diff --git a/language/context/ssl.xml b/language/context/ssl.xml
index ef5ac318521d..8b838026d945 100644
--- a/language/context/ssl.xml
+++ b/language/context/ssl.xml
@@ -9,276 +9,344 @@
&reftitle.description;
-
+
Context options for ssl:// and tls://
transports.
-
+
&reftitle.options;
-
-
-
-
- peer_name
- string
-
-
-
- Peer name to be used. If this value is not set, then the name is guessed
- based on the hostname used when opening the stream.
-
-
-
-
-
- verify_peer
- bool
-
-
-
- Require verification of SSL certificate used.
-
-
- Defaults to &true;.
-
-
-
-
-
- verify_peer_name
- bool
-
-
-
- Require verification of peer name.
-
-
- Defaults to &true;.
-
-
-
-
-
- allow_self_signed
- bool
-
-
-
- Allow self-signed certificates. Requires
- verify_peer.
-
-
- Defaults to &false;
-
-
-
-
-
- cafile
- string
-
-
-
- Location of Certificate Authority file on local filesystem
- which should be used with the verify_peer
- context option to authenticate the identity of the remote peer.
-
-
-
-
-
- capath
- string
-
-
-
- If cafile is not specified or if the certificate
- is not found there, the directory pointed to by capath
- is searched for a suitable certificate. capath
- must be a correctly hashed certificate directory.
-
-
-
-
-
- local_cert
- string
-
-
-
- Path to local certificate file on filesystem. It must be a
- PEM encoded file which contains your certificate and
- private key. It can optionally contain the certificate chain of issuers.
- The private key also may be contained in a separate file specified
- by local_pk.
-
-
-
-
-
- local_pk
- string
-
-
-
- Path to local private key file on filesystem in case of separate
- files for certificate (local_cert) and private key.
-
-
-
-
-
- passphrase
- string
-
-
-
- Passphrase with which your local_cert file
- was encoded.
-
-
-
-
-
- verify_depth
- int
-
-
-
- Abort if the certificate chain is too deep.
-
-
- Defaults to no verification.
-
-
-
-
-
- ciphers
- string
-
-
-
- Sets the list of available ciphers. The format of the string is described
- in ciphers(1).
-
-
- Defaults to DEFAULT.
-
-
-
-
-
- capture_peer_cert
- bool
-
-
-
- If set to &true; a peer_certificate context option
- will be created containing the peer certificate.
-
-
-
-
-
- capture_peer_cert_chain
- bool
-
-
-
- If set to &true; a peer_certificate_chain context
- option will be created containing the certificate chain.
-
-
-
-
-
- SNI_enabled
- bool
-
-
-
- If set to &true; server name indication will be enabled. Enabling SNI
- allows multiple certificates on the same IP address.
-
-
-
-
-
- disable_compression
- bool
-
-
-
- If set, disable TLS compression. This can help mitigate the CRIME attack
- vector.
-
-
-
-
-
- peer_fingerprint
- string | array
-
-
-
- Aborts when the remote certificate digest doesn't match the specified
- hash.
-
-
- When a string is used, the length will determine which hashing algorithm
- is applied, either "md5" (32) or "sha1" (40).
-
-
- When an array is used, the keys indicate the hashing algorithm name
- and each corresponding value is the expected digest.
-
-
-
-
-
- security_level
- int
-
-
-
- Sets the security level. If not specified the library default security level is used.
- The security levels are described in
- SSL_CTX_get_security_level(3).
-
-
- Available as of PHP 7.2.0 and OpenSSL 1.1.0.
-
-
-
-
-
+
+
+
+ peer_name
+ string
+
+
+
+ Peer name to be used. If this value is not set, then the name is guessed
+ based on the hostname used when opening the stream.
+
+
+
+
+
+ verify_peer
+ bool
+
+
+
+ Require verification of SSL certificate used.
+
+
+ Defaults to &true;.
+
+
+
+
+
+ verify_peer_name
+ bool
+
+
+
+ Require verification of peer name.
+
+
+ Defaults to &true;.
+
+
+
+
+
+ allow_self_signed
+ bool
+
+
+
+ Allow self-signed certificates. Requires
+ verify_peer.
+
+
+ Defaults to &false;
+
+
+
+
+
+ cafile
+ string
+
+
+
+ Location of Certificate Authority file on local filesystem
+ which should be used with the verify_peer
+ context option to authenticate the identity of the remote peer.
+
+
+
+
+
+ capath
+ string
+
+
+
+ If cafile is not specified or if the certificate
+ is not found there, the directory pointed to by capath
+ is searched for a suitable certificate. capath
+ must be a correctly hashed certificate directory.
+
+
+
+
+
+ local_cert
+ string
+
+
+
+ Path to local certificate file on filesystem. It must be a
+ PEM encoded file which contains your certificate and
+ private key. It can optionally contain the certificate chain of issuers.
+ The private key also may be contained in a separate file specified
+ by local_pk.
+
+
+
+
+
+ local_pk
+ string
+
+
+
+ Path to local private key file on filesystem in case of separate
+ files for certificate (local_cert) and private key.
+
+
+
+
+
+ passphrase
+ string
+
+
+
+ Passphrase with which your local_cert file
+ was encoded.
+
+
+
+
+
+ verify_depth
+ int
+
+
+
+ Abort if the certificate chain is too deep.
+
+
+ Defaults to no verification.
+
+
+
+
+
+ ciphers
+ string
+
+
+
+ Sets the list of available ciphers. The format of the string is described
+ in ciphers(1).
+
+
+ Defaults to DEFAULT.
+
+
+
+
+
+ capture_peer_cert
+ bool
+
+
+
+ If set to &true; a peer_certificate context option
+ will be created containing the peer certificate.
+
+
+
+
+
+ capture_peer_cert_chain
+ bool
+
+
+
+ If set to &true; a peer_certificate_chain context
+ option will be created containing the certificate chain.
+
+
+
+
+
+ SNI_enabled
+ bool
+
+
+
+ If set to &true; server name indication will be enabled. Enabling SNI
+ allows multiple certificates on the same IP address.
+
+
+
+
+
+ SNI_server_certs
+ array
+
+
+
+ An array of server names and their corresponding certificates to be used
+ for SNI. The keys are the server names and the values are the paths to
+ the certificate files on the local filesystem. The certificate files must
+ be PEM encoded and contain both the certificate and private key.
+
+
+
+
+
+ alpn_protocols
+ array
+
+
+
+ An array of application layer protocol names to be used for ALPN (Application-Layer Protocol Negotiation).
+ The values are the protocol names as strings (e.g. "http/1.1", "h2").
+
+
+ Available as of PHP 7.0.0 and OpenSSL 1.0.2.
+
+
+
+
+
+ no_ticket
+ bool
+
+
+
+ If set, disable TLS session tickets. This can help to enhance security by providing Perfect Forward Secrecy (PFS).
+
+
+
+
+
+ disable_compression
+ bool
+
+
+
+ If set, disable TLS compression. This can help mitigate the CRIME attack
+ vector.
+
+
+
+
+
+ peer_fingerprint
+ string | array
+
+
+
+ Aborts when the remote certificate digest doesn't match the specified
+ hash.
+
+
+ When a string is used, the length will determine which hashing algorithm
+ is applied, either "md5" (32) or "sha1" (40).
+
+
+ When an array is used, the keys indicate the hashing algorithm name
+ and each corresponding value is the expected digest.
+
+
+
+
+
+ security_level
+ int
+
+
+
+ Sets the security level. If not specified the library default security level is used.
+ The security levels are described in
+ SSL_CTX_get_security_level(3).
+
+
+ Available as of PHP 7.2.0 and OpenSSL 1.1.0.
+
+
+
+
+
+ min_proto_version
+ int
+
+
+
+ Sets the minimum protocol version allowed. If not specified the library default
+ minimum protocol version is used. The protocol versions are described in
+ SSL_CTX_set_min_proto_version(3).
+
+
+ Available as of PHP 7.3.0 and OpenSSL 1.1.1.
+
+
+
+
+
+ max_proto_version
+ int
+
+
+
+ Sets the maximum protocol version allowed. If not specified the library default
+ maximum protocol version is used. The protocol versions are described in
+ SSL_CTX_set_min_proto_version(3).
+
+
+ Available as of PHP 7.3.0 and OpenSSL 1.1.1.
+
+
+
+
&reftitle.changelog;
-
-
-
-
-
- &Version;
- &Description;
-
-
-
-
- 7.2.0
-
- Added security_level. Requires OpenSSL >= 1.1.0.
-
-
-
-
-
-
+
+
+
+
+ &Version;
+ &Description;
+
+
+
+
+ 7.2.0
+
+ Added security_level. Requires OpenSSL >= 1.1.0.
+
+
+
+
+
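Review bot: The added `no_ticket` entry says that disabling session tickets provides Perfect Forward Secrecy, which overstates the effect. Forward secrecy comes from the ephemeral key exchange; turning tickets off only removes the server's ticket-encryption key as something whose later compromise could expose resumed sessions. I would reword it to `If set, disable TLS session tickets, so that forward secrecy does not depend on the server's ticket key staying secret.` The `alpn_protocols` entry is typed `array`, while as far as I know the stream wrapper reads this option as a comma-separated string, so the type and the example values should be checked against the implementation. The changelog table at the end of this hunk still lists only `security_level`, although the new entries state availability as of 7.0.0 and 7.3.0.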
@@ -304,11 +372,9 @@
&reftitle.seealso;
-
-
-
-
-
+
+
+
diff --git a/reference/openssl/functions/openssl-x509-verify.xml b/reference/openssl/functions/openssl-x509-verify.xml
index 777de52c1b8a..cc084e6a7e4f 100644
--- a/reference/openssl/functions/openssl-x509-verify.xml
+++ b/reference/openssl/functions/openssl-x509-verify.xml
@@ -97,7 +97,7 @@ $ssloptions = array(
"CN_match" => $hostname,
"verify_peer" => true,
"SNI_enabled" => true,
- "SNI_server_name" => $hostname,
+ "peer_name" => $hostname,
);
$ctx = stream_context_create( array("ssl" => $ssloptions) );
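Review bot: The example still passes `"CN_match" => $hostname` on the context line just above the changed one. As far as I know that option was deprecated together with `SNI_server_name` in favour of `peer_name`, so after this change it is redundant at best and suggests to readers that it still takes part in hostname verification. I would drop that line and add a short comment such as `// peer_name is matched against the certificate; verify_peer_name defaults to true`. The `$ssloptions` array opens outside the hunk, so any earlier keys are not visible here.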