update : 2015.11.03
php.shukuma.com검색:
|
OpenSSL changes in PHP 5.6.xStream wrappers now verify peer certificates and host names by default when using SSL/TLSAll encrypted client streams now enable peer verification by default. By default, this will use OpenSSL's default CA bundle to verify the peer certificate. In most cases, no changes will need to be made to communicate with servers with valid SSL certificates, as distributors generally configure OpenSSL to use known good CA bundles.
The default CA bundle may be overridden on a global basis by setting
either the openssl.cafile or openssl.capath configuration setting, or on a
per request basis by using the
While not recommended in general, it is possible to disable peer
certificate verification for a request by setting the
Certificate fingerprintsSupport has been added for extracting and verifying certificate fingerprints. openssl_x509_fingerprint() has been added to extract a fingerprint from an X.509 certificate, and two SSL stream context options have been added: capture_peer_cert to capture the peer's X.509 certificate, and peer_fingerprint to assert that the peer's certificate should match the given fingerprint. Default ciphers updatedThe default ciphers used by PHP have been updated to a more secure list based on the » Mozilla cipher recommendations, with two additional exclusions: anonymous Diffie-Hellman ciphers, and RC4.
This list can be accessed via the new
Compression disabled by default
SSL/TLS compression has been disabled by default to mitigate the CRIME
attack. PHP 5.4.13 added a
Allow servers to prefer their cipher order
The Access the negotiated protocol and cipher
The protocol and cipher that were negotiated for an encrypted stream can
now be accessed via stream_get_meta_data() or
stream_context_get_options() when the
<?php 위 예제의 출력: array(4) { ["protocol"]=> string(5) "TLSv1" ["cipher_name"]=> string(20) "ECDHE-RSA-AES128-SHA" ["cipher_bits"]=> int(128) ["cipher_version"]=> string(11) "TLSv1/SSLv3" } New options for perfect forward secrecy in encrypted stream serversEncrypted client streams already support perfect forward secrecy, as it is generally controlled by the server. PHP encrypted server streams using certificates capable of perfect forward secrecy do not need to take any additional action to enable PFS; however a number of new SSL context options have been added to allow more control over PFS and deal with any compatibility issues that may arise.
SSL/TLS version selection
It is now possible to select specific versions of SSL and TLS via the
The
<?php openssl_get_cert_locations() addedThe openssl_get_cert_locations() function has been added: it returns the default locations PHP will search when looking for CA bundles.
<?php 위 예제의 출력: array(8) { ["default_cert_file"]=> string(21) "/etc/pki/tls/cert.pem" ["default_cert_file_env"]=> string(13) "SSL_CERT_FILE" ["default_cert_dir"]=> string(18) "/etc/pki/tls/certs" ["default_cert_dir_env"]=> string(12) "SSL_CERT_DIR" ["default_private_dir"]=> string(20) "/etc/pki/tls/private" ["default_default_cert_area"]=> string(12) "/etc/pki/tls" ["ini_cafile"]=> string(0) "" ["ini_capath"]=> string(0) "" } SPKI supportSupport has been added for generating, extracting and verifying signed public key and challenges (SPKAC). openssl_spki_new(), openssl_spki_verify(), openssl_spki_export_challenge(), and openssl_spki_export() have been added to create, verify export PEM public key and associated challenge from SPKAC's generated from a KeyGen HTML5 element.
|