From 943101fe71a115c4d3e709f95daabe24d4d8717a Mon Sep 17 00:00:00 2001 From: Jordi Kroon Date: Fri, 6 Mar 2026 23:49:54 +0100 Subject: [PATCH 1/3] use simpara --- language/context/ssl.xml | 524 +++++++++--------- .../openssl/functions/openssl-x509-verify.xml | 2 +- 2 files changed, 260 insertions(+), 266 deletions(-) diff --git a/language/context/ssl.xml b/language/context/ssl.xml index ef5ac318521d..c80725726430 100644 --- a/language/context/ssl.xml +++ b/language/context/ssl.xml 
@@ -9,276 +9,272 @@ &reftitle.description; - + Context options for ssl:// and tls:// transports. - + &reftitle.options; - - - - - peer_name - string - - - - Peer name to be used. If this value is not set, then the name is guessed - based on the hostname used when opening the stream. - - - - - - verify_peer - bool - - - - Require verification of SSL certificate used. - - - Defaults to &true;. - - - - - - verify_peer_name - bool - - - - Require verification of peer name. - - - Defaults to &true;. - - - - - - allow_self_signed - bool - - - - Allow self-signed certificates. Requires - verify_peer. - - - Defaults to &false; - - - - - - cafile - string - - - - Location of Certificate Authority file on local filesystem - which should be used with the verify_peer - context option to authenticate the identity of the remote peer. - - - - - - capath - string - - - - If cafile is not specified or if the certificate - is not found there, the directory pointed to by capath - is searched for a suitable certificate. capath - must be a correctly hashed certificate directory. - - - - - - local_cert - string - - - - Path to local certificate file on filesystem. It must be a - PEM encoded file which contains your certificate and - private key. It can optionally contain the certificate chain of issuers. - The private key also may be contained in a separate file specified - by local_pk. - - - - - - local_pk - string - - - - Path to local private key file on filesystem in case of separate - files for certificate (local_cert) and private key. - - - - - - passphrase - string - - - - Passphrase with which your local_cert file - was encoded. - - - - - - verify_depth - int - - - - Abort if the certificate chain is too deep. - - - Defaults to no verification. - - - - - - ciphers - string - - - - Sets the list of available ciphers. The format of the string is described - in ciphers(1). - - - Defaults to DEFAULT. 
- - - - - - capture_peer_cert - bool - - - - If set to &true; a peer_certificate context option - will be created containing the peer certificate. - - - - - - capture_peer_cert_chain - bool - - - - If set to &true; a peer_certificate_chain context - option will be created containing the certificate chain. - - - - - - SNI_enabled - bool - - - - If set to &true; server name indication will be enabled. Enabling SNI - allows multiple certificates on the same IP address. - - - - - - disable_compression - bool - - - - If set, disable TLS compression. This can help mitigate the CRIME attack - vector. - - - - - - peer_fingerprint - string | array - - - - Aborts when the remote certificate digest doesn't match the specified - hash. - - - When a string is used, the length will determine which hashing algorithm - is applied, either "md5" (32) or "sha1" (40). - - - When an array is used, the keys indicate the hashing algorithm name - and each corresponding value is the expected digest. - - - - - - security_level - int - - - - Sets the security level. If not specified the library default security level is used. - The security levels are described in - SSL_CTX_get_security_level(3). - - - Available as of PHP 7.2.0 and OpenSSL 1.1.0. - - - - - + + + + peer_name + string + + + + Peer name to be used. If this value is not set, then the name is guessed + based on the hostname used when opening the stream. + + + + + + verify_peer + bool + + + + Require verification of SSL certificate used. + + + Defaults to &true;. + + + + + + verify_peer_name + bool + + + + Require verification of peer name. + + + Defaults to &true;. + + + + + + allow_self_signed + bool + + + + Allow self-signed certificates. Requires + verify_peer. + + + Defaults to &false; + + + + + + cafile + string + + + + Location of Certificate Authority file on local filesystem + which should be used with the verify_peer + context option to authenticate the identity of the remote peer. 
+ + + + + + capath + string + + + + If cafile is not specified or if the certificate + is not found there, the directory pointed to by capath + is searched for a suitable certificate. capath + must be a correctly hashed certificate directory. + + + + + + local_cert + string + + + + Path to local certificate file on filesystem. It must be a + PEM encoded file which contains your certificate and + private key. It can optionally contain the certificate chain of issuers. + The private key also may be contained in a separate file specified + by local_pk. + + + + + + local_pk + string + + + + Path to local private key file on filesystem in case of separate + files for certificate (local_cert) and private key. + + + + + + passphrase + string + + + + Passphrase with which your local_cert file + was encoded. + + + + + + verify_depth + int + + + + Abort if the certificate chain is too deep. + + + Defaults to no verification. + + + + + + ciphers + string + + + + Sets the list of available ciphers. The format of the string is described + in ciphers(1). + + + Defaults to DEFAULT. + + + + + + capture_peer_cert + bool + + + + If set to &true; a peer_certificate context option + will be created containing the peer certificate. + + + + + + capture_peer_cert_chain + bool + + + + If set to &true; a peer_certificate_chain context + option will be created containing the certificate chain. + + + + + + SNI_enabled + bool + + + + If set to &true; server name indication will be enabled. Enabling SNI + allows multiple certificates on the same IP address. + + + + + + disable_compression + bool + + + + If set, disable TLS compression. This can help mitigate the CRIME attack + vector. + + + + + + peer_fingerprint + string | array + + + + Aborts when the remote certificate digest doesn't match the specified + hash. + + + When a string is used, the length will determine which hashing algorithm + is applied, either "md5" (32) or "sha1" (40). 
+ + + When an array is used, the keys indicate the hashing algorithm name + and each corresponding value is the expected digest. + + + + + + security_level + int + + + + Sets the security level. If not specified the library default security level is used. + The security levels are described in + SSL_CTX_get_security_level(3). + + + Available as of PHP 7.2.0 and OpenSSL 1.1.0. + + + + &reftitle.changelog; - - - - - - &Version; - &Description; - - - - - 7.2.0 - - Added security_level. Requires OpenSSL >= 1.1.0. - - - - - - + + + + + &Version; + &Description; + + + + + 7.2.0 + + Added security_level. Requires OpenSSL >= 1.1.0. + + + + + @@ -304,11 +300,9 @@ &reftitle.seealso; - - - - - + + + diff --git a/reference/openssl/functions/openssl-x509-verify.xml b/reference/openssl/functions/openssl-x509-verify.xml index 777de52c1b8a..cc084e6a7e4f 100644 --- a/reference/openssl/functions/openssl-x509-verify.xml +++ b/reference/openssl/functions/openssl-x509-verify.xml @@ -97,7 +97,7 @@ $ssloptions = array( "CN_match" => $hostname, "verify_peer" => true, "SNI_enabled" => true, - "SNI_server_name" => $hostname, + "peer_name" => $hostname, ); $ctx = stream_context_create( array("ssl" => $ssloptions) ); From c4b49a86de39a6f867eb8a76575ae9a0934f179e Mon Sep 17 00:00:00 2001 From: Jordi Kroon Date: Sat, 7 Mar 2026 00:14:09 +0100 Subject: [PATCH 2/3] document missing SSL context options --- language/context/ssl.xml | 69 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/language/context/ssl.xml b/language/context/ssl.xml index c80725726430..2d4275463373 100644 --- a/language/context/ssl.xml +++ b/language/context/ssl.xml 
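Review bot: The peer_fingerprint entry on the new side still describes only the string form's "md5" (32) and "sha1" (40) digests and gives no guidance on which algorithm to pin with; both are weak choices for certificate pinning, and as far as I can tell the array form accepts stronger digest names such as sha256 — confirm against the stream wrapper implementation before stating it. I would add a simpara after the array sentence along the lines of `Prefer the array form with a strong digest such as sha256; MD5 and SHA-1 fingerprints should not be relied on for pinning.` This is a pre-existing gap rather than a regression, since the hunk is otherwise a para-to-simpara restructuring; the options list continues past the hunk.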
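Review bot: The example still sets `"CN_match" => $hostname` two lines above the new `"peer_name" => $hostname`, so after this change both the old and the new key carry the host name; as I recall, CN_match is the option that peer_name superseded in the same migration that retired SNI_server_name, and it is not among the ssl:// options documented in language/context/ssl.xml in this series. I would drop the CN_match line as well, otherwise the example teaches readers to keep a key the options page no longer describes; if it is kept deliberately for older PHP versions, a short comment in the example saying so would help. The $ssloptions array starts before the hunk.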
@@ -204,6 +204,43 @@ + + + SNI_server_certs + array + + + + An array of server names and their corresponding certificates to be used + for SNI. The keys are the server names and the values are the paths to + the certificate files on the local filesystem. The certificate files must + be PEM encoded and contain both the certificate and private key. + + + + + + alpn_protocols + array + + + + An array of application layer protocol names to be used for ALPN (Application-Layer Protocol Negotiation). + The values are the protocol names as strings (e.g. "http/1.1", "h2"). + + + + + + no_ticket + bool + + + + If set, disable TLS session tickets. This can help to enhance security by providing Perfect Forward Secrecy (PFS). + + + disable_compression @@ -252,6 +289,38 @@ + + + min_proto_version + int + + + + Sets the minimum protocol version allowed. If not specified the library default + minimum protocol version is used. The protocol versions are described in + SSL_CTX_set_min_proto_version(3). + + + Available as of PHP 8.0.0 and OpenSSL 1.1.1. + + + + + + max_proto_version + int + + + + Sets the maximum protocol version allowed. If not specified the library default + maximum protocol version is used. The protocol versions are described in + SSL_CTX_set_min_proto_version(3). + + + Available as of PHP 8.0.0 and OpenSSL 1.1.1. + + + From 8151b5115143067f12d35af285b315e035efa774 Mon Sep 17 00:00:00 2001 From: Jordi Kroon Date: Mon, 9 Mar 2026 19:53:51 +0100 Subject: [PATCH 3/3] use correct versions in changelog --- language/context/ssl.xml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/language/context/ssl.xml b/language/context/ssl.xml index 2d4275463373..8b838026d945 100644 --- a/language/context/ssl.xml +++ b/language/context/ssl.xml 
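Review bot: The alpn_protocols entry documents the option as an array, but as far as I recall the stream wrapper parses it as a comma-separated string (e.g. `"h2,http/1.1"`), so the type line and the example values should be checked against the implementation before merging. The no_ticket text also overstates what the option does: disabling session tickets does not "provide" forward secrecy; the concern is that a long-lived ticket-encryption key on the server can undermine forward secrecy for resumed sessions, so I would reword it to something like `If set, disable TLS session tickets. Tickets are protected by a server-side key; if that key is kept for a long time it weakens forward secrecy for resumed sessions.` The SNI_server_certs entry should say that it applies to server-side streams (SNI_enabled is the client-side counterpart), and I believe the values may also be given as an array with local_cert and local_pk keys rather than only a path — worth confirming. Neither SNI_server_certs nor no_ticket gets an "Available as of" line like the neighbouring entries.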
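Review bot: The min_proto_version and max_proto_version entries never say which integer values the option accepts (OpenSSL's TLS1_x_VERSION numbers or the PHP STREAM_CRYPTO_PROTO_* constants), so a reader cannot use them from this page alone; the accepted constants should be named in the text once confirmed against the implementation. In max_proto_version the reference should read `SSL_CTX_set_max_proto_version(3)` rather than the min function (same manual page, but the name should match the option). A sentence that min_proto_version is the knob for refusing TLS 1.0 and 1.1 would make the hardening purpose concrete. The &reftitle.changelog; table earlier in this file still has only the 7.2.0 security_level row; the options added here (7.3.0 per the follow-up patch) and alpn_protocols (7.0.0) should get rows there as well.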
@@ -228,6 +228,9 @@ An array of application layer protocol names to be used for ALPN (Application-Layer Protocol Negotiation). The values are the protocol names as strings (e.g. "http/1.1", "h2"). + + Available as of PHP 7.0.0 and OpenSSL 1.0.2. + @@ -301,7 +304,7 @@ SSL_CTX_set_min_proto_version(3). - Available as of PHP 8.0.0 and OpenSSL 1.1.1. + Available as of PHP 7.3.0 and OpenSSL 1.1.1. @@ -317,7 +320,7 @@ SSL_CTX_set_min_proto_version(3). - Available as of PHP 8.0.0 and OpenSSL 1.1.1. + Available as of PHP 7.3.0 and OpenSSL 1.1.1.