Allow setting SNI cert and pk in separate files

NEWS

@@ -57,6 +57,7 @@ PHP                                                                        NEWS
     (Nikita, Dmitry)
 
 - OpenSSL:
+  . Allow setting SNI cert and private key in separate files. (Jakub Zelenka)
   . Fixed bug #74651 (negative-size-param (-1) in memcpy in zif_openssl_seal()).
     (Stas)
 

ext/openssl/tests/sni_server_domain1_cert.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFSDCCAzACAQEwDQYJKoZIhvcNAQEFBQAwcTELMAkGA1UEBhMCVVMxCzAJBgNV
+BAgMAlNDMRUwEwYDVQQHDAxNeXJ0bGUgQmVhY2gxHjAcBgNVBAoMFXBocC50ZXN0
+cyBzdWJvcmRpbmF0ZTEeMBwGA1UEAwwVcGhwLnRlc3RzLnN1Ym9yZGluYXRlMB4X
+DTE0MDMwNTE0MjgwOFoXDTI0MDMwMjE0MjgwOFowYzELMAkGA1UEBhMCVVMxFTAT
+BgNVBAgMDE15cnRsZSBCZWFjaDELMAkGA1UEBwwCU0MxGjAYBgNVBAoMEWRvbWFp
+bjEgdGVzdCBjZXJ0MRQwEgYDVQQDDAtkb21haW4xLmNvbTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAJwmiDb308e7/g1DA+cyS4PvJRCbMRrezkIxJhZB
+FJsK189SORNva3JAUv5QjRujbxBurjbcYF6M+nC5TsC/XHRxkijwzmBxmuyTfhBo
+jJ0nGSzXPWqNaLry3QWuZb+s3KArumD8PeQJ2ejxxB4/JhXJFrZhY1dev3YgdUkf
+cA6SMMnu5pyZVUVADM6wAVTQ2j1Kqo/Bvsa9NjKOqU19cBh4EMk0f6TTh2RogwwV
+3ljQ7hATb02LQVl11zKxgt+h00kfijJQ4xX5gk2/stLPCC0+z2oMeixaLp/fUm4V
+0La8Av9LFEebcqjq4FY9XW7iklrkmolmDCWV2hSpJ3ZAk0C4jwg5bRzne6aWJkbf
+OPFqik24zlYaY8Y4buK3x8N8p4UDQudDf44lYigXKabUIV+HDDZbV7CVyNIa+nVi
+Nv+q+6KfY9rsTh7Yc5y3o7B3BpluthfMKVGcQE/Mrr03BDM8fh43S8gbvjf7ewRy
+pOPpyADfBtuupk+AY0ix3HZ8uCfFK1aAbw3lu6EJHb4ZbiKJmmxiYN8JJ542Pf0G
+7IggHEdOR2diBK3plPVZt7qIAMAQVpNmExLiLjW5vEwB6n049T5MV0ROmEy/dO3x
+WTHMP/t5zmBEakuBVeTrzaqDSC1sZdHQWGga7UcITBGGRQyuYw3NTraJaRdO7OOS
+cG2pAgMBAAEwDQYJKoZIhvcNAQEFBQADggIBAJ3pMaMcWaW5TJ1QV58npS/F7Ao7
+mciFMQ+KiQ6E5TJ/S37EfR/r5+mqQodM6Zvs07x4k2HdwcuI0cdpddLKfIH2znDW
+pJY1nEKI9W/pz9pEj3TBu9M3QAPzWVwYyBaJzVJGIll1yYVQVNGneHF8YpWQo+Ow
+yg97x1220oUSAlJ9zUwwls6QjJCo95PcClV9ZK6A+H17v+kwzBco7DwGhoxy3s+n
+D9+LjDa5Z6yk7Y1h+I4kIExenjuXT1wgQatruR8MBl8MX+KKeAi4neRdCBiDceHs
+zzO0f+IBNiF1J8THokV81i7DMbsHRGv28r3rcQpalDK9/rcBRVXUl0Kw8ZDQJLaS
+C1EuAcqw8TgvZOAhw431EpZW7Beek4xvrwTSzrF1XhlbD/1Jm8YAjGQyO138qzq2
+p40NRXgGL3rT6LEDcUVjL9D2z/7Tu7G9g17vleEzBC13ILnAOg/UFsZ4BuGNCnxa
+3PiJ7QaDBL0UA4uUuXjVgGTFzeDaTJbNCybcTKI7rD4zAa/4d05364gA3S1XJU66
+tH24Z3ncMBrh1GrsX4z6vLkNyb7m2wBqWBuyuVidm7rPcMGoggbrAsIP5vPjIMdg
+GR+ghPgzhJsbEg/WoSxv8+oljAJT2I1A53ulJaL4w6S/Ku1yEQ01Xk4vZEBJHAAw
+TJxrq625wwS0cKQd
+-----END CERTIFICATE-----

