Add encrypted server SNI support

Programming / Compilers / PHP - Daniel Lowrey [php.net] - 5 March 2014 11:03 UTC

- New "SNI_server_certs" context option maps host names to appropriate certs should client handshakes advertise the SNI extension:

    $ctx = stream_context_create(["ssl" => [
        "local_cert" => "/path/to/cert.pem",
        "SNI_server_certs" => [
            "domain1.com"   => "/path/to/domain1.pem",
            "*.domain2.com" => "/path/to/domain2.pem",
            "domain3.com"   => "/path/to/domain3.pem"
        ]
    ]]);

- Prefixing a "*." will utilize the matching cert if a client requests the primary host name or any subdomain thereof. So in the above example our "domain2.pem" will be used for both requests to "domain2.com" -and- "subdomain.domain2.com".

- The "SNI_server_certs" ctx option has no effect for client streams.

- SNI support is enabled by default as of 5.6 for both servers and clients. Servers must specify the "SNI_server_certs" array to actually use the SNI extension, though.

- If the `"SNI_enabled" => false` ctx option is also passed then "SNI_server_certs" has no effect.

- While supporting SNI by itself is enough to successfully negotiate the TLS handshake with many clients, servers MUST still specify a "local_cert" ctx option or run the risk of connection failures from clients that do not support the SNI extension.

fad14e3 Add encrypted server SNI support
ext/openssl/tests/sni_server.phpt | 60 ++++++++++++
ext/openssl/tests/sni_server_ca.pem | 63 +++++++++++++
ext/openssl/tests/sni_server_domain1.pem | 82 +++++++++++++++++
ext/openssl/tests/sni_server_domain2.pem | 82 +++++++++++++++++
ext/openssl/tests/sni_server_domain3.pem | 82 +++++++++++++++++
ext/openssl/xp_ssl.c | 147 ++++++++++++++++++++++++++++++
6 files changed, 516 insertions(+)

Upstream: github.com
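As an added illustration (not code from the page, the commit, or PHP's ext/openssl), the script below re-implements the host-to-certificate selection rule the commit message describes, so an operator can check what a given "ssl" context would serve before deploying it: an exact entry matches its host name, a "*."-prefixed entry covers the bare host name and any subdomain of it, a client that sends no SNI name (or a context with "SNI_enabled" => false) gets "local_cert", and the accompanying check flags a context that lacks "local_cert". Case-insensitive comparison, trimming a trailing dot, and preferring an exact entry over a wildcard entry are assumptions of this example, not behaviour documented on the page; the function names `sni_select_cert` and `sni_check_context` and the sample host names are constructed here.

```php
<?php
// Added example: mirrors the matching rule described in the commit message.
// It is NOT the logic in ext/openssl/xp_ssl.c; it only reasons about a config.
// Assumptions: case-insensitive host comparison, exact entries win over wildcards.

/** Return the cert path the described rule would pick for a client's SNI name. */
function sni_select_cert(array $sslContext, $sniHost)
{
    // Clients without SNI fall back to local_cert; this is why it is mandatory.
    $fallback = isset($sslContext['local_cert']) ? $sslContext['local_cert'] : null;
    if ($sniHost === null || $sniHost === '') {
        return $fallback;
    }
    // "SNI_enabled" => false makes SNI_server_certs a no-op.
    if (isset($sslContext['SNI_enabled']) && $sslContext['SNI_enabled'] === false) {
        return $fallback;
    }
    $map  = isset($sslContext['SNI_server_certs']) ? $sslContext['SNI_server_certs'] : array();
    $host = strtolower(rtrim($sniHost, '.'));

    // Pass 1 (assumption): an exact entry takes precedence over a wildcard entry.
    foreach ($map as $pattern => $certPath) {
        if (strtolower($pattern) === $host) {
            return $certPath;
        }
    }
    // Pass 2: "*.base" serves "base" itself and any subdomain "x.base".
    foreach ($map as $pattern => $certPath) {
        if (strncmp($pattern, '*.', 2) !== 0) {
            continue;
        }
        $base   = strtolower(substr($pattern, 2));
        $suffix = '.' . $base;
        if ($host === $base || substr($host, -strlen($suffix)) === $suffix) {
            return $certPath;
        }
    }
    return $fallback;
}

/** Sanity checks on an "ssl" context array; returns a list of warnings. */
function sni_check_context(array $sslContext)
{
    $warnings = array();
    if (empty($sslContext['local_cert'])) {
        $warnings[] = 'no local_cert: clients that do not send SNI will fail to connect';
    }
    if (isset($sslContext['SNI_enabled']) && $sslContext['SNI_enabled'] === false
        && !empty($sslContext['SNI_server_certs'])) {
        $warnings[] = 'SNI_enabled is false, so SNI_server_certs has no effect';
    }
    if (!empty($sslContext['SNI_server_certs'])) {
        foreach ($sslContext['SNI_server_certs'] as $pattern => $certPath) {
            if (!is_readable($certPath)) {
                $warnings[] = "cert for '$pattern' is not readable: $certPath";
            }
        }
    }
    return $warnings;
}

// Constructed sample configuration, same shape as the one in the commit message.
$ctx = array(
    'local_cert'       => '/path/to/cert.pem',
    'SNI_server_certs' => array(
        'domain1.com'   => '/path/to/domain1.pem',
        '*.domain2.com' => '/path/to/domain2.pem',
        'domain3.com'   => '/path/to/domain3.pem',
    ),
);

foreach (sni_check_context($ctx) as $w) {
    echo "warning: $w\n";
}
$probes = array('domain1.com', 'domain2.com', 'subdomain.domain2.com', 'Domain3.com.', 'other.example', null);
foreach ($probes as $name) {
    $chosen = sni_select_cert($ctx, $name);
    printf("%-24s -> %s\n", $name === null ? '(no SNI)' : $name, $chosen === null ? '(none)' : $chosen);
}
```

Running this against the sample context prints the domain-specific PEM for the three configured hosts and for the subdomain of domain2.com, and "/path/to/cert.pem" for an unconfigured host and for a client that sends no SNI name; the readability warnings fire because the placeholder paths do not exist. Feed it the real array you pass to stream_context_create() to confirm each published host name resolves to the certificate you expect.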
