mirror of
https://github.com/php/php-src.git
synced 2024-09-26 20:37:29 +00:00
fad14e3180
- New "SNI_server_certs" context option maps host names to appropriate certs should client handshakes advertise the SNI extension: $ctx = stream_context_create(["ssl" => [ "local_cert" => "/path/to/cert.pem", "SNI_server_certs" => [ "domain1.com" => "/path/to/domain1.pem", "*.domain2.com" => "/path/to/domain2.pem", "domain3.com" => "/path/to/domain3.pem" ] ]]); - Prefixing a "*." will utilize the matching cert if a client requests the primary host name or any subdomain thereof. So in the above example our "domain2.pem" will be used for both requests to "domain2.com" -and- "subdomain.domain2.com" - The "SNI_server_certs" ctx option has no effect for client streams. - SNI support is enabled by default as of 5.6 for both servers and clients. Servers must specify the "SNI_server_certs" array to actually use the SNI extension, though. - If the `"SNI_enabled" => false` ctx option is also passed then "SNI_server_certs" has no effect. - While supporting SNI by itself is enough to successfully negotiate the TLS handshake with many clients, servers MUST still specify a "local_cert" ctx option or run the risk of connection failures from clients that do not support the SNI extension.
61 lines
2.0 KiB
PHP
61 lines
2.0 KiB
PHP
--TEST--
|
|
sni_server
|
|
--SKIPIF--
|
|
<?php
|
|
if (!extension_loaded("openssl")) die("skip openssl not loaded");
|
|
--FILE--
|
|
<?php
|
|
$serverCode = <<<'CODE'
|
|
$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
|
|
$ctx = stream_context_create(['ssl' => [
|
|
'local_cert' => __DIR__ . '/domain1.pem',
|
|
'SNI_server_certs' => [
|
|
"domain1.com" => __DIR__ . "/sni_server_domain1.pem",
|
|
"domain2.com" => __DIR__ . "/sni_server_domain2.pem",
|
|
"domain3.com" => __DIR__ . "/sni_server_domain3.pem"
|
|
]
|
|
]]);
|
|
|
|
$server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
|
|
phpt_notify();
|
|
|
|
for ($i=0; $i < 3; $i++) {
|
|
@stream_socket_accept($server, 3);
|
|
}
|
|
CODE;
|
|
|
|
$clientCode = <<<'CODE'
|
|
$flags = STREAM_CLIENT_CONNECT;
|
|
$ctxArr = [
|
|
'cafile' => __DIR__ . '/sni_server_ca.pem',
|
|
'capture_peer_cert' => true
|
|
];
|
|
|
|
phpt_wait();
|
|
|
|
$ctxArr['peer_name'] = 'domain1.com';
|
|
$ctx = stream_context_create(['ssl' => $ctxArr]);
|
|
$client = stream_socket_client("tls://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
|
|
$cert = stream_context_get_options($ctx)['ssl']['peer_certificate'];
|
|
var_dump(openssl_x509_parse($cert)['subject']['CN']);
|
|
|
|
$ctxArr['peer_name'] = 'domain2.com';
|
|
$ctx = stream_context_create(['ssl' => $ctxArr]);
|
|
$client = @stream_socket_client("tls://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
|
|
$cert = stream_context_get_options($ctx)['ssl']['peer_certificate'];
|
|
var_dump(openssl_x509_parse($cert)['subject']['CN']);
|
|
|
|
$ctxArr['peer_name'] = 'domain3.com';
|
|
$ctx = stream_context_create(['ssl' => $ctxArr]);
|
|
$client = @stream_socket_client("tls://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
|
|
$cert = stream_context_get_options($ctx)['ssl']['peer_certificate'];
|
|
var_dump(openssl_x509_parse($cert)['subject']['CN']);
|
|
CODE;
|
|
|
|
include 'ServerClientTestCase.inc';
|
|
ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
|
|
--EXPECTF--
|
|
string(%d) "domain1.com"
|
|
string(%d) "domain2.com"
|
|
string(%d) "domain3.com"
|