From a982cc3ec961a6d3c1b9bb3db048464f5bd6f033 Mon Sep 17 00:00:00 2001 From: Levi Morrison Date: Mon, 6 Apr 2026 18:32:39 -0600 Subject: [PATCH 1/2] ci: xfail sni_server tests due to expired certificates The bundled sni_server_*.pem certificates expired on 2026-04-02, causing stream_socket_client() to return false and the tests to fail across all PHP versions. Co-Authored-By: Claude Sonnet 4.6 --- dockerfiles/ci/xfail_tests/7.2.list | 2 ++ dockerfiles/ci/xfail_tests/7.3.list | 2 ++ dockerfiles/ci/xfail_tests/7.4.list | 2 ++ dockerfiles/ci/xfail_tests/8.0.list | 2 ++ dockerfiles/ci/xfail_tests/8.1.list | 2 ++ dockerfiles/ci/xfail_tests/8.2.list | 2 ++ dockerfiles/ci/xfail_tests/8.3.list | 2 ++ dockerfiles/ci/xfail_tests/8.4.list | 2 ++ dockerfiles/ci/xfail_tests/8.5.list | 2 ++ dockerfiles/ci/xfail_tests/README.md | 6 ++++++ 10 files changed, 24 insertions(+) diff --git a/dockerfiles/ci/xfail_tests/7.2.list b/dockerfiles/ci/xfail_tests/7.2.list index ddd0300894b..24013b9e0d9 100644 --- a/dockerfiles/ci/xfail_tests/7.2.list +++ b/dockerfiles/ci/xfail_tests/7.2.list @@ -171,6 +171,8 @@ ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt ext/openssl/tests/openssl_x509_parse_basic.phpt ext/openssl/tests/peer_verification.phpt ext/openssl/tests/san_peer_matching.phpt +ext/openssl/tests/sni_server.phpt +ext/openssl/tests/sni_server_key_cert.phpt ext/openssl/tests/session_meta_capture.phpt ext/openssl/tests/stream_crypto_flags_001.phpt ext/openssl/tests/stream_crypto_flags_002.phpt diff --git a/dockerfiles/ci/xfail_tests/7.3.list b/dockerfiles/ci/xfail_tests/7.3.list index eda53cf52d4..7b05abb4b1d 100644 --- a/dockerfiles/ci/xfail_tests/7.3.list +++ b/dockerfiles/ci/xfail_tests/7.3.list @@ -182,6 +182,8 @@ ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt ext/openssl/tests/openssl_x509_parse_basic.phpt ext/openssl/tests/peer_verification.phpt ext/openssl/tests/san_peer_matching.phpt +ext/openssl/tests/sni_server.phpt +ext/openssl/tests/sni_server_key_cert.phpt ext/openssl/tests/session_meta_capture.phpt ext/openssl/tests/stream_crypto_flags_001.phpt ext/openssl/tests/stream_crypto_flags_002.phpt diff --git a/dockerfiles/ci/xfail_tests/7.4.list b/dockerfiles/ci/xfail_tests/7.4.list index f4ebecf4319..73376f10305 100644 --- a/dockerfiles/ci/xfail_tests/7.4.list +++ b/dockerfiles/ci/xfail_tests/7.4.list @@ -223,6 +223,8 @@ ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt ext/openssl/tests/openssl_x509_parse_basic.phpt ext/openssl/tests/peer_verification.phpt ext/openssl/tests/san_peer_matching.phpt +ext/openssl/tests/sni_server.phpt +ext/openssl/tests/sni_server_key_cert.phpt ext/openssl/tests/session_meta_capture.phpt ext/openssl/tests/session_meta_capture_tlsv13.phpt ext/openssl/tests/stream_crypto_flags_001.phpt diff --git a/dockerfiles/ci/xfail_tests/8.0.list b/dockerfiles/ci/xfail_tests/8.0.list index af6d07e3e4d..86f18ca0559 100644 --- a/dockerfiles/ci/xfail_tests/8.0.list +++ b/dockerfiles/ci/xfail_tests/8.0.list @@ -266,6 +266,8 @@ ext/openssl/tests/openssl_x509_free_basic.phpt ext/openssl/tests/openssl_x509_parse_basic.phpt ext/openssl/tests/peer_verification.phpt ext/openssl/tests/san_peer_matching.phpt +ext/openssl/tests/sni_server.phpt +ext/openssl/tests/sni_server_key_cert.phpt ext/openssl/tests/session_meta_capture.phpt ext/openssl/tests/session_meta_capture_tlsv13.phpt ext/openssl/tests/stream_crypto_flags_001.phpt diff --git a/dockerfiles/ci/xfail_tests/8.1.list b/dockerfiles/ci/xfail_tests/8.1.list index 35b7dc63ac2..8dc33b427a4 100644 --- a/dockerfiles/ci/xfail_tests/8.1.list +++ b/dockerfiles/ci/xfail_tests/8.1.list @@ -87,6 +87,8 @@ ext/openssl/tests/openssl_peer_fingerprint_basic.phpt ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt ext/openssl/tests/peer_verification.phpt