PHP SSL context options


Introduction

List of Context options for ssl:// and tls:// transports.

peer_name: Peer name to be used. If this value is not set, then the name is guessed based on the hostname used when opening the stream.
verify_peer: Require verification of SSL certificate used. Defaults to TRUE.
verify_peer_name: Require verification of peer name. Defaults to TRUE.
allow_self_signed: Allow self-signed certificates. Requires verify_peer. Defaults to FALSE.
cafile: Location of Certificate Authority file on local filesystem to be used to authenticate identity of remote peer.
capath: Directory searched for a suitable certificate if cafile is not specified or the certificate is not found there. Must be a correctly hashed certificate directory.
local_cert: Path to local certificate file on filesystem.
local_pk: Path to local private key file on filesystem in case of separate files for certificate and private key.
passphrase: Passphrase with which your local_cert file was encoded.
CN_match: Common Name we are expecting. If the Common Name does not match, connection attempt will fail.
verify_depth: Abort if the certificate chain is too deep.
ciphers: Sets the list of available ciphers. The format of the string is described in ciphers(1).
capture_peer_cert: If set to TRUE, a peer_certificate context option will be created containing the peer certificate.
capture_peer_cert_chain: If set to TRUE, a peer_certificate_chain context option will be created containing the certificate chain.
SNI_enabled: If set to TRUE, server name indication will be enabled.
SNI_server_name: If set, this value will be used as server name for server name indication. Otherwise server name is guessed based on the hostname used
disable_compression: If set, disable TLS compression.
peer_fingerprint: Aborts when the remote certificate digest doesn't match the specified hash.
security_level: Sets the security level. If not specified, the default security level is used. Available as of PHP 7.2.0 and OpenSSL 1.1.0.

Example

This example shows SSL context settings.

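<?php
$stream_context = stream_context_create([ 'ssl' => [
   // Local certificate file (PEM)
   'local_cert' => '/path/to/key.pem',
   // Pin the peer: the handshake aborts unless the remote certificate digest matches
   'peer_fingerprint' => openssl_x509_fingerprint(file_get_contents('/path/to/key.crt')),
   // CA chain and peer name checks are switched off, so the fingerprint
   // above is the only check made on the remote certificate
   'verify_peer' => false,
   'verify_peer_name' => false,
   'allow_self_signed' => true,
   'verify_depth' => 0 ]]);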
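
As an added example (not part of the original article), the hypothetical helper audit_ssl_options() below reads the ssl options back from a context and reports weak settings. It is run over the settings shown above and over a variant that keeps CA and peer name verification on and pins with SHA-256. The path, peer name and digests are constructed placeholders.

```php
<?php
// Added example: audit_ssl_options() is a hypothetical helper, not a PHP built-in.
function audit_ssl_options($context): array
{
    $ssl = stream_context_get_options($context)['ssl'] ?? [];
    $pinned = isset($ssl['peer_fingerprint']);
    $findings = [];
    // verify_peer and verify_peer_name default to TRUE, so only an explicit off is flagged.
    if (!($ssl['verify_peer'] ?? true)) {
        $findings[] = $pinned
            ? 'verify_peer off: peer_fingerprint is the only check on the peer'
            : 'verify_peer off, no peer_fingerprint: peer is not authenticated';
    }
    if (!($ssl['verify_peer_name'] ?? true) && !$pinned) {
        $findings[] = 'verify_peer_name off: certificate name is not matched to the host';
    }
    if (($ssl['allow_self_signed'] ?? false) && !$pinned) {
        $findings[] = 'allow_self_signed on without a pinned fingerprint';
    }
    // A string fingerprint is compared as md5 (32 hex chars) or sha1 (40 hex chars).
    if ($pinned && is_string($ssl['peer_fingerprint'])) {
        $findings[] = 'peer_fingerprint is an md5/sha1 string; prefer the array form with sha256';
    }
    return $findings;
}

// Constructed sample: the settings from the article's example, with a made-up SHA-1 digest.
$pinnedOnly = stream_context_create(['ssl' => [
    'peer_fingerprint'  => str_repeat('ab', 20),
    'verify_peer'       => false,
    'verify_peer_name'  => false,
    'allow_self_signed' => true,
]]);
// Variant with CA and name verification left on and a SHA-256 pin on top.
$hardened = stream_context_create(['ssl' => [
    'cafile'           => '/path/to/ca-bundle.pem',  // placeholder path
    'peer_name'        => 'server.example',          // placeholder name
    'verify_peer'      => true,
    'verify_peer_name' => true,
    'peer_fingerprint' => ['sha256' => str_repeat('cd', 32)],  // constructed digest
    'disable_compression' => true,
]]);

foreach (['pinned-only' => $pinnedOnly, 'hardened' => $hardened] as $label => $ctx) {
    $findings = audit_ssl_options($ctx);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'no findings', PHP_EOL;
}
```
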
raja
Published on 21-Sep-2020 14:43:40