From 28fe3baf9ca59b74c07e16d0a68ead0f7dac8a70 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Mon, 12 Oct 2020 07:57:14 +0200
Subject: [PATCH 1/2] Disable secure-http automatically when disable-tls is enabled, fixes #9235
---
 doc/06-config.md | 3 ++-
 src/Composer/Config.php | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/doc/06-config.md b/doc/06-config.md
index 603de014a..4e027b9b1 100644
--- a/doc/06-config.md
+++ b/doc/06-config.md
@@ -96,7 +96,8 @@ gitlab.com the domain names must be also specified with the
 Defaults to `false`. If set to true all HTTPS URLs will be tried with HTTP instead and no network level encryption is performed. Enabling this is a security risk and is NOT recommended. The better way is to enable the
-php_openssl extension in php.ini.
+php_openssl extension in php.ini. Enabling this will implicitly disable the
+`secure-http` option.
 ## secure-http
diff --git a/src/Composer/Config.php b/src/Composer/Config.php
index e57d21cab..b305fe371 100644
--- a/src/Composer/Config.php
+++ b/src/Composer/Config.php
@@ -328,6 +328,10 @@ class Config
 case 'disable-tls':
 return $this->config[$key] !== 'false' && (bool) $this->config[$key];
 case 'secure-http':
+ if ($this->get('disable-tls') === true) {
+ return false;
+ }
+
 return $this->config[$key] !== 'false' && (bool) $this->config[$key];
 case 'use-github-api':
 return $this->config[$key] !== 'false' && (bool) $this->config[$key];
From 159bb84fa63c30cf9289d4698458e442c5d0ee1b Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Mon, 12 Oct 2020 08:16:31 +0200
Subject: [PATCH 2/2] Allow running the config command to disable tls even if openssl is not present, fixes #9198
---
 src/Composer/Factory.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/Composer/Factory.php b/src/Composer/Factory.php
index 8a0ff1e2d..acb483294 100644
--- a/src/Composer/Factory.php
+++ b/src/Composer/Factory.php
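Review bot: In `src/Composer/Config.php`, the new early return under `case 'secure-http':` lets `disable-tls` override an explicit `secure-http: true`, yet no comment states that precedence and the diffstat shows no test covering it. A single setting now switches off both transport protections, so the intent deserves a line such as `// disable-tls forces plain HTTP, so secure-http cannot be honoured and is reported as off`. A test pinning that `get('secure-http')` is false when both options are set to true would keep a later refactor from quietly changing the order. The enclosing `switch` begins and ends outside the hunk, so whether other code reads `$this->config['secure-http']` directly cannot be judged from here.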
@@ -586,7 +586,11 @@ class Factory
 {
 static $warned = false;
 $disableTls = false;
- if ($config && $config->get('disable-tls') === true) {
+ // allow running the config command if disable-tls is in the arg list, even if openssl is missing, to allow disabling it via the config command
+ if (isset($_SERVER['argv']) && in_array('disable-tls', $_SERVER['argv']) && (in_array('conf', $_SERVER['argv']) || in_array('config', $_SERVER['argv']))) {
+ $warned = true;
+ $disableTls = !extension_loaded('openssl');
+ } elseif ($config && $config->get('disable-tls') === true) {
 if (!$warned) {
 $io->writeError('You are running Composer with SSL/TLS protection disabled.');
 }
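Review bot: The new first branch decides from raw `$_SERVER['argv']` membership, so it matches the words `disable-tls` and `conf`/`config` anywhere in the argument list rather than the parsed command and its setting key. Any invocation that matches sets `$warned = true` and, when openssl is not loaded, sets `$disableTls` to true without the "SSL/TLS protection disabled" message being written. Consider checking the parsed command name instead of scanning argv, and keep the warning whenever `$disableTls` ends up true; if the scan stays, pass `true` as the third argument to each `in_array`. The enclosing method starts and ends outside the hunk, so how `$disableTls` is consumed afterwards is not visible here.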