- New "SNI_server_certs" context option maps host names to
appropriate certs should client handshakes advertise the
SNI extension:
$ctx = stream_context_create(["ssl" => [
"local_cert" => "/path/to/cert.pem",
"SNI_server_certs" => [
"domain1.com" => "/path/to/domain1.pem",
"*.domain2.com" => "/path/to/domain2.pem",
"domain3.com" => "/path/to/domain3.pem"
]
]]);
- Prefixing a "*." will utilize the matching cert if a client
requests the primary host name or any subdomain thereof. So
in the above example our "domain2.pem" will be used for both
requests to "domain2.com" -and- "subdomain.domain2.com"
- The "SNI_server_certs" ctx option has no effect for client
streams.
- SNI support is enabled by default as of 5.6 for both servers
and clients. Servers must specify the "SNI_server_certs" array
to actually use the SNI extension, though.
- If the `"SNI_enabled" => false` ctx option is also passed then
"SNI_server_certs" has no effect.
- While supporting SNI by itself is enough to successfully
negotiate the TLS handshake with many clients, servers MUST
still specify a "local_cert" ctx option or run the risk of
connection failures from clients that do not support the SNI
extension.
- All streams-related code now lives in xp_ssl.c. Previously
stream code was split across both openssl.c and xp_ssl.c
- Folded superfluous php_openssl_structs.h into xp_ssl.c
- Server-specific options now set on SSL_CTX instead of SSL
- Deprecate SNI_server_name ctx option
- Miscellaneous refactoring
Previously the "capture_peer_cert" SSL context option only
captured the peer's certificate if the verification routine
succeeded.
By also capturing the on verify failure applications have the
ability to parse the cert and ask users whether they wish to
proceed given the information presented by the peer.
- Clean up properly at all fail points in native Windows peer
verification routine
- Bring certificate usages and chain flags into line with chromium
implementation in windows environments
* PHP-5.6:
Remove test case invalidated by openssl.cafile accessibility change
Tolerate non-standard newlines when parsing stream CA files
Remove openssl tests that shouldn't have survived last merge
Add openssl.cafile ini check when loading cainfo
Change openssl directives to PHP_INI_PERDIR
Update openssl tests with new server/client test harness
Add peer certificate verification on windows
* 'windowsPeerVerification' of https://github.com/DaveRandom/php-src:
Update openssl tests with new server/client test harness
Add peer certificate verification on windows
* PHP-5.6:
Improve OpenSSL compile flag compatibility, minor updates
Use crypto method flags; add tlsv1.0 wrapper; add wrapper tests
Improve server forward secrecy, refactor client SNI
Add 'honor_cipher_order' server context option
Add 'capture_session_meta' context option
Disable TLS compression by default in both clients and servers
Release ssl buffers
Add openssl_get_cert_locations() function
Explicitly set cert verify depth if not specified
Strengthen default cipher list
