https:// streams.
This code is essential for people writing secure applications in order to avoid
man-in-the-middle attacks, and is thus regarded as a bug fix.
It is, however, optional: you need to explicitly turn on the verification
functionality, because it relies on you to specify the certificate chain you trust.
This sample demonstrates a secured https:// request, making use of the CA
bundle shipped with curl. Note that verify_peer alone only checks the chain;
CN_match is what ties the certificate to the host you intended to reach:
<?php
$ctx = stream_context_create();
// Turn on verification
stream_context_set_option($ctx, "ssl", "verify_peer", true);
// Set the CA bundle (trusted certificate chain)
stream_context_set_option($ctx, "ssl", "cafile",
    "/usr/local/share/curl/curl-ca-bundle.crt");
// Without CN_match only the chain is checked, so any certificate issued by a
// bundled CA would be accepted for this host. Match the name we are connecting to.
stream_context_set_option($ctx, "ssl", "CN_match", "www.zend.com");
$fp = fopen("https://www.zend.com", "rb", false, $ctx);
if ($fp === false) {
    // A failed chain or CN check surfaces as a failed open; do not fall back to http://
    die("https:// request failed: connection or certificate verification error\n");
}
fpassthru($fp);
fclose($fp);
?>
This sample demonstrates how to roll your own https:// request and specify a
client certificate to use for authentication; the local_cert and passphrase
options also work with fopen().
<?php
$ctx = stream_context_create();
stream_context_set_option($ctx, "ssl", "verify_peer", true);
stream_context_set_option($ctx, "ssl", "cafile",
    "/usr/local/share/curl/curl-ca-bundle.crt");
// Set the local cert. It MUST be a PEM encoded file containing the certificate
// AND your private key. It can also contain the certificate chain of issuers.
stream_context_set_option($ctx, "ssl", "local_cert", "/path/to/my/cert.pem");
// Passphrase protecting the private key inside local_cert. Keep the file and
// this value out of world-readable source and out of version control.
stream_context_set_option($ctx, "ssl", "passphrase", "secret!");
// Set the common name that we are expecting; PHP performs limited wildcard
// matching. If the CN does not match this, the connection attempt fails.
// The value to specify is always the same as the Host: header you send.
stream_context_set_option($ctx, "ssl", "CN_match", "secure.sample.domain");
$ssl = fsockopen("ssl://secure.sample.domain", 443, $errno, $errstr, 10, $ctx);
if (!$ssl) {
    // Untrusted chain, CN mismatch and network errors all end up here.
    die("connection failed: $errstr ($errno)\n");
}
fwrite($ssl, "GET / HTTP/1.0\r\nHost: secure.sample.domain\r\n\r\n");
fpassthru($ssl);
fclose($ssl);
?>
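The two samples above set Host: and CN_match by hand, so a copy-and-paste edit can leave them pointing at different names. The following helper is an added example, not part of this change or of PHP itself: it derives both from one parsed URL, fails closed when the CA bundle or client certificate is unreadable, and refuses anything that is not https://. The function names and the paths in the usage at the bottom are hypothetical; the context options used are exactly the ones documented above (verify_peer, cafile, CN_match, local_cert, passphrase). On PHP 5.6 and later the name check option is called peer_name and verification is on by default, so adjust the option name there.

```php
<?php
// Added example; assumes the ssl context options described in this change.

/**
 * Build a stream context that verifies the server chain against $cafile and
 * requires the certificate CN to match $host. Optional client cert (PEM with
 * private key) and passphrase for client authentication.
 */
function build_verified_ssl_context($host, $cafile, $local_cert = null, $passphrase = null)
{
    if (!is_readable($cafile)) {
        // Fail closed: a missing bundle must not silently degrade to "no verification".
        throw new RuntimeException("CA bundle not readable: $cafile");
    }
    $ssl = array(
        "verify_peer" => true,   // check the chain against cafile
        "cafile"      => $cafile,
        "CN_match"    => $host,  // check the name, not just the chain
    );
    if ($local_cert !== null) {
        if (!is_readable($local_cert)) {
            throw new RuntimeException("client certificate not readable: $local_cert");
        }
        $ssl["local_cert"] = $local_cert;
        if ($passphrase !== null) {
            $ssl["passphrase"] = $passphrase;
        }
    }
    return stream_context_create(array("ssl" => $ssl));
}

/**
 * Verified HTTPS GET. Host: header and CN_match come from the same parsed URL,
 * so they cannot drift apart. Returns array($status, $headers, $body).
 */
function https_get($url, $cafile, $local_cert = null, $passphrase = null, $timeout = 10)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts["scheme"], $parts["host"])
        || strtolower($parts["scheme"]) !== "https") {
        throw new InvalidArgumentException("only https:// URLs are accepted: $url");
    }
    $host = $parts["host"];
    $port = isset($parts["port"]) ? (int) $parts["port"] : 443;
    $path = (isset($parts["path"]) && $parts["path"] !== "") ? $parts["path"] : "/";
    if (isset($parts["query"])) {
        $path .= "?" . $parts["query"];
    }

    $ctx = build_verified_ssl_context($host, $cafile, $local_cert, $passphrase);
    // ssl:// with an explicit port, as in the fsockopen() sample above.
    $fp = @fsockopen("ssl://$host", $port, $errno, $errstr, $timeout, $ctx);
    if (!$fp) {
        // An untrusted chain or a CN mismatch surfaces here as a failed connect.
        throw new RuntimeException("connect/verify failed for $host:$port: $errstr ($errno)");
    }
    $hostHeader = ($port === 443) ? $host : "$host:$port";
    fwrite($fp, "GET $path HTTP/1.0\r\nHost: $hostHeader\r\nConnection: close\r\n\r\n");
    $raw = stream_get_contents($fp);
    fclose($fp);

    // Minimal HTTP/1.0 response split: status line, headers, blank line, body.
    $split = strpos($raw, "\r\n\r\n");
    if ($split === false) {
        throw new RuntimeException("malformed HTTP response from $host");
    }
    $lines = explode("\r\n", substr($raw, 0, $split));
    $body = substr($raw, $split + 4);
    $statusLine = array_shift($lines);
    if (!preg_match('#^HTTP/\d\.\d (\d{3})#', $statusLine, $m)) {
        throw new RuntimeException("bad status line from $host: $statusLine");
    }
    $headers = array();
    foreach ($lines as $line) {
        $kv = explode(":", $line, 2);
        if (count($kv) === 2) {
            $headers[strtolower(trim($kv[0]))] = trim($kv[1]);
        }
    }
    return array((int) $m[1], $headers, $body);
}

// Usage (hypothetical paths; the host is the one from the samples above).
try {
    list($status, $headers, $body) = https_get(
        "https://secure.sample.domain/",
        "/usr/local/share/curl/curl-ca-bundle.crt"
    );
    echo "status $status, " . strlen($body) . " bytes\n";
} catch (Exception $e) {
    echo "failed: " . $e->getMessage() . "\n";
}
```

Because the name is derived from the URL, a request to https://secure.sample.domain/ can never be satisfied by a certificate for some other host in the bundle, and a wrong or missing CA file raises before any socket is opened rather than degrading to an unverified connection.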
Also, some problems with CGI initialization should be eliminated.
Renamed some pkey functions to be more consistent.
# Added aliases for older names; not sure if we should keep those.