ext/openssl/tests/san_peer_matching.phpt +ext/openssl/tests/sni_server.phpt +ext/openssl/tests/sni_server_key_cert.phpt ext/openssl/tests/session_meta_capture.phpt ext/openssl/tests/session_meta_capture_tlsv13.phpt ext/openssl/tests/stream_crypto_flags_001.phpt diff --git a/dockerfiles/ci/xfail_tests/8.2.list b/dockerfiles/ci/xfail_tests/8.2.list index f8c3862efdf..65651d89593 100644 --- a/dockerfiles/ci/xfail_tests/8.2.list +++ b/dockerfiles/ci/xfail_tests/8.2.list @@ -77,6 +77,8 @@ ext/openssl/tests/openssl_peer_fingerprint_basic.phpt ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt ext/openssl/tests/peer_verification.phpt ext/openssl/tests/san_peer_matching.phpt +ext/openssl/tests/sni_server.phpt +ext/openssl/tests/sni_server_key_cert.phpt ext/openssl/tests/session_meta_capture.phpt ext/openssl/tests/session_meta_capture_tlsv13.phpt ext/openssl/tests/stream_crypto_flags_001.phpt diff --git a/dockerfiles/ci/xfail_tests/8.3.list b/dockerfiles/ci/xfail_tests/8.3.list index 2cf3c411061..b31f9874093 100644 --- a/dockerfiles/ci/xfail_tests/8.3.list +++ b/dockerfiles/ci/xfail_tests/8.3.list @@ -75,6 +75,8 @@ ext/openssl/tests/openssl_peer_fingerprint_basic.phpt ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt ext/openssl/tests/peer_verification.phpt ext/openssl/tests/san_peer_matching.phpt +ext/openssl/tests/sni_server.phpt +ext/openssl/tests/sni_server_key_cert.phpt ext/openssl/tests/session_meta_capture.phpt ext/openssl/tests/session_meta_capture_tlsv13.phpt ext/openssl/tests/stream_crypto_flags_001.phpt diff --git a/dockerfiles/ci/xfail_tests/8.4.list b/dockerfiles/ci/xfail_tests/8.4.list index 466800981e6..857f0f3f86a 100644 --- a/dockerfiles/ci/xfail_tests/8.4.list +++ b/dockerfiles/ci/xfail_tests/8.4.list @@ -78,6 +78,8 @@ ext/openssl/tests/openssl_peer_fingerprint_basic.phpt ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt ext/openssl/tests/peer_verification.phpt ext/openssl/tests/san_peer_matching.phpt +ext/openssl/tests/sni_server.phpt +ext/openssl/tests/sni_server_key_cert.phpt ext/openssl/tests/session_meta_capture.phpt ext/openssl/tests/session_meta_capture_tlsv13.phpt ext/openssl/tests/stream_crypto_flags_001.phpt diff --git a/dockerfiles/ci/xfail_tests/8.5.list b/dockerfiles/ci/xfail_tests/8.5.list index d44340f8183..1baa5d2b80c 100644 --- a/dockerfiles/ci/xfail_tests/8.5.list +++ b/dockerfiles/ci/xfail_tests/8.5.list @@ -79,6 +79,8 @@ ext/openssl/tests/openssl_peer_fingerprint_basic.phpt ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt ext/openssl/tests/peer_verification.phpt ext/openssl/tests/san_peer_matching.phpt +ext/openssl/tests/sni_server.phpt +ext/openssl/tests/sni_server_key_cert.phpt ext/openssl/tests/session_meta_capture.phpt ext/openssl/tests/session_meta_capture_tlsv13.phpt ext/openssl/tests/stream_crypto_flags_001.phpt diff --git a/dockerfiles/ci/xfail_tests/README.md b/dockerfiles/ci/xfail_tests/README.md index c4b8cbfc1e2..76e0c1291e0 100644 --- a/dockerfiles/ci/xfail_tests/README.md +++ b/dockerfiles/ci/xfail_tests/README.md @@ -242,3 +242,9 @@ Disabled on versions: `8.1+`. This test checks PHP's handling of excessively large QName prefix in SoapVar (a stress test for edge cases). With ddtrace loaded, the additional memory overhead causes the test to be killed before it can complete, due to hitting memory limits during the stress test. +## `ext/openssl/tests/sni_server.phpt`, `ext/openssl/tests/sni_server_key_cert.phpt` + +Disabled on all versions. + +The bundled test certificates (`sni_server_*.pem`) expired on 2026-04-02. The TLS handshake fails because the client rejects the expired server certificates, causing `stream_socket_client` to return `false`. PHP 8.2–8.5 are the maintained branches and should receive a fix once upstream