ext/openssl/tests/sni_server_domain1_key.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKAIBAAKCAgEAnCaINvfTx7v+DUMD5zJLg+8lEJsxGt7OQjEmFkEUmwrXz1I5
+E29rckBS/lCNG6NvEG6uNtxgXoz6cLlOwL9cdHGSKPDOYHGa7JN+EGiMnScZLNc9
+ao1ouvLdBa5lv6zcoCu6YPw95AnZ6PHEHj8mFckWtmFjV16/diB1SR9wDpIwye7m
+nJlVRUAMzrABVNDaPUqqj8G+xr02Mo6pTX1wGHgQyTR/pNOHZGiDDBXeWNDuEBNv
+TYtBWXXXMrGC36HTSR+KMlDjFfmCTb+y0s8ILT7Pagx6LFoun99SbhXQtrwC/0sU
+R5tyqOrgVj1dbuKSWuSaiWYMJZXaFKkndkCTQLiPCDltHOd7ppYmRt848WqKTbjO
+Vhpjxjhu4rfHw3ynhQNC50N/jiViKBcpptQhX4cMNltXsJXI0hr6dWI2/6r7op9j
+2uxOHthznLejsHcGmW62F8wpUZxAT8yuvTcEMzx+HjdLyBu+N/t7BHKk4+nIAN8G
+266mT4BjSLHcdny4J8UrVoBvDeW7oQkdvhluIomabGJg3wknnjY9/QbsiCAcR05H
+Z2IEremU9Vm3uogAwBBWk2YTEuIuNbm8TAHqfTj1PkxXRE6YTL907fFZMcw/+3nO
+YERqS4FV5OvNqoNILWxl0dBYaBrtRwhMEYZFDK5jDc1OtolpF07s45JwbakCAwEA
+AQKCAgASxm9KbLICKhB597zYZ6u8yVxjisV0vaV/P/mcY2be3YblXrWOKK96pVFV
+UsoksJoCF8zKu+S6eakDNMTLWDb9qUoxsgKehgpit7lIr8l4e+MDCT5ROX+GOv1o
+WXfSfC5q89cNIkcuzCBvaeJy4JTruaoJc9xF/RZ4VZ7ElAsdNWa4YQlJewZNtU3U
+7ES8tgAHrpqjfmA59TY3DgA9WP/JcWZTSwSuBOEaqZZYNajudPCq7itL35qT7x9Y
+8Q8TZJnLCQfM1Pz4/28zegE+Z7ZL+mlmDuoBuzYv8uIuamEWF7UkjRp7Ia2/sb4X
+oHlDg+qlEyehrat4OXRnV49vIIST64cxQw3v9mGZr1mCxyrfGbRvPw99CSwjdCju
+LSuzYlr5w/ZVKsVGKB1mvowxzKJ89Njhdv+QlHpqrodSgCTFzm2A6dwoEQ9bQFd/
+OH7pG9YOu5jf66MFnV60AiImGBZCP7B3thJgmCBhjSau2cmDSUGFLwZswoue2y7u
+Goh5sCOq8MAcFkm5CyXkAQbDIptGs7XGipJBbpZEXBo1fnVPQnz/Ien9Mv8ZxeAW
+busJD5aPMZZ9GwLuRfoGEa7PEO4409zHc07hA22kxv6yb1nNyuTNcXG2myIP5MdO
+rHLFuDcQ+2adBmpmJGYXmak73eamYzCZOMEOLYSLAwYNFpOIgQKCAQEAytAdhSFa
+goKLWCR5NcXvMSjAblWqMn5qAG0KroIISrOIgWamiDE6Xsqrg6H/aRETyelO5Xyi
+TxHnhYzge0VUAXJK3megyKbXCWwIJyym14gKXppvgNmvKs7hM6tp00+UYYUGWj1u
+2Mw3ae6oCyQIx2GYGUVTRyIbtz/u0Nfc0cJJ/OB91Q7Ab/GEVv70hvN3QBLab4OK
+37BtXE26dorHLAAC2SWwDbaD6A7NxHW5M9JpQHdtYvhNwS6lBVxSlFjmA7jBXrxH
+vT/8TJG4b5f9d85JGvURwX3DW1bUO/vVMEdp5RE1gHLo5q+IKQSH7OeVfJQeavyA
+OXC2+UIcsOdMPQKCAQEAxRm5xTchHfhTFusfggVjRwp0fKxCGw7LL4xLO6G3nqTX
+5WX2XWc/VB7uSJVq1b4dwiUJxVnmYWL/FcC3OeAQZh2BnkEJoPF4re7neN/8BOHB
+sHpn8+O8a5XF5XumvodSgwoBj0dPTdRRvK8OreyMjhoMwC5OrOWeYgfCkg4UUeax
+Mjta7j3B/wzu/SQcLOkVW9Y/B6FsC5ZIbNPhFJQ/h9q4aFw421AWnJ98FRSGDT22
+cynII9nA8OhNh8YXEJz4FRYs4GelbUNBe98BEh7cVOEuqK/7L7wXpmmC64yhP1ro
+37WJ9LDZbYqLriGsMZV23/knvPOk0Mqd8dTgderh3QKCAQB3zXHyp14ow+Z+HaWA
+DzkZB+KMCoxsIWKKd98ccHFndyAGmFV9E99QCVZBfps6PD09Q1U4mGPkY0YpDKu6
+BZz28cWqFPrULEHQLgGu6mBv5suBUKbXLT+dAPHkrLfpfBPBe2viOHHXHOMK71BS
+rGmHJW5MVzg3R72phNmUgj7NpYBBIXcTORCRz9AF97sIUJ87uSdRQhnxwu0G3l9s
+ENRQeH02Ol4B67OFi+Ee0Q+ivgMwcpuqH9UGbYBLZ1rciJruzd9kD8Is17Q4oseZ
+G+Y9NBzZELT5YEnbFbJu8Hbhev3hs0WwZ7COPFgpKqUEW1Rhb7l8J0WzKJLdMKF0
+Gl1dAoIBAD3mVGdRZv8oi7+4285TrtgSun6lAqXIwZsPLllt8mLKVlte6D5xPHxI
+soDtG/5AlMvyId1u3GFdW8sTGPf+HGhVf+2Zc1KuQz4st1lIzrchx1iLOLZpoTUQ
+dnQZn0Za7Vjl/ZNny8ofkgP13mBU19eQ6sw4PtEh09npofuInG0UTDYAWhBUKObW
+wv+RJaAdG24aHPVihrIk4l37NMbnwAQEdsGfpOOLhW5uz+M27NqftPr59jb8HhIK
+gr7PQVMgWPEWY8WeB2AHLTufz5BHTN8DUUn86qAVLEBBBrK/Gazx+gy30LmeCMrU
+JgXr4U45KHoyn35B7lL8LxpRxqSBvakCggEBAJBaYCI/2uWAF+sGQLt0rg25jnLo
+iuY45pshPCoxjONwYh0vnjsr00nyyN56ipPRITETMnQh/thGYJmj0O+5dO+0fkfB
+iHP9MxOxqVpMYff9Q4As+mtmC1/9UPSN8hRxyUuNwL0rNt/tq7u3muo5XT0rRWwV
+SjnMMjfK98i4b3xBpFPn8wrenhK3EVsx0hCyWg3NgmhTNh2OaK31FPiQAwOM7XXS
+55sQLO2XTPa663GNavzECmzZxYiRrk6TCEYp8jDofBw0aT+Mq8fp7kwgwX7l2lfK
+XQzGJ+CxJCdMyWhLlXGkIhG8G2W4/3tqyIp2+JlXk6/3CD6ovOqy0rhnpA8=
+-----END RSA PRIVATE KEY-----

