From c05ef534171135f4252fa0feed5466a75435b97a Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Fri, 12 Dec 2014 01:30:38 +0100
Subject: seems we need to do SSL/TLS checks the other way round
---
 inc/HTTPClient.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'inc/HTTPClient.php')
diff --git a/inc/HTTPClient.php b/inc/HTTPClient.php
index c791b7f4a..76d973c38 100644
--- a/inc/HTTPClient.php
+++ b/inc/HTTPClient.php
@@ -592,13 +592,15 @@ class HTTPClient {
  // set correct peer name for verification (enabled since PHP 5.6)
  stream_context_set_option($socket, 'ssl', 'peer_name', $requestinfo['host']);
 
- // Try a TLS connection first
- if (@stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
+ // Because of older PHP versions having trouble with TLS (enable_crypto returns true, but
+ // the conection still borks) we try SSLv3 first
+ if (@stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_SSLv3_CLIENT)) {
  $requesturl = $requestinfo['path'];
  return true;
  }
- // Fall back to SSLv3
- if (@stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_SSLv3_CLIENT)) {
+
+ // If the proxy does not support SSLv3 we try TLS
+ if (@stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
  $requesturl = $requestinfo['path'];
  return true;
  }
-- 
cgit v1.2.3
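Review bot: Trying `STREAM_CRYPTO_METHOD_SSLv3_CLIENT` first means every tunnelled HTTPS request is negotiated with SSLv3 whenever the peer still accepts it, so the TLS branch below runs only after SSLv3 fails and the deprecated protocol (with its POODLE-class padding-oracle weakness) becomes the default rather than the fallback. If the reordering is needed only for the older PHP versions the new comment mentions, the SSLv3 attempt should be limited to them, e.g. wrapped in `if (version_compare(PHP_VERSION, '<affected-version>', '<'))`, with TLS tried first everywhere else. The `@` on both calls also hides why a handshake failed, including a certificate or `peer_name` mismatch, and the second attempt then reuses the same `$socket`; recording the suppressed error before falling through would make such failures visible. The enclosing method starts and ends outside this hunk, so what happens after both attempts fail is not visible here.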