OpenSSL changes in PHP 5.6.x

Stream wrappers now verify peer certificates and host names by default when using SSL/TLS

All encrypted client streams now enable peer verification by default. By default, this will use OpenSSL's default CA bundle to verify the peer certificate. In most cases, no changes will need to be made to communicate with servers with valid SSL certificates, as distributors generally configure OpenSSL to use known good CA bundles.

The default CA bundle may be overridden on a global basis by setting either the openssl.cafile or openssl.capath configuration setting, or on a per request basis by using the cafile or capath context options.

While not recommended in general, it is possible to disable peer certificate verification for a request by setting the verify_peer context option to FALSE, and to disable peer name validation by setting the verify_peer_name context option to FALSE.

Certificate fingerprints

Support has been added for extracting and verifying certificate fingerprints. openssl_x509_fingerprint() has been added to extract a fingerprint from an X.509 certificate, and two SSL stream context options have been added: capture_peer_cert to capture the peer's X.509 certificate, and peer_fingerprint to assert that the peer's certificate should match the given fingerprint.

Default ciphers updated

The default ciphers used by PHP have been updated to a more secure list based on the » Mozilla cipher recommendations, with two additional exclusions: anonymous Diffie-Hellman ciphers, and RC4.

This list can be accessed via the new OPENSSL_DEFAULT_STREAM_CIPHERS constant, and can be overridden (as in previous PHP versions) by setting the ciphers context option.

Compression disabled by default

SSL/TLS compression has been disabled by default to mitigate the CRIME attack. PHP 5.4.13 added a disable_compression context option to allow compression to be disabled: this is now set to TRUE (that is, compression is disabled) by default.

Allow servers to prefer their cipher order

The honor_cipher_order SSL context option has been added to allow encrypted stream servers to mitigate BEAST vulnerabilities by preferring the server's ciphers to the client's.

Access the negotiated protocol and cipher

The protocol and cipher that were negotiated for an encrypted stream can now be accessed via stream_get_meta_data() or stream_context_get_options() when the capture_session_meta SSL context option is set to TRUE.

<?php
$ctx 
stream_context_create(['ssl' => [
    
'capture_session_meta' => TRUE
]]);
 
$html file_get_contents('https://google.com/'FALSE$ctx);
$meta stream_context_get_options($ctx)['ssl']['session_meta'];
var_dump($meta);
?>

The above example will output:

array(4) {
  ["protocol"]=>
  string(5) "TLSv1"
  ["cipher_name"]=>
  string(20) "ECDHE-RSA-AES128-SHA"
  ["cipher_bits"]=>
  int(128)
  ["cipher_version"]=>
  string(11) "TLSv1/SSLv3"
}

New options for perfect forward secrecy in encrypted stream servers

Encrypted client streams already support perfect forward secrecy, as it is generally controlled by the server. PHP encrypted server streams using certificates capable of perfect forward secrecy do not need to take any additional action to enable PFS; however a number of new SSL context options have been added to allow more control over PFS and deal with any compatibility issues that may arise.

ecdh_curve

This option allows the selection of a specific curve for use with ECDH ciphers. If not specified, prime256v1 will be used.

dh_param

A path to a file containing parametrs for Diffie-Hellman key exchange, such as that created by the following command:

openssl dhparam -out /path/to/my/certs/dh-2048.pem 2048
single_dh_use

If set to TRUE, a new key pair will be created when using Diffie-Hellman parameters, thereby improving forward secrecy.

single_ecdh_use

If set to TRUE, a new key pair will always be generated when ECDH cipher suites are negotiated. This improves forward secrecy.

SSL/TLS version selection

It is now possible to select specific versions of SSL and TLS via the crypto_method SSL context option or by specifying a specific transport when creating a stream wrapper (for example, by calling stream_socket_client() or stream_socket_server()).

The crypto_method SSL context option accepts a bitmask enumerating the protocols that are permitted, as does the crypto_type of stream_socket_enable_crypto().

2 aer.pp classgenanchor"php" cl#118214"> &n_me;> aerGoto < cer" dd> om2015-10-27 09:36>
g nconteHcom118214"> a href="function.stream-context-gvar_dum tml"> To geerveckonor-cip"old bmmand r"pnd hostlf-signen ("snakeoil")2" id="migratimeterong>,quotthat cproble, yous="title"

_get_color: #ext-gvar_dum"contex_options()oDD0000">'sslvar_dumRUEworaew=>oDD0000">'sslvar_dum"contex_ois set to TRUE'sslvar_dumRUEworaew=or: < style="col ;TRUE'sslvar_dum"contex_oDals>TRUEoDD0000">'sslvar_dumRUEworaew=or: oDD0000">'sslvar_dum"contex_oDals>< style="col ;TRUETRUE'sslvar_dumRUEworaew=>oDD0000">'sslvar_dum"contex_oD0000">'capture_session_meta'&var_dumRUEworaew TRUEofor us" dar">'="_bla ae'TRUE'sslvar_dum"contex_oDals>TRUETRUETRUE'sslvar_dum"contex_olor: #007700">][ott-conte120179"> oto searchGoto homVu120179"> o d>.php" cli>T ho120179ation5ue="help-translate.php"ationvtab=up" dd> omVokieup!

up> Goto homVd120179"> o d>.php" cli>T ho120179ation5ue="help-translate.php"ationvtab=down" dd> omVokiedown!