ext/openssl/tests/sni_server_domain2_cert.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFSDCCAzACAQIwDQYJKoZIhvcNAQEFBQAwcTELMAkGA1UEBhMCVVMxCzAJBgNV
+BAgMAlNDMRUwEwYDVQQHDAxNeXJ0bGUgQmVhY2gxHjAcBgNVBAoMFXBocC50ZXN0
+cyBzdWJvcmRpbmF0ZTEeMBwGA1UEAwwVcGhwLnRlc3RzLnN1Ym9yZGluYXRlMB4X
+DTE0MDMwNTE0MzAzMVoXDTI0MDMwMjE0MzAzMVowYzELMAkGA1UEBhMCVVMxCzAJ
+BgNVBAgMAlNDMRUwEwYDVQQHDAxNeXJ0bGUgQmVhY2gxGjAYBgNVBAoMEWRvbWFp
+bjIgdGVzdCBjZXJ0MRQwEgYDVQQDDAtkb21haW4yLmNvbTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAOdrgSdbb+KLIdxlKnYgUtNRY5zp83ZDQf4wJPpt
+AR+g4iiU9I0er7Kc7rbjyJ9Ba1RO1dddqOFzoWIsYxnwJeqgP7Of5hNCYMNgYyJ4
+L3sxXqnbJdYNmdAeQpwimTMvw7gcrLNxF4wPbrjqxAWpwMBPi61BH5k0AbT2Z4Jf
+RZ9UwKpGAOFAa/3TrUjEpmpv3c+ppK5RFjVGasLhQoEEdhjK019Mw/W715Q+TL8o
+utQ1HOWEURmM4jCtCskg6MIGuYyKq1LebLy2hyHTlx3zCY43LQ/ptxTa34gublzf
+Vmw2fSyJygpmv52Y4UR5MFBEx5LC/C/4cwjWN5ZPWOKTCAoTeynTDGL2pwA21Tnk
+ae0RgPftFpyst7thAsoAgyfuMPiGWBnhqdN+RzeFpw+lm22gquxr3UPOBG51rrN0
+//UJQNbhqxG5sqxS7EDYolUFG4ViQwJ0Ney3GPa59E60Iw+IU14Lif6NVzYYlT3d
+czZpt/uR97cKeCZDHO28o0XCspdm8z4dT1WTWNVuCLArb7zm9+IOu47bUJa/y9N8
+ApqPjrwWPXWwdQq8ViUCSewTSQa9GeB2MnIVKQCjNuLmPCDDkmmJYcVpyiwljkwb
+29Itigeo7TMgVBeadN3biZGYSgIeYvf/MjOjxMKt4bCcoKNsieIsCNHj9+9lHbIr
+UrpDAgMBAAEwDQYJKoZIhvcNAQEFBQADggIBAAzy1BUPLBK3+230sILn9iJV+7DJ
+1pFOTBdChTn8UrCzP8NrhQ7TNyNuwETcjxOMZ0IYc9SBUZgQV2RZrGM4Ek2dV2so
+Z+HzQ9UsAl31t8bL1uSBH4lspAeSAIq8HyLK52JxZ4yBK8ID2e7oHzbqY58Xcfzn
+4WlA54XYNI1+gj6bBTP7lXLz40H9lcPTHDsed3usYYWtfH/ncIW0rw9/fK1P6aTO
+680lOaLFB26Z3ygGiJXbfmcnIjEmbpgWLfcPOoIBFrDmkiHqo31UT1WBxQ16c4yw
+DwO+DY5KK6adI1j5PWUmT/8vwlsO2CEtq4DOKfB51ggG9NyciCw+vJXP4Ec30IiX
+5TNWNwpg+ex44ICScSF6ew4hS2tO59VFBvDaa/2nFhEOG0iECN0537v10vOxgaVr
+kHlCgJtgCwUbKrfVTA2FogXRDIBJ1aOZiA7kIPPSqdTH49HwieH55Q5kfi7xak5y
+tSijrFw70vZOf3ORErmXEAZFqQgPuK4KlvTMom7z9QnNq4L579DeGUdBhLYGXJzP
+8WcMXRlQ7XUT6TQaSTDwDYlWcxcZ584seK4rVCLT2jyChEWSLR2K29hZ0eNVQt43
+3Xxz9hExGS/oELv53zPqp10w/0ZKlFQc5Wa4kEkjBz5R8VzzWuelxarqNAH6m9Du
+i3jyxtHS869PHMU3
+-----END CERTIFICATE-----

