DEVHIDE
Login Or Sign up

PHP server-side SNI support

2.7k Views Asked by At

I read a lot of php manpages but only found information about SNI support in contexts - http://www.php.net/manual/en/context.ssl.php

Is it possible to obtain SNI send by browser when PHP is working as a server? Server is created using standard stream_socket_server() as described in eg. this post: http://www.php.net/manual/en/function.stream-socket-server.php#98616

php ssl https php-openssl
Original Q&A
1

There are 1 best solutions below

0
On

Yes, server-side SNI support is available in PHP >= 5.6

Example Usage:

$ctx = stream_context_create(["ssl" => [
    "local_cert" => "/path/to/cert.pem",
    "SNI_server_certs" => [
        "domain1.com" => "/path/to/domain1.pem",
        "*.domain2.com" => "/path/to/domain2.pem",
        "domain3.com" => "/path/to/domain3.pem"
    ]
]]);

Notes:

  • The "SNI_server_certs" SSL context option maps host names to appropriate certs should a client handshake advertise SNI capability.
  • Prefixing a *. will utilize the matching cert if a client requests the primary host name or any subdomain thereof. So in the above example our domain2.pem will be used both for requests to domain2.com and subdomain.domain2.com
  • The "SNI_server_certs" ctx option has no effect for client streams.
  • SNI support is enabled by default as of 5.6 for both servers and clients. Servers must specify the "SNI_server_certs" array to actually use the SNI extension, though.
  • If the "SNI_enabled" => false ctx option is also passed then the "SNI_server_certs" array has no effect.
  • While supporting SNI by itself is enough to successfully negotiate the TLS handshake with many clients, servers MUST still specify a "local_cert" ctx option or run the risk of connection failures from clients that do not support the SNI extension.

Prior to PHP 5.6 server-side SNI is not possible ...

This is because encrypted PHP servers currently only use a single OpenSSL SSL_CTX C struct internally. Deploying SNI in a server requires a separate SSL_CTX for each individual certificate you wish to present.

Other New 5.6 TLS Features

There are quite a few SSL/TLS improvements for encrypted servers in the forthcoming PHP 5.6 release beyond SNI support. You can read about some of them here:

Related Questions in PHP

Related Questions in SSL

Related Questions in HTTPS

Related Questions in PHP-OPENSSL

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.