* master: (46 commits)
PHP_INT_MIN and _MAX tests
NEWS and UPGRADING
Added PHP_INT_MIN
Fix wrong lenght size
Bug #51096 - Remove unnecessary ? for first/last day of
Moved streams related functions to xp_ssl.c
Remove duplicate NEWS
Update NEWS
Update NEWS
Update NEWS
BFN
BFN
Fixed bug #67715 (php-milter does not build and crashes randomly).
We need to turn off any strict mode here for this warning to show up
Disable restrictions regarding arrays in constants at run-time. For the discussion around it, see the thread on the mailing list: http://www.mail-archive.com/internals@lists.php.net/msg68245.html
Revert "Fix bug #67064 in a BC safe way"
Updated NEWS for #67693
Updated NEWS for #67693
Fixed bug #67693 - incorrect push to the empty array
add missing entry to NEWS
...
Conflicts:
Zend/tests/errmsg_040.phpt
Zend/tests/ns_059.phpt
Zend/zend_language_parser.y
Zend/zend_vm_def.h
ext/openssl/openssl.c
ext/reflection/php_reflection.c
ext/session/session.c
ext/spl/spl_directory.c
ext/spl/spl_iterators.c
ext/sqlite3/sqlite3.c
ext/standard/array.c
- New "SNI_server_certs" context option maps host names to
appropriate certs should client handshakes advertise the
SNI extension:
$ctx = stream_context_create(["ssl" => [
"local_cert" => "/path/to/cert.pem",
"SNI_server_certs" => [
"domain1.com" => "/path/to/domain1.pem",
"*.domain2.com" => "/path/to/domain2.pem",
"domain3.com" => "/path/to/domain3.pem"
]
]]);
- Prefixing a "*." will utilize the matching cert if a client
requests the primary host name or any subdomain thereof. So
in the above example our "domain2.pem" will be used for both
requests to "domain2.com" -and- "subdomain.domain2.com"
- The "SNI_server_certs" ctx option has no effect for client
streams.
- SNI support is enabled by default as of 5.6 for both servers
and clients. Servers must specify the "SNI_server_certs" array
to actually use the SNI extension, though.
- If the `"SNI_enabled" => false` ctx option is also passed then
"SNI_server_certs" has no effect.
- While supporting SNI by itself is enough to successfully
negotiate the TLS handshake with many clients, servers MUST
still specify a "local_cert" ctx option or run the risk of
connection failures from clients that do not support the SNI
extension.
- All streams-related code now lives in xp_ssl.c. Previously
stream code was split across both openssl.c and xp_ssl.c
- Folded superfluous php_openssl_structs.h into xp_ssl.c
- Server-specific options now set on SSL_CTX instead of SSL
- Deprecate SNI_server_name ctx option
- Miscellaneous refactoring
Previously the "capture_peer_cert" SSL context option only
captured the peer's certificate if the verification routine
succeeded.
By also capturing the on verify failure applications have the
ability to parse the cert and ask users whether they wish to
proceed given the information presented by the peer.
* PHP-5.6:
Improve OpenSSL compile flag compatibility, minor updates
Use crypto method flags; add tlsv1.0 wrapper; add wrapper tests
Improve server forward secrecy, refactor client SNI
Add 'honor_cipher_order' server context option
Add 'capture_session_meta' context option
Disable TLS compression by default in both clients and servers
Release ssl buffers
Add openssl_get_cert_locations() function
Explicitly set cert verify depth if not specified
Strengthen default cipher list