ext/openssl/tests/sni_server_domain2_key.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKgIBAAKCAgEA52uBJ1tv4osh3GUqdiBS01FjnOnzdkNB/jAk+m0BH6DiKJT0
+jR6vspzutuPIn0FrVE7V112o4XOhYixjGfAl6qA/s5/mE0Jgw2BjIngvezFeqdsl
+1g2Z0B5CnCKZMy/DuByss3EXjA9uuOrEBanAwE+LrUEfmTQBtPZngl9Fn1TAqkYA
+4UBr/dOtSMSmam/dz6mkrlEWNUZqwuFCgQR2GMrTX0zD9bvXlD5Mvyi61DUc5YRR
+GYziMK0KySDowga5jIqrUt5svLaHIdOXHfMJjjctD+m3FNrfiC5uXN9WbDZ9LInK
+Cma/nZjhRHkwUETHksL8L/hzCNY3lk9Y4pMIChN7KdMMYvanADbVOeRp7RGA9+0W
+nKy3u2ECygCDJ+4w+IZYGeGp035HN4WnD6WbbaCq7GvdQ84EbnWus3T/9QlA1uGr
+EbmyrFLsQNiiVQUbhWJDAnQ17LcY9rn0TrQjD4hTXguJ/o1XNhiVPd1zNmm3+5H3
+twp4JkMc7byjRcKyl2bzPh1PVZNY1W4IsCtvvOb34g67jttQlr/L03wCmo+OvBY9
+dbB1CrxWJQJJ7BNJBr0Z4HYychUpAKM24uY8IMOSaYlhxWnKLCWOTBvb0i2KB6jt
+MyBUF5p03duJkZhKAh5i9/8yM6PEwq3hsJygo2yJ4iwI0eP372UdsitSukMCAwEA
+AQKCAgEA2IEiPrDz1u01y5y2AfexpVPSrt3NUUoRNn7SSZurXmzEyRS6SkB4PdFG
+H8KxUhUBFcn/k9JjCjGEvXUrbfvXbU9o6WLh/AiwwHivpnLscQO6PYzyM/VbfnKg
+/LP9wf6gy+G/zM00K2vQuZ2hsG6lDwYcdgWkS091fVi9dCIv36WJ7oM5lYMQxVLB
+HoAj9RYdXYensxHXhhYQEaxu7IdA+WbgI5uNBZwsTtuOL5UqXRgnpa6JtS6x+roZ
+ihuIxuVFuG+PYyMGdfMKL6JmEbXrrap/NREBoLg4Qo6135tuniTILN/oLpz8DbQW
+pFoA0kfWsr5K85IsBQtsy+oGDUtjS0pfhSPiB6ZxK3y4gZrtSnN+WvdBXU9A86HY
+f7kdJyKJh7KndJ6WE95EhJhJ8KJYHcSAXMxGctODTiZS55LSuwWed6zdw6bxn2+1
+KHPz/Bghd7JB2naVyLYC1eOtc2zhIdSlnnUOwrApKo5U96VryzfcySf1iul755k9
+chwTYPJc3JtuJXNLX+oEVUmZq+P57i1hf6xrGfMDdlRPkTS6ik4ybRw3ltVtNFGu
+XMrmASWE/tVdb4dsqSsklZXztF9CYeBwqzf2ChQIywwxNtKrr79o0vdaHnnRLT6a
+Nf904Wrig8jWSBFKN2UTJXLy129SBdnP5XXUrSePUin4d3QbNQECggEBAPoQj2sk
+1HIaXKyxUv10pJzz7/eYWMpondiKxsdg/yQsTkxGIj4A8mE5/zh3eERvC2d7U3bI
+p8eF0C1F4N25bkZRLNT680Gas8lRsrSiS9YXaIBB5Pw4OVmnlfGL9Vs2k/t8joU/
+9nQ9f9ZlLdtIcCUzrrp45RKv05rYfYX2tcpqVie9J0NK/Dj6iVbb+S9QgKuGK/Xi
+YcBJG+XX4YNmsgKxCU6UJkqO/YRfKlhfs/Armo8wPxx6CfP0gEvKJLDebXxb8SCW
+YQQo1ckNkocMOAJuTfAeFMcaGV3Rj+urxQZZGLxA3I0ynDa27SbE7IFQSORibL2X
+fWto8uGYA1FpGsMCggEBAOzpp8G9UCDl9yaAP/SNp52JU1/zC76b8gtFn2siFUiP
+c2q8n4T8K6MNUQhYdZ8BovNP0Sd4nJF9XOlpshiA/ELfpHUbK+XpQYueL+QkLVMV
+iGszy8kZbGLErglGC1n3GxSxa6C0k/MweQE+NFCyy24D2vyV9/RjhcMn8/eSHa9I
+Ot2oEBcJF1+R2j9FLQFZqNnsUZXh+vjpQOQOvGWLKC7RjRdMTiDxhbFwIbwts0O1
+/IjZdsaKUk936aLWeQLrzUMEvFJ1sr3xRegT53KJuQLLHZk0tEm0SHug84SkH0AT
+h8nY6zfeZSEPtfZOw3zydog2sXgakCwqUjTS1Rci6oECggEAZdjA0N6bOC3MePlv
+15LeSJ6BqdH+t9GMGFnNQ/8Za14wNZiK8b3o+fhpHlJqRVUEzAzKnaJz0yuI8id3
+wlZ3t2PwYn4i/SFJAEGqCy/euz+lbDdqT9+GXCGJTGu4boH4G4FLerHmaslxe5yR
+5LHIGx7Fl2UNx2KdSH/L//fParWMiXrctuefeoVv0lSdVMvw2+s1lFuzfGFKX35h
+ducosTfxlnN4dP1v+63WzU+NNdBMju0Th0GdNCLs7fFSqEavSOsZdjBJKyyGhfBl
+MWOknDjYvWdDByR2GGP1vgKjqEY5cNLqAQgP36j5RcUGnlRYm8wKhd1hU5HW+lKz
+Z0DriQKCAQEAiEMDp9z4/1MFSfGt1zy6UVOwzpj+Ak2zc2RCAt6Bm1BWs+d1YImh
+l5CLMN+gFypbzNH1nFw0wUF3dRDDzHAzp0r2ThyorP3yIxmCthdQsl7KLc6GwU2M
+F2rEJrVQxhfoTYiWPMJf7hnNHzfl4xxTAR3akDi5eqjbQJn0KkqyJCTJJsAJMRab
+iO5cttNUxVgKU/0mF6z4Kr4OAp2vIkBdhkAkhGfw7+W6XYn+/TrTxngfnZ5mQF9C
+ZE615GCzDUkOsCNDJbJocfMZoBgCoNAxxzeH+JxlrZaxsdmq9nlnN/WDvkazU1jo
+lZFxuQ8oRO832bSLcmbk0WIuEg/JXBtLAQKCAQEA5izB8Br8wNUNSp39OG/xDH3f
+s/u4WpEYaKTXGo9lAxFSxXUwN0vwW5h2LsInhyG9LC016BD/I4hsREYBfnSBZfHR
+QgnZZkvXiAL90fucoV2TakQqSK8TYDPrpXyq+AsZ8avA+H9XwWQTk7Bu/RjO7u1B
+MszCiYVi3zb9RSa3cCLKSlTAUQACGZGaqT2Y1hDbvWOtd7O9kCz8hURqPXianutm
+o7OqYpOh+4xvm1HsMm5cEH6u3pO43njcDGVd9Jq0cL5cKXkm4Q8Q6mEZd692PU89
+BMD3XwjysI/pYDf6+gAL75bSEQUyYDFk04gIkVr1fII+9DHEdTn+tvoTSsunLw==
+-----END RSA PRIVATE KEY-----

