PHP server-side SNI support


I read a lot of PHP manpages but only found information about SNI support in contexts: http://www.php.net/manual/en/context.ssl.php

Is it possible to obtain the SNI sent by the browser when PHP is working as a server? The server is created using the standard stream_socket_server() as described in e.g. this post: http://www.php.net/manual/en/function.stream-socket-server.php#98616


Yes, server-side SNI support is available in PHP >= 5.6

Example Usage:

$ctx = stream_context_create(["ssl" => [
    "local_cert" => "/path/to/cert.pem",
    "SNI_server_certs" => [
        "domain1.com" => "/path/to/domain1.pem",
        "*.domain2.com" => "/path/to/domain2.pem",
        "domain3.com" => "/path/to/domain3.pem"
    ]
]]);

Notes:

  • The "SNI_server_certs" SSL context option maps host names to appropriate certs should a client handshake advertise SNI capability.
  • Prefixing a host name with *. will utilize the matching cert if a client requests the primary host name or any subdomain thereof. So in the above example our domain2.pem will be used both for requests to domain2.com and subdomain.domain2.com.
  • The "SNI_server_certs" ctx option has no effect for client streams.
  • SNI support is enabled by default as of 5.6 for both servers and clients. Servers must specify the "SNI_server_certs" array to actually use the SNI extension, though.
  • If the "SNI_enabled" => false ctx option is also passed then the "SNI_server_certs" array has no effect.
  • While supporting SNI by itself is enough to successfully negotiate the TLS handshake with many clients, servers MUST still specify a "local_cert" ctx option or run the risk of connection failures from clients that do not support the SNI extension.

Prior to PHP 5.6 server-side SNI is not possible ...

This is because encrypted PHP servers currently only use a single OpenSSL SSL_CTX C struct internally. Deploying SNI in a server requires a separate SSL_CTX for each individual certificate you wish to present.

Other New 5.6 TLS Features

There are quite a few SSL/TLS improvements for encrypted servers in the forthcoming PHP 5.6 release beyond SNI support. You can read about some of them here:
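A complete listener built on the context options from this answer, added here as an example rather than code taken from the answer or from PHP itself; the file paths, port and host names are placeholders, and it assumes PHP >= 5.6 with OpenSSL support:

```php
<?php
// Added example (not from the original answer): a minimal TLS server that
// uses the SNI_server_certs context option described above (PHP >= 5.6).
// All file paths, the port and the host names are placeholders.

$ctx = stream_context_create(["ssl" => [
    // Fallback cert, presented to clients that send no SNI extension
    // and for any server name not matched in SNI_server_certs.
    "local_cert"       => "/path/to/default.pem",
    // Server name => PEM file (certificate + private key) selected when a
    // client advertises SNI. A "*." prefix matches the host and its subdomains.
    "SNI_server_certs" => [
        "domain1.com"   => "/path/to/domain1.pem",
        "*.domain2.com" => "/path/to/domain2.pem",
    ],
    "SNI_enabled"      => true, // the default since 5.6; false disables the map
]]);

$server = stream_socket_server(
    "ssl://0.0.0.0:8443", $errno, $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctx
);
if ($server === false) {
    fwrite(STDERR, "listen failed: $errstr ($errno)\n");
    exit(1);
}

while (true) {
    // With the ssl:// transport the TLS handshake, including certificate
    // selection by SNI, runs inside stream_socket_accept(); a failed
    // handshake (e.g. a client rejecting the presented cert) yields false.
    $conn = @stream_socket_accept($server, -1, $peer);
    if ($conn === false) {
        continue;
    }
    $request = fgets($conn); // first line of the client's request, if any
    $body = "TLS server with SNI, " . gmdate(DATE_RFC1123) . "\n";
    fwrite($conn, "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
        . "Content-Length: " . strlen($body) . "\r\nConnection: close\r\n\r\n"
        . $body);
    fclose($conn);
    fwrite(STDERR, "served $peer: " . trim((string) $request) . "\n");
}
```

To confirm which certificate is selected, connect with `openssl s_client -connect 127.0.0.1:8443 -servername sub.domain2.com` and compare the subject printed against the map; a client that omits -servername should be handed default.pem.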