SSL context options — list of SSL context options
List of context options for the ssl:// and tls:// transports.
Version | Description |
---|---|
5.6.0 | Added the peer_fingerprint parameter. |
5.4.13 | Added disable_compression. Requires OpenSSL >= 1.0.0. |
5.3.2 | Added SNI_enabled and SNI_server_name. |
5.0.0 | Added capture_peer_cert, capture_peer_chain, ciphers and local_pk. |
Note: Because ssl:// is the underlying transport for https:// and ftps://, the ssl:// context options also apply to https:// and ftps:// contexts.
Note: PHP must be compiled against OpenSSL 0.9.8j or later to support SNI; it also supports using OPENSSL_TLSEXT_SERVER_NAME to detect the SNI server name.
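The following is an added example, not code from the PHP manual: it combines the options listed above in a client-side tls:// context (verification on, compression off, peer certificate captured, optional peer_fingerprint pin) and reads the captured certificate back from the stream. The host, port, CA bundle path and pin value are assumptions.

```php
<?php
// Added example, not from the PHP manual: open a tls:// client connection using
// the ssl:// context options documented above, then read back the captured
// peer certificate. Host, port, CA bundle path and pin value are assumptions.

function connectWithVerifiedPeer(string $host, int $port, ?string $pinSha256 = null): array
{
    $ssl = [
        'verify_peer'         => true,   // reject chains that do not verify
        'verify_peer_name'    => true,   // reject certs not issued for the name
        'peer_name'           => $host,  // name to verify; defaults to the URL host
        'SNI_enabled'         => true,   // SNI_server_name also defaults to the URL host
        'cafile'              => '/etc/ssl/certs/ca-certificates.crt', // assumed bundle path
        'disable_compression' => true,   // TLS compression is a known weakness
        'capture_peer_cert'   => true,   // expose the peer cert via stream params
        'capture_peer_chain'  => true,
    ];
    if ($pinSha256 !== null) {
        // Optional pin (PHP >= 5.6): abort unless the leaf cert digest matches.
        $ssl['peer_fingerprint'] = ['sha256' => $pinSha256];
    }
    $context = stream_context_create(['ssl' => $ssl]);

    $stream = @stream_socket_client(
        "tls://{$host}:{$port}", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $context
    );
    if ($stream === false) {
        // Chain, name and fingerprint failures all surface as a failed open.
        return ['ok' => false, 'error' => trim("$errno: $errstr")];
    }

    $opts  = stream_context_get_params($stream)['options']['ssl'];
    $cert  = $opts['peer_certificate'];
    $chain = $opts['peer_certificate_chain'] ?? [];
    $info  = openssl_x509_parse($cert);
    fclose($stream);

    return [
        'ok'          => true,
        'subject_cn'  => $info['subject']['CN'] ?? null,
        'issuer_cn'   => $info['issuer']['CN'] ?? null,
        'valid_to'    => date('c', $info['validTo_time_t']),
        'sha256'      => openssl_x509_fingerprint($cert, 'sha256'),
        'chain_depth' => count($chain),
    ];
}
// Usage: record the sha256 from a first run, then pass it as $pinSha256.
print_r(connectWithVerifiedPeer('www.example.com', 443));
```

Because the pin is checked by the stream layer, a wrong or rotated fingerprint shows up as a failed connection rather than a successful one with a mismatched digest.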
[#1] Fabien Ménager [2015-02-25 11:04:38]
This page is missing a lot of the possible options, I had to go in the PHP core source code to see options not listed here:
Here are the ones missing:
* local_pk
* SNI_server_certs
* no_ticket
* Maybe others not in this file.
[#2] Anonymous [2014-05-13 17:26:04]
If I read the UPGRADING file correctly, in PHP 5.6 the default value of verify_peer has changed.
[#3] borbas dot geri at gmail dot com [2014-01-31 12:06:08]
I used this for Apple Push Notification Service.
Passed in a local certificate filename `cert.pem` through local_cert option.
Worked fine, when invoked the script directly.
But when I included/required the script from a different location, it stopped working, without any explicit error message.
Resolved by passing in the full path for the file `<FullPathTo>cert.pem`.
[#4] Boštjan Škufca [2010-02-20 11:11:10]
CN_match works contrary to intuitive thinking. I came across this when I was developing SSL server implemented in PHP. I stated (in code):
- do not allow self signed certs (works)
- verify peer certs against CA cert (works)
- verify the client's CN against CN_match (does not work), like this:
stream_context_set_option($context, 'ssl', 'CN_match', '*.example.org');
I presumed this would match any client with CN below .example.org domain.
Unfortunately this is NOT the case. The option above does not do that.
What it really does is this:
- it takes client's CN and compares it to CN_match
- IF CLIENT's CN CONTAINS AN ASTERISK like *.example.org, then it is matched against CN_match in wildcard matching fashion
Examples to illustrate behaviour:
(CNM = server's CN_match)
(CCN = client's CN)
- CNM=host.example.org, CCN=host.example.org ---> OK
- CNM=host.example.org, CCN=*.example.org ---> OK
- CNM=.example.org, CCN=*.example.org ---> OK
- CNM=example.org, CCN=*.example.org ---> ERROR
- CNM=*.example.org, CCN=host.example.org ---> ERROR
- CNM=*.example.org, CCN=*.example.org ---> OK
According to PHP sources I believe that the same applies if you are trying to act as Client and the server contains a wildcard certificate. If you set CN_match to myserver.example.org and server presents itself with *.example.org, the connection is allowed.
Everything above applies to PHP version 5.2.12.
I will supply a patch to support CN_match starting with asterisk.