ext/openssl/tests/sni_server_domain3_cert.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFTzCCAzcCAQIwDQYJKoZIhvcNAQEFBQAwcTELMAkGA1UEBhMCVVMxCzAJBgNV
+BAgMAlNDMRUwEwYDVQQHDAxNeXJ0bGUgQmVhY2gxHjAcBgNVBAoMFXBocC50ZXN0
+cyBzdWJvcmRpbmF0ZTEeMBwGA1UEAwwVcGhwLnRlc3RzLnN1Ym9yZGluYXRlMB4X
+DTE0MDMwNTE0MzA0M1oXDTI0MDMwMjE0MzA0M1owajELMAkGA1UEBhMCVVMxCzAJ
+BgNVBAgMAlNDMRUwEwYDVQQHDAxNeXJ0bGUgQmVhY2gxITAfBgNVBAoMGEludGVy
+bmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwLZG9tYWluMy5jb20wggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCu5H20GpgEO8HUN8wSFwVJxFsoQtH4
+AsXhrQQb996s58XJzgeBZLulxO7Oq2moY0hnFCRH7JyiwI3dlpfaC65uENq0sIYQ
+iCeEV7LOO0sXA7JdkNvWyiTP4tt6p1t5xmX6b72PLIPff+OK35a1N3IVqbo2D3WP
+m4ALTMIHwryVrZO5nfeBW2IznVHSLMofYpKeg/pMgQ1QI20FbqnU/FN8KZvGZTn2
+wpKRfgz/tCOZbdW3NYD0S/f5zo4W92FrbgKEqYVuzqRm31O05uilWuIw57c6cp8Y
+4Dx14jJUugaBs50LJVtkhYiYCH51UQKfGnmcYwctFfNsbBxPLYLzLXfmph3l3lFB
+5zZXf68uTQhj6Nqvykuj08KyqDKPS95qMDkIvxw68vVZpFEtRUkLGSOci+f70Vtl
+5l8w7TJ+zPPtKPe5DuQSRbDwU8e9NdhqbbliYu6H1pNKG6tHdZF5QNrZCxom8jfn
+jTKtM369VhUEUiZ1Wf19DbY7K6LVpkzu8B0hsD8oDU2oEPsS5iLAHzv8kbbPkYWc
+GfKsn+VBWm7aX9zv/JT2FEAQOiVzSe6Bi8walXJ9qEI5p53Wvfny0bmgrhMDvbbN
+5QRyBfTWs2SjsEgdUJFi7QhbZn1JVAwScMnAX/Ne2uS0uMdcEqU59FYfhW8jHI1v
+EY5BD8etxaT34QIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQDUel0pS4vCng3sQ2ab
+U4bSTDiiyR09TUlX54eaHrQFnnJAXxnHdu9S2xlizaGgkUHqQ7P6HXiMn5rl2GTw
+7uLcV2CoapceuX3HK+Iiy5r4phXtylmkUT737jR32Rib/jH7swkdPLDcnbI2J2Cs
+I1LIlCiuaJagu0q2liRnJOkdZQd1Rz3w9I/WHECxS9SAnaQsF4LbXabXObVeRrtq
+qiNoDbC0Q9c4RquVtbdjm4vP6eCjnqck/0Tq8ceq7Hg5hu3Q0scg3mEK+7cyp19X
+Y+/nCg8SZe+7LxewJ7GgqRgnDiHgfO5Nu4jhuZh72LA1mtIS+dU/cDVf8kxLiusG
+UlJKDwJ14Jh7LAKdRorqGFqNi8R5zEaCIcuSWvUfNl9TzOXlRj6c4lP8eixWG4FD
+CiHkv7jXsz8AYZcKy7IqsXVdnem+8PoKmBzhtngNX86W9JgQ65vLwsT4kdWHMfU0
+zEZrHZ3+qcmL5GUXI7r3uQQmp0RcNQV57X6bLRG4PaCMxuTv6JJ3Bi+qqX4vVWPL
+K1Au3W5UiJ3XPVllxSynA6lcUvVw/PoNLaV21sskxwJDtLwbSAH3DS0JQQSZzesj
+hGayf3SOVU1n84lTuc84KEgM+zaxGzqfShUadlLMKBS+w+8j8N+qBjUi08UOUKa7
+OAES8tCv7DK0Mi21rLXMadYwlw==
+-----END CERTIFICATE-----