regenerates the certificates; remove the xfail entries for those versions when they do. + From 7f31357a08ddd207d2cca8923f5d0505e31779c2 Mon Sep 17 00:00:00 2001 From: Levi Morrison Date: Mon, 6 Apr 2026 20:29:35 -0600 Subject: [PATCH 2/2] ci: xfail bug74796 and fix README for expired openssl certs Add bug74796.phpt to 8.3-8.5 xfail lists (same expired cert root cause as sni_server tests). Also update README to include it and drop inaccurate wording. Co-Authored-By: Claude Sonnet 4.6 --- dockerfiles/ci/xfail_tests/8.3.list | 1 + dockerfiles/ci/xfail_tests/8.4.list | 1 + dockerfiles/ci/xfail_tests/8.5.list | 1 + dockerfiles/ci/xfail_tests/README.md | 6 +++--- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/dockerfiles/ci/xfail_tests/8.3.list b/dockerfiles/ci/xfail_tests/8.3.list index b31f9874093..d78a680835c 100644 --- a/dockerfiles/ci/xfail_tests/8.3.list +++ b/dockerfiles/ci/xfail_tests/8.3.list @@ -77,6 +77,7 @@ ext/openssl/tests/peer_verification.phpt ext/openssl/tests/san_peer_matching.phpt ext/openssl/tests/sni_server.phpt ext/openssl/tests/sni_server_key_cert.phpt +ext/openssl/tests/bug74796.phpt ext/openssl/tests/session_meta_capture.phpt ext/openssl/tests/session_meta_capture_tlsv13.phpt ext/openssl/tests/stream_crypto_flags_001.phpt diff --git a/dockerfiles/ci/xfail_tests/8.4.list b/dockerfiles/ci/xfail_tests/8.4.list index 857f0f3f86a..e68b02af9d0 100644 --- a/dockerfiles/ci/xfail_tests/8.4.list +++ b/dockerfiles/ci/xfail_tests/8.4.list @@ -80,6 +80,7 @@ ext/openssl/tests/peer_verification.phpt ext/openssl/tests/san_peer_matching.phpt ext/openssl/tests/sni_server.phpt ext/openssl/tests/sni_server_key_cert.phpt +ext/openssl/tests/bug74796.phpt ext/openssl/tests/session_meta_capture.phpt ext/openssl/tests/session_meta_capture_tlsv13.phpt ext/openssl/tests/stream_crypto_flags_001.phpt diff --git a/dockerfiles/ci/xfail_tests/8.5.list b/dockerfiles/ci/xfail_tests/8.5.list index 1baa5d2b80c..1910a73d677 100644 --- a/dockerfiles/ci/xfail_tests/8.5.list +++ b/dockerfiles/ci/xfail_tests/8.5.list @@ -81,6 +81,7 @@ ext/openssl/tests/peer_verification.phpt ext/openssl/tests/san_peer_matching.phpt ext/openssl/tests/sni_server.phpt ext/openssl/tests/sni_server_key_cert.phpt +ext/openssl/tests/bug74796.phpt ext/openssl/tests/session_meta_capture.phpt ext/openssl/tests/session_meta_capture_tlsv13.phpt ext/openssl/tests/stream_crypto_flags_001.phpt diff --git a/dockerfiles/ci/xfail_tests/README.md b/dockerfiles/ci/xfail_tests/README.md index 76e0c1291e0..247506dfaaa 100644 --- a/dockerfiles/ci/xfail_tests/README.md +++ b/dockerfiles/ci/xfail_tests/README.md @@ -242,9 +242,9 @@ Disabled on versions: `8.1+`. This test checks PHP's handling of excessively large QName prefix in SoapVar (a stress test for edge cases). With ddtrace loaded, the additional memory overhead causes the test to be killed before it can complete, due to hitting memory limits during the stress test. -## `ext/openssl/tests/sni_server.phpt`, `ext/openssl/tests/sni_server_key_cert.phpt` +## `ext/openssl/tests/sni_server.phpt`, `ext/openssl/tests/sni_server_key_cert.phpt`, `ext/openssl/tests/bug74796.phpt` -Disabled on all versions. +Disabled on all versions (where present). -The bundled test certificates (`sni_server_*.pem`) expired on 2026-04-02. The TLS handshake fails because the client rejects the expired server certificates, causing `stream_socket_client` to return `false`. PHP 8.2–8.5 are the maintained branches and should receive a fix once upstream regenerates the certificates; remove the xfail entries for those versions when they do. +The bundled test certificates expired on 2026-04-02. The TLS handshake fails because the client rejects the expired server certificates, causing `stream_socket_client` to return `false`.