Fix #66942: openssl_seal() memory leak

Fix #66952: memory leak in openssl_open()

Fixed Bug #66833 Default digest algo is still MD5

Switch to SHA1, which match internal openssl hardcoded algo.

In most case, won't even be noticed
- priority on user input (defa

Fixed Bug #66833 Default digest algo is still MD5

Switch to SHA1, which match internal openssl hardcoded algo.

In most case, won't even be noticed
- priority on user input (default_md)
- fallback on system config
- fallback on this default value

Recent system reject MD5 digest, noticed in bug36732.phpt failure.

While SHA1 is better than MD5, SHA256 is recommenced,
and defined as default algo in provided configuration on
recent system (Fedora 21, RHEL-7, ...). But the idea is to
keep in sync with openssl internal value for PHP internal value.

show more ...

Typo fix: sicret -> secret

Refactor + reorganize openssl files

- All streams-related code now lives in xp_ssl.c. Previously
stream code was split across both openssl.c and xp_ssl.c
- Folded superfluous php_o

Refactor + reorganize openssl files

- All streams-related code now lives in xp_ssl.c. Previously
stream code was split across both openssl.c and xp_ssl.c
- Folded superfluous php_openssl_structs.h into xp_ssl.c
- Server-specific options now set on SSL_CTX instead of SSL
- Deprecate SNI_server_name ctx option
- Miscellaneous refactoring

show more ...

Windows cert verify improvements + leak fixes

- Clean up properly at all fail points in native Windows peer
verification routine
- Bring certificate usages and chain flags into lin

Windows cert verify improvements + leak fixes

- Clean up properly at all fail points in native Windows peer
verification routine
- Bring certificate usages and chain flags into line with chromium
implementation in windows environments

show more ...

Deprecate CN_match in favor of peer_name in SSL contexts

kick redundant include

this is already present from php.h

Tolerate non-standard newlines when parsing stream CA files

Change openssl directives to PHP_INI_PERDIR

Because openssl.cafile and openssl.capath have implications for
security these directives have been changed to PHP_INI_PERDIR
(previously

Change openssl directives to PHP_INI_PERDIR

Because openssl.cafile and openssl.capath have implications for
security these directives have been changed to PHP_INI_PERDIR
(previously PHP_INI_ALL)

show more ...

Add peer certificate verification on windows

Peer certificate verification on Windows using the native certificate store and the Windows API

fix linkage

"extern inline" looks like tricky case for portability, but extern
is required with VS. So reduce the case to a starndard one to avoid
unporbatibily.

Mitigate client-initiated SSL renegotiation DoS

Use crypto method flags; add tlsv1.0 wrapper; add wrapper tests

Add openssl_get_cert_locations() function

Explicitly set cert verify depth if not specified

Strengthen default cipher list

Skip failing tests when EC unavailable (RHEL)

Fixed broken build when EC unavailable

Fix Bug #65538 (cafile now supports stream wrappers)

Fix for bug66501 - "key type not supported in this PHP build"

Add missing TSRMLS_CC

Bug #47030 (separate host and peer verification)

Verify peers by default in client socket operations

Prevent invalid SAN peer verification on null byte prefix attack

Bump year