cleanup

cleanup (use zend_string* instead of char*)

fix TS build

Bug #41631: Observe socket read timeouts in SSL streams

Make stream->context indirect trough zend_resource (stream->ctx->ptr).
Fixed ext/standard/tests/streams/bug61115.phpt

Moved streams related functions to xp_ssl.c

Wildcards should only be used in the first name component; fixed comment style

Fixed #67666 - Subject altName doesn't match wildcards

Add ifdef on ecdh for single_ecdh_use

Allows build with OpenSSL < 0.9.8

Added support for ext/openssl

Bug #66840: Fix broken build when extension built separately

fix ZTS

Add encrypted server SNI support

- New "SNI_server_certs" context option maps host names to
appropriate certs should client handshakes advertise the
SNI extension:

$

Add encrypted server SNI support

- New "SNI_server_certs" context option maps host names to
appropriate certs should client handshakes advertise the
SNI extension:

$ctx = stream_context_create(["ssl" => [
"local_cert" => "/path/to/cert.pem",
"SNI_server_certs" => [
"domain1.com" => "/path/to/domain1.pem",
"*.domain2.com" => "/path/to/domain2.pem",
"domain3.com" => "/path/to/domain3.pem"
]
]]);

- Prefixing a "*." will utilize the matching cert if a client
requests the primary host name or any subdomain thereof. So
in the above example our "domain2.pem" will be used for both
requests to "domain2.com" -and- "subdomain.domain2.com"
- The "SNI_server_certs" ctx option has no effect for client
streams.
- SNI support is enabled by default as of 5.6 for both servers
and clients. Servers must specify the "SNI_server_certs" array
to actually use the SNI extension, though.
- If the `"SNI_enabled" => false` ctx option is also passed then
"SNI_server_certs" has no effect.
- While supporting SNI by itself is enough to successfully
negotiate the TLS handshake with many clients, servers MUST
still specify a "local_cert" ctx option or run the risk of
connection failures from clients that do not support the SNI
extension.

show more ...

Raise timeout to 2s, reworded ssl timeout warning

Refactor + reorganize openssl files

- All streams-related code now lives in xp_ssl.c. Previously
stream code was split across both openssl.c and xp_ssl.c
- Folded superfluous php_o

Refactor + reorganize openssl files

- All streams-related code now lives in xp_ssl.c. Previously
stream code was split across both openssl.c and xp_ssl.c
- Folded superfluous php_openssl_structs.h into xp_ssl.c
- Server-specific options now set on SSL_CTX instead of SSL
- Deprecate SNI_server_name ctx option
- Miscellaneous refactoring

show more ...

Capture peer cert even if verify fails

Previously the "capture_peer_cert" SSL context option only
captured the peer's certificate if the verification routine
succeeded.

By a

Capture peer cert even if verify fails

Previously the "capture_peer_cert" SSL context option only
captured the peer's certificate if the verification routine
succeeded.

By also capturing the on verify failure applications have the
ability to parse the cert and ask users whether they wish to
proceed given the information presented by the peer.

show more ...

Prevent implicit function declaration when TLSEXT unavailable

fix linkage

"extern inline" looks like tricky case for portability, but extern
is required with VS. So reduce the case to a starndard one to avoid
unporbatibily.

Fix build against older OpenSSL libs

Fix build against older OpenSSL libs

Mitigate client-initiated SSL renegotiation DoS

C89 compat

Improve OpenSSL compile flag compatibility, minor updates

Use crypto method flags; add tlsv1.0 wrapper; add wrapper tests

Improve server forward secrecy, refactor client SNI