ext/openssl/tests/sni_server_domain3_key.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKAIBAAKCAgEAruR9tBqYBDvB1DfMEhcFScRbKELR+ALF4a0EG/ferOfFyc4H
+gWS7pcTuzqtpqGNIZxQkR+ycosCN3ZaX2guubhDatLCGEIgnhFeyzjtLFwOyXZDb
+1sokz+LbeqdbecZl+m+9jyyD33/jit+WtTdyFam6Ng91j5uAC0zCB8K8la2TuZ33
+gVtiM51R0izKH2KSnoP6TIENUCNtBW6p1PxTfCmbxmU59sKSkX4M/7QjmW3VtzWA
+9Ev3+c6OFvdha24ChKmFbs6kZt9TtObopVriMOe3OnKfGOA8deIyVLoGgbOdCyVb
+ZIWImAh+dVECnxp5nGMHLRXzbGwcTy2C8y135qYd5d5RQec2V3+vLk0IY+jar8pL
+o9PCsqgyj0veajA5CL8cOvL1WaRRLUVJCxkjnIvn+9FbZeZfMO0yfszz7Sj3uQ7k
+EkWw8FPHvTXYam25YmLuh9aTShurR3WReUDa2QsaJvI3540yrTN+vVYVBFImdVn9
+fQ22Oyui1aZM7vAdIbA/KA1NqBD7EuYiwB87/JG2z5GFnBnyrJ/lQVpu2l/c7/yU
+9hRAEDolc0nugYvMGpVyfahCOaed1r358tG5oK4TA722zeUEcgX01rNko7BIHVCR
+Yu0IW2Z9SVQMEnDJwF/zXtrktLjHXBKlOfRWH4VvIxyNbxGOQQ/HrcWk9+ECAwEA
+AQKCAgB6QGgKJGjM1MSpxpMUthjRNruNyh+hoLaYCOwNbNevv5fHeAhRD4wH1UAl
+ITcLKNNskmzGBgR70+OW2HSvS2kTsR5gHeCo37PX08G+XT4hCUl+FAtH+id/VZGc
+DC5qUh/ozoEP+sr3yRrScXaUl/xcXjc3INlJmCYKQA6FhD901U+k+WIQf0OG1tph
+80MaazoYKiMlpTQcJ5dGq9N1eSgWa7NjHFFHRz1TDGyjtVUJI/i3R2Qr4IqniRZT
+wXrMsKp790+5ZCMRcdy+YIaRR5VDIEY5SfQiXGSG9qW+CgcQVPBa4TMgciNIOu/C
+q+0MMGJ/yc0zW9u7l1q2khauS8M6RAWXW+wLGelbezvidsO6I5sTfINoPbrEbQo4
+OpsiM5B+bncvXMnt0fbTiDFnjH51WbIFUSRFKNaMoDbvDThmfi5SAfTXDtXZHYa/
+9WBGTEDNO555S2+YPxwKdV6kd3irBDHzsnMtwsPyFxAmm2tvolp7MC1XD6G8mMpy
+PjXcsIz63fadO6DLEtJKTBorjZSbE13Edy+cpw9/EPQ8pyc1Nc7Z1dQlF7CR54UE
+jvvIF2K/PsSH+1sCNgvcKliImg55VGL8VyiqSvaxKhll59y0jaM1YOKYIcnP1Wq3
+Lwsu3htYZD4zVIhwM3Zi+jdr2fzJm8V2ZL1fsUM8ILyFgD98zQKCAQEA3ncyGBpH
+eCJajPbLAbbEjfghlWHVNdTInKENkVoIwehEv6e9tMjNr1ete4UdelxBiAQ/1O02
+Seka0JH8oXnl2v9oKGQHGKUYp7FNiaJ4duYtSzOU6U8scU9UyGolWY6P4l3Ac1cn
+VIoPuFRYG4jYZqto03yqueKCSg6oIC6jtXgzPxQlH+0jU7/f8WnbT7E/q5lpqpqg
+vY0m5XuQmhm6Ca6Ka8+UA7SpZqx892GkYu7lDdCw6ecF78EiO8u9bm9jntBTpND0
++uPIXDtBG+2t8QzYQwziI5D8wNVSQrhLBtuRT51YLrlEJlo99WBvooIOZawxA0jD
+uP/88TtLL9YqNwKCAQEAyUF7QKkguW6K1CJV9+ct7g9CqZQKhulexDtQLd8whl5j
+veKwZa5ItZtNVRcTfeuSyMrjo4wTUVAmtzLMxWljd5YQSdBpqaV5EV/F0y5uTzC5
+C0JUH1vvOUlQVPoqPjXNQ7AZ9StOoXje3kr+PENLvAlQuEedNNYNGm1W/Xbmi2l7
+Z3bY9WyBvv69aXqgbIp4uSiov4EJWZcpVKrOWvPcr6Lt0ubRTFhzcCYPp1Z32cI+
+HEGmp7rS4WBVXPFMNlaY74SUYQv5Ei2asBYz6Kst3I9CjHyZ7n/cOpsdUfJnzGdx
+y2cOPYwjmGtIQcpyrY9yQp7C5lsMLJ8zoPecFr0CpwKCAQAW3mfu5Fyuc9GdJg2O
+WoxwD67cHVd+liYdO80aQQgfbtIKZaLxv6atPLUfunpiRrOR2OX67HulM2pHQIqY
+yuAfGBxL8qRsGySisG5JFMOPbXAAiAfpx/LInyAXDhpSz33pBjwvXyky3pJpH3qD
+MhkUzNAU1X7zZt5/4GvWCxVXJUkXVenPE2CLTnEl7vzVf2INMNMU75pQgf8ang4q
+WTSvpBqkpI0RqHO1k0uxXn84kFhJiEd3dAE/OTpcrUAG5zp1a/L9QWG9nMbO/GRg
+C5nS6sAcfGmOwGvLIuK26x0DUnTom0MiYncn/iTaYZR4PyhduUq8jLFaBi6pWbAL
+9dcXAoIBAGwmZid/O3iqcKxCr1QCxWnShY4/YdDSA/0LqrCb6aWrf4oBEa3ylFwT
+UuFQ/0aBm2WPsfinQ5JEsilsgSHs2mjfGW2xM7bYl1DA2Lv9jYW8txPX1wDrFIkC
+XsrrjFvV6bJgJfLcDOs02v816Z1UxJQNpXUB9vb3uB7ldwPKK2Xrj0cwVLK+VpLe
+rcbLAP6TAwDtWpFetDmSw8Ed8LprpcI0mfzl0L9oINC5g1v3WXyJp3rjxL0J5lz6
+uaSyfrQMoS7FXj8wge5E14WcyNRVeNW3npmEM+w4hY5w4LayvxjW1g3qGXr1ngNA
+U5oXQr0GAu7OBgpoDwjDnKj5psWJWK0CggEBAIlWMA1dX0sBQLD0ZOJ61jg+5POQ
+tK/f8WI2+Bnn5DIPg2c29lNqPRR+xHEukzUBx9a7GiHYzMsxlBHHenQUQ6pF5ZPc
+nL7FcYrZKWlz3uT3eavFd+PPrlWTIguTJUXfwNHeDPSMHGm/b8tExq8SnzOGa2k9
+Mpn6iTxZ8fWWkso9NLGC6SyWVRTGinvNA5uNDJ7xKgpeWqrD4byjd/0rvQNVioxD
+HkWzHq+tVCoharJdxrjKlb0udhwFsCdhE2QV0I33sMaKZZtueeUsc57db+X/tjip
+E67ORm17t003JNkcC3nmSsCPUqq9LzDQGrFzHFWi7l4JRigC86xsEnpsA+c=
+-----END RSA PRIVATE KEY-----

