"capture_peer_cert" and "capture_peer_cert_chain"
If true, the peer certificate and peer certificate chain respectively will be
captured and made available in the ssl context variables "peer_certificate" and
"peer_certificate_chain" respectively. The certificates are exposed as x509
certificate resources and can be inspected using the existing openssl extension
functions.
This allows applications to perform extended validation.
of a file that will be filled with the verified data, but with the signature
information stripped.
Patch by Marton Kenyeres, mkenyeres (at) konvergencia dot hu
Allow for non-blocking negotiation when calling stream_socket_enable_crypto().
That function will return the foolowing values:
false - negotiation failed
0 - try again when more data is available (only for non-blocking sockets)
true - ssl was enabled
We avoid the problem by using poll(2).
On systems without poll(2) (older bsd-ish systems, and win32), we emulate
poll(2) using select(2) and check for valid descriptors before attempting
to access them via the descriptor sets.
If an out-of-range descriptor is detected, an E_WARNING is raised suggesting
that PHP should be recompiled with a larger FD_SETSIZE (and also with a
suggested value).
Most uses of select(2) in the source are to poll a single descriptor, so
a couple of handy wrapper functions have been added to make this easier.
A configure option --enable-fd-setsize has been added to both the unix and
win32 builds; on unix we default to 16384 and on windows we default to 256.
Windows FD_SETSIZE imposes a limit on the maximum number of descriptors that
can be select()ed at once, whereas the unix FD_SETSIZE limit is based on the
highest numbered descriptor; 256 should be plenty for PHP scripts under windows
(the default OS setting is 64).
The win32 specific parts are untested; will do that now.
enable SSL on the accepted socket.
- Add cipher list context option
- Add helpful hint about why SSL server socket fails with mysterious
error (eg: you need an SSL certificate for most ciphers).
algorithm to use. (Patch by Scott <scott@planetscott.ca>)
@- Added optional parameter to openssl_sign() to specify the hashing
@ algorithm to use. (scott@planetscott.ca, Derick)
. stream_socket_client() - similar to fsockopen(), but more powerful.
. stream_socket_server() - Creates a server socket.
. stream_socket_accept() - Accept a client connection.
. stream_socket_get_name() - Get local or remote name of socket.
Tidy up some leaks and debug printfs.
Move more streams functions into streamsfuncs.c and streamsfuncs.h.
Main Changes:
- Implement a socket transport layer for use by all code that needs to open
some kind of "special" socket for network or IPC.
- Extensions can register (and override) transports.
- Implement ftruncate() on streams via the ioctl-alike option interface.
- Implement mmap() on streams via the ioctl-alike option interface.
- Implement generic crypto API via the ioctl-alike option interface.
(currently only supports OpenSSL, but could support other SSL toolkits,
and other crypto transport protocols).
Impact:
- tcp sockets can be overloaded by the openssl capable sockets at runtime,
removing the link-time requirement for ssl:// and https:// sockets and
streams.
- checking stream types using PHP_STREAM_IS_SOCKET is deprecated, since
there are now a range of possible socket-type streams.
Working towards:
- socket servers using the new transport layer
- mmap support under win32
- Cleaner code.
# I will be updating the win32 build to add the new files shortly
# after this commit.
cipher. The cipher can be one of the constants listed below.
Based on a patch from:
stefan at cuba dot ionum dot ch
OPENSSL_CIPHER_RC2_40, (the default)
OPENSSL_CIPHER_RC2_128,
OPENSSL_CIPHER_RC2_64,
OPENSSL_CIPHER_DES,
OPENSSL_CIPHER_3DES,
proto bool openssl_pkcs7_encrypt(string infile, string outfile,
mixed recipcerts, array headers [, long flags [, long cipher]])