Goto om75% like/h3> ..."> o d2 tionw funcag tllag aer.pp classgenanchor"php" cl#120179"> &n_me;> aerGoto < cer" dd> om2016-11-17 03:33>

g nconteHcom120179"> a href="function.stream-context-gvar_dum tml"> Ntab: yous">st validstlf-signen when using SSL/TLyour appll.cafile>
array(4) {
footver.php" cli>Tctio"help-translate.php"ption	Spanish
add  vetabuncatal>add  vetab>][atal>ect2" ">][tions >      [tions >
Selected protocol versions and corresponding options
Protocol(s) Client flag Server flag Transport
Any TLS or SSL version STREAM_CRYPTO_METHOD_ANY_CLIENT STREAM_CRYPTO_METHOD_ANY_SERVER ssl://
Any TLS version STREAM_CRYPTO_METHOD_TLS_CLIENT STREAM_CRYPTO_METHOD_TLS_SERVER tls://
TLS 1.0 STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT STREAM_CRYPTO_METHOD_TLSv1_0_SERVER tlsv1.0://
TLS 1.1 STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT STREAM_CRYPTO_METHOD_TLSv1_1_SERVER tlsv1.1v1_0_SERVER tlsv1.0:// STREAM_CRYPTO_METHOD_TLSv1_2>7dd> ">stream_sockFtedlist">
Client flag
Server flag v3eg">tlsv1.1v1_0_SERVE_0_"funct/methoion">stream_get_meta_data() or stream_context_get_options()'ssl''capture_s():_get_contentscapture_session_meta SSL context option is set to TRUE.

< style="color: #000000"> <?php
<?php
stream_context_creaseg">STREAM_CRYPTO_n style="color: #0000BB">$html n style="color: #000000"> => [
    
'capture_session_meta' => TRUE
]]);file_get_color: #DD0000">'ssl'capture_session_meta
SSL context option is set to TRUE.

< style="color: #000000"> <?php
<?php
stream_context_creaseg">STREAM_CRYPTO_METHODpan style="color: #007700">= <|n style="color: #000000"> stream_context_creaseg">STREAM_CRYPT2M_CRYPTO_n style="color: #0000BB">$html n style="color: #000000"> => [
    
'capture_session_meta' => TRUE
]]);file_get_color: #DD0000">'ssl' when the capture_session_meta SSL context option is set le to select ession_meta' => TRUE
'ssl'][
array(4) {
  ["protocol"]=>
 ME
   a-" id="migra-s="p"link">SSL stream contexy_peer_name
    context option to 

  

> 'ca id_lo.cafil3specific versipted code> context option to all_peer_name context option to

> 'ca id_lo.cafil3specific versi="para">TRUE >stream_get_meta_data() or stream_context_get_options()($ctx 'ca id_lo.cafil3color: #007700">('ssl']['session_meta'];
var_dump);
/etc/pki/taser">dcodeB">?>
"contexca id_D000_envove example will output3

ttpsCERT_FILEB">?> "contexca id_dirove example will output8

/etc/pki/taser">dsB">?> "contexca id_dir_envove example will output2

ttpsCERT_DIRB">?> "contexcprivgra_dirove example will outpupan>?> "contexc"contexca id_a seove example will output2

/etc/pki/tasB">?> ini_ndles.ove example will outpuan>?> ini_nds="pove example will outpuan>?>e-contents screen">
array(4) {
  ["protocol"]=>
 spkiode>

    
PKIr_versioting the signenssl.publicTRUE context option to

>

> > > st PHP encrypted server streams using ce> single_dh_use

p'>Dateg versan> or stream_context_get_options() when the capture_session_meta SSL context option > ('ssl'($ctxTRUE.

p;TRUE
'ssl'capture_session_meta SSL context option > ($ctxTRUE.

p;
TRUE
'ssl']['session_meta']">];
var_dump
single_dh_use
Vt.sslg ut /ped c/PKACving forwarding fortream_get_meta_data()an> or stream_context_get_options() when the capture_session_meta SSL context option > ('ssl'($ctxTRUE.

p;
TRUE
'ssl'capture_session_meta SSL context option > ($ctxTRUE.

p;
TRUE
'ssl'($ctx ($ctxTRUE
'ssl'][
single_dh_use
Exl.phs claocream sth/en/tres="titut /ped c/PKACving forwarding fortream_get_meta_data()an> or stream_context_get_options() when the capture_session_meta SSL context option > ('ssl'($ctxTRUE.

p;
TRUE
'ssl'capture_session_meta SSL context option > ($ctxTRUE.

p;
TRUE
'ssl'= h/en/treps://g the capture_session_meta SSL context option > ($ctxTRUE
= h/en/tres=lor: #007700">('ssl']['session_meta']">];
var_dump
single_dh_use
Exl.phs al aPEM.a_datilesyRSA.publicTRUE<="tit PKACving forwarding fortream_get_meta_data()an> or stream_context_get_options() when the capture_session_meta SSL context option > ('ssl'($ctxTRUE.

p;
TRUE
'ssl'capture_session_meta SSL context option > ($ctxTRUE.

p;
TRUE
=&nbs> ($ctxTRUE
'ssl']['session_meta']">];
var_dump
/dd> nctions userntaba BB">var_dum claew funcp.stream-soat-server.php" cli>Tctio"help-translate.php"ption Spanish add  vetabuncatal>add vetab>][atal>ect2" id="me>
tem.ption< esyNtabauncp.stream-socourong2vetab3color: #ing ect> ott-conte118214"> oto searchGoto homVu118214"> o d>.php" cli>T ho118214ation5ue="help-translate.php"ationvtab=up" dd> omVokieup!

up> Goto homVd118214"> o d>.php" cli>T ho118214ation5ue="help-translate.php"ationvtab=down" dd> omVokiedown!

Goto om66% like/h3> ..."> o d10 tionw funcag tllag