ext/openssl/tests/sni_server_key_cert.phpt

@@ -0,0 +1,70 @@
+--TEST--
+sni_server with separate pk and cert
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip openssl not loaded");
+if (OPENSSL_VERSION_NUMBER >= 0x10100000) die("skip OpenSSL < v1.1.0 required");
+--FILE--
+<?php
+$serverCode = <<<'CODE'
+	$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+	$ctx = stream_context_create(['ssl' => [
+		'local_cert' => __DIR__ . '/domain1.pem',
+		'SNI_server_certs' => [
+			"domain1.com" => [
+				'local_cert' => __DIR__ . "/sni_server_domain1_cert.pem",
+				'local_pk' => __DIR__ . "/sni_server_domain1_key.pem"
+			],
+			"domain2.com" => [
+				'local_cert' => __DIR__ . "/sni_server_domain2_cert.pem",
+				'local_pk' => __DIR__ . "/sni_server_domain2_key.pem"
+			],
+			"domain3.com" => [
+				'local_cert' => __DIR__ . "/sni_server_domain3_cert.pem",
+				'local_pk' => __DIR__ . "/sni_server_domain3_key.pem"
+			],
+		]
+	]]);
+
+	$server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+	phpt_notify();
+
+	for ($i=0; $i < 3; $i++) {
+		@stream_socket_accept($server, 3);
+	}
+CODE;
+
+$clientCode = <<<'CODE'
+    $flags = STREAM_CLIENT_CONNECT;
+    $ctxArr = [
+        'cafile' => __DIR__ . '/sni_server_ca.pem',
+        'capture_peer_cert' => true
+    ];
+
+    phpt_wait();
+
+    $ctxArr['peer_name'] = 'domain1.com';
+    $ctx = stream_context_create(['ssl' => $ctxArr]);
+    $client = stream_socket_client("tls://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+    $cert = stream_context_get_options($ctx)['ssl']['peer_certificate'];
+    var_dump(openssl_x509_parse($cert)['subject']['CN']);
+
+    $ctxArr['peer_name'] = 'domain2.com';
+    $ctx = stream_context_create(['ssl' => $ctxArr]);
+    $client = @stream_socket_client("tls://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+    $cert = stream_context_get_options($ctx)['ssl']['peer_certificate'];
+    var_dump(openssl_x509_parse($cert)['subject']['CN']);
+
+    $ctxArr['peer_name'] = 'domain3.com';
+    $ctx = stream_context_create(['ssl' => $ctxArr]);
+    $client = @stream_socket_client("tls://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+    $cert = stream_context_get_options($ctx)['ssl']['peer_certificate'];
+    var_dump(openssl_x509_parse($cert)['subject']['CN']);
+CODE;
+
+include 'ServerClientTestCase.inc';
+ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
+--EXPECTF--
+string(%d) "domain1.com"
+string(%d) "domain2.com"
+string(%d) "domain3.com"

ext/openssl/xp_ssl.c

@@ -1299,7 +1299,35 @@ static int server_sni_callback(SSL *ssl_handle, int *al, void *arg) /* {{{ */
 }
 /* }}} */
 
