 @@
 ### ADD
 
 - Automatically run 'composer test' if present, or one of 'codecept'/'behat'/'phpspec'/'atoum'/'kahlan'/'peridot'/'phpunit', on Heroku CI [David Zuelke]
+- PHP/7.1.31 [David Zuelke]
+- PHP/7.2.21 [David Zuelke]
+- PHP/7.3.8 [David Zuelke]
+- ext-rdkafka/3.1.2 [David Zuelke]
+- ext-redis/5.0.2 [David Zuelke]
+- ext-blackfire/1.26.4 [David Zuelke]
 
 ### CHG
 
 - Enable zend.assertions on Heroku CI [David Zuelke]
 - Boot scripts now prefer a `composer` binary on `$PATH` over a `composer.phar` in the CWD [David Zuelke]
 - Refactor logic used to prevent APM extensions such as `ext-newrelic` or `ext-blackfire` from starting up during during boot preparations or builds [David Zuelke]
+- Patch `libc-client`, used by PHP's `ext-imap`, to use SNI if possible (required with TLSv1.3) [David Zuelke]
+- Composer/1.9.0 [David Zuelke]
 
 ### FIX
 

bin/compile

@@ -218,7 +218,7 @@ fi
 mkdir -p $build_dir/.heroku/php-min
 ln -s $build_dir/.heroku/php-min /app/.heroku/php-min
 
-curl_retry_on_18 --fail --silent --location -o $build_dir/.heroku/php-min.tar.gz "${s3_url}php-min-7.3.7.tar.gz" || {
+curl_retry_on_18 --fail --silent --location -o $build_dir/.heroku/php-min.tar.gz "${s3_url}php-min-7.3.8.tar.gz" || {
 	mcount "failures.bootstrap.download.php-min"
 	error <<-EOF
 		Failed to download minimal PHP for bootstrapping!
@@ -231,7 +231,7 @@ curl_retry_on_18 --fail --silent --location -o $build_dir/.heroku/php-min.tar.gz
 tar xzf $build_dir/.heroku/php-min.tar.gz -C $build_dir/.heroku/php-min
 rm $build_dir/.heroku/php-min.tar.gz
 
-curl_retry_on_18 --fail --silent --location -o $build_dir/.heroku/composer.tar.gz "${s3_url}composer-1.8.6.tar.gz" || {
+curl_retry_on_18 --fail --silent --location -o $build_dir/.heroku/composer.tar.gz "${s3_url}composer-1.9.0.tar.gz" || {
 	mcount "failures.bootstrap.download.composer"
 	error <<-EOF
 		Failed to download Composer for bootstrapping!

support/build/_docker/cedar-14.Dockerfile

@@ -7,6 +7,7 @@ ENV S3_BUCKET=lang-php
 ENV S3_PREFIX=dist-cedar-14-develop/
 ENV S3_REGION=s3
 ENV STACK=cedar-14
+ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && apt-get install -y python-pip
 

support/build/_docker/heroku-16.Dockerfile

@@ -7,6 +7,7 @@ ENV S3_BUCKET=lang-php
 ENV S3_PREFIX=dist-heroku-16-develop/
 ENV S3_REGION=s3
 ENV STACK=heroku-16
+ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && apt-get install -y python-pip
 

support/build/_docker/heroku-18.Dockerfile

@@ -7,8 +7,11 @@ ENV S3_BUCKET=lang-php
 ENV S3_PREFIX=dist-heroku-18-develop/
 ENV S3_REGION=s3
 ENV STACK=heroku-18
+ENV DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update && apt-get install -y python-pip
+# pin to package versions from bionic-security for now so that the install doesn't bump libssl to 1.1.1
+# RUN apt-get update && apt-get install -y python-pip
+RUN apt-get update && apt-get install --no-install-recommends -y python-pip-whl=9.0.1-2 python-pip=9.0.1-2 python-setuptools python-wheel
 
 COPY requirements.txt /app/requirements.txt
 

support/build/libraries/libc-client

@@ -58,6 +58,30 @@ dpkg-source --require-valid-signature -x $(basename ${dep_urls[-1]})
 
 pushd ${dep_dirname}
 
+# SNI capabilities for libc-client; some servers (GMail) require it with TLSv1.3, which OpenSSL 1.1.1 supports
+patch -p1 <<EOF
+--- a/src/osdep/unix/ssl_unix.c
++++ b/src/osdep/unix/ssl_unix.c
+@@ -273,6 +273,17 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
+ 				/* create connection */
+   if (!(stream->con = (SSL *) SSL_new (stream->context)))
+     return "SSL connection failed";
++#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
++  ASN1_OCTET_STRING *ip;
++  /* support SNI if host is not an IP address */
++  /* per RFC 6066: */
++  /* Literal IPv4 and IPv6 addresses are not permitted in "HostName". */
++  ip = a2i_IPADDRESS(host);
++  if (ip == NULL) {
++    ERR_clear_error();
++    SSL_set_tlsext_host_name(stream->con,host);
++  }
++#endif
+   bio = BIO_new_socket (stream->tcpstream->tcpsi,BIO_NOCLOSE);
+   SSL_set_bio (stream->con,bio,bio);
+   SSL_set_connect_state (stream->con);
+EOF
+
 touch ip6 # so we do not get prompted
 make ldb EXTRACFLAGS=-fPIC # need PIC so relocations work in the shared imap.so ext later
 mkdir -p ${OUT_PREFIX}/opt/${dep_destname}/include ${OUT_PREFIX}/opt/${dep_destname}/lib

test/fixtures/bugs/imap-tls-sni/composer.json

@@ -0,0 +1,6 @@
+{
+    "require": {
+        "php": "7.3.*",
+        "ext-imap": "*"
+    }
+}

test/spec/bugs_spec.rb

@@ -0,0 +1,21 @@
+require_relative "spec_helper"
+
+describe "A PHP application" do
+	context "using ext-imap on heroku-18" do
+		# OpenSSL 1.1.1 introduces support for TLSv1.3
+		# When negotiating a TLSv1.3 connection with a GMail IMAP server, the server will reject the attempt if no SNI ("ServerName" extension) info is sent
+		# Must be fixed at the libc-client level
+		it "successfully establishes a connection to a GMail IMAP server" do
+			skip unless ENV["STACK"] == "heroku-18" # the other stacks don't have OpenSSL 1.1.1 or later
+
+			app = new_app_with_stack_and_platrepo('test/fixtures/bugs/imap-tls-sni')
+
+			app.deploy do |app|
+				expect(app.output).to match("- ext-imap")
+				output = app.run('php -r \'imap_open("{imap.gmail.com:993/imap/ssl}INBOX", "user", "pass") or die(imap_last_error());\'')
+				expect(output).to match("Can not authenticate to IMAP server")
+				expect(output).not_to match("Certificate failure")
+			end
+		end
+	end
+end