-static int enable_server_sni(php_stream *stream, php_openssl_netstream_data_t *sslsock)
+static SSL_CTX *create_sni_server_ctx(char *cert_path, char *key_path)  /* {{{ */
+{
+	/* The hello method is not inherited by SSL structs when assigning a new context
+	 * inside the SNI callback, so the just use SSLv23 */
+	SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
+
+	if (SSL_CTX_use_certificate_chain_file(ctx, cert_path) != 1) {
+		php_error_docref(NULL, E_WARNING,
+			"failed setting local cert chain file `%s'; " \
+			"check that your cafile/capath settings include " \
+			"details of your certificate and its issuer",
+			cert_path
+		);
+		SSL_CTX_free(ctx);
+		return NULL;
+	} else if (SSL_CTX_use_PrivateKey_file(ctx, key_path, SSL_FILETYPE_PEM) != 1) {
+		php_error_docref(NULL, E_WARNING,
+			"failed setting private key from file `%s'",
+			key_path
+		);
+		SSL_CTX_free(ctx);
+		return NULL;
+	}
+
+	return ctx;
+}
+/* }}} */
+
+static int enable_server_sni(php_stream *stream, php_openssl_netstream_data_t *sslsock)  /* {{{ */
 {
 	zval *val;
 	zval *current;
@@ -1349,32 +1377,45 @@ static int enable_server_sni(php_stream *stream, php_openssl_netstream_data_t *s
 			return FAILURE;
 		}
 
-		if (VCWD_REALPATH(Z_STRVAL_P(current), resolved_path_buff)) {
-			/* The hello method is not inherited by SSL structs when assigning a new context
-			 * inside the SNI callback, so the just use SSLv23 */
-			ctx = SSL_CTX_new(SSLv23_server_method());
+		if (Z_TYPE_P(current) == IS_ARRAY) {
+			zval *local_pk, *local_cert;
+			char resolved_cert_path_buff[MAXPATHLEN], resolved_pk_path_buff[MAXPATHLEN];
 
-			if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff) != 1) {
+			local_cert = zend_hash_str_find(Z_ARRVAL_P(current), "local_cert", sizeof("local_cert")-1);
+			if (local_cert == NULL) {
 				php_error_docref(NULL, E_WARNING,
-					"failed setting local cert chain file `%s'; " \
-					"check that your cafile/capath settings include " \
-					"details of your certificate and its issuer",
-					resolved_path_buff
+					"local_cert not present in the array",
+					Z_STRVAL_P(local_cert)
 				);
-				SSL_CTX_free(ctx);
 				return FAILURE;
-			} else if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
-				php_error_docref(NULL, E_WARNING,
-					"failed setting private key from file `%s'",
-					resolved_path_buff
-				);
-				SSL_CTX_free(ctx);
-				return FAILURE;
-			} else {
-				sslsock->sni_certs[i].name = pestrdup(ZSTR_VAL(key), php_stream_is_persistent(stream));
-				sslsock->sni_certs[i].ctx = ctx;
-				++i;
 			}
+			convert_to_string_ex(local_cert);
+			if (!VCWD_REALPATH(Z_STRVAL_P(local_cert), resolved_cert_path_buff)) {
+				php_error_docref(NULL, E_WARNING,
+					"failed setting local cert chain file `%s'; file not found"
+				);
+				return FAILURE;
+			}
+			local_pk = zend_hash_str_find(Z_ARRVAL_P(current), "local_pk", sizeof("local_pk")-1);
+			if (local_pk == NULL) {
+				php_error_docref(NULL, E_WARNING,
+					"local_pk not present in the array"
+				);
+				return FAILURE;
+			}
+			convert_to_string_ex(local_pk);
+			if (!VCWD_REALPATH(Z_STRVAL_P(local_pk), resolved_pk_path_buff)) {
+				php_error_docref(NULL, E_WARNING,
+					"failed setting local private key file `%s'; file not found",
+					Z_STRVAL_P(local_pk)
+				);
+				return FAILURE;
+			}
+
+			ctx = create_sni_server_ctx(resolved_cert_path_buff, resolved_pk_path_buff);
+
+		} else if (VCWD_REALPATH(Z_STRVAL_P(current), resolved_path_buff)) {
+			ctx = create_sni_server_ctx(resolved_path_buff, resolved_path_buff);
 		} else {
 			php_error_docref(NULL, E_WARNING,
 				"failed setting local cert chain file `%s'; file not found",
@@ -1382,12 +1423,22 @@ static int enable_server_sni(php_stream *stream, php_openssl_netstream_data_t *s
 			);
 			return FAILURE;
 		}
+
+		if (ctx == NULL) {
+			return FAILURE;
+		}
+
+		sslsock->sni_certs[i].name = pestrdup(ZSTR_VAL(key), php_stream_is_persistent(stream));
+		sslsock->sni_certs[i].ctx = ctx;
+		++i;
+
 	} ZEND_HASH_FOREACH_END();
 
 	SSL_CTX_set_tlsext_servername_callback(sslsock->ctx, server_sni_callback);
 
 	return SUCCESS;
 }
+/* }}} */
 
 static void enable_client_sni(php_stream *stream, php_openssl_netstream_data_t *sslsock) /* {{{ */
 {