<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>SSL context option listing</title>
</head>
<body><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="context.ftp.html">FTP context options</a></div>
<div class="next" style="text-align: right; float: right;"><a href="context.curl.html">CURL context options</a></div>
<div class="up"><a href="context.html">Context options and parameters</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div id="context.ssl" class="refentry">
<div class="refnamediv">
<h1 class="refname">SSL context options</h1>
<p class="refpurpose"><span class="refname">SSL context options</span> — <span class="dc-title">SSL context option listing</span></p>
</div>
<div class="refsect1 description" id="refsect1-context.ssl-description">
<h3 class="title">Description</h3>
<p class="para">
Context options for <em>ssl://</em> and <em>tls://</em>
transports.
</p>
</div>
<div class="refsect1 options" id="refsect1-context.ssl-options">
<h3 class="title">Options</h3>
<p class="para">
<dl>
<dt id="context.ssl.verify-peer">
<span class="term">
<em><code class="parameter">verify_peer</code></em>
<span class="type"><a href="language.types.boolean.html" class="type boolean">boolean</a></span>
</span>
<dd>
<p class="para">
Require verification of SSL certificate used.
</p>
<p class="para">
Defaults to <strong><code>FALSE</code></strong>.
</p>
</dd>
</dt>
<dt id="context.ssl.allow-self-signed">
<span class="term">
<em><code class="parameter">allow_self_signed</code></em>
<span class="type"><a href="language.types.boolean.html" class="type boolean">boolean</a></span>
</span>
<dd>
<p class="para">
Allow self-signed certificates. Requires
<a href="context.ssl.html#context.ssl.verify-peer" class="link"><em><code class="parameter">verify_peer</code></em></a>.
</p>
<p class="para">
Defaults to <strong><code>FALSE</code></strong>
</p>
</dd>
</dt>
<dt id="context.ssl.cafile">
<span class="term">
<em><code class="parameter">cafile</code></em>
<span class="type"><a href="language.types.string.html" class="type string">string</a></span>
</span>
<dd>
<p class="para">
Location of Certificate Authority file on local filesystem
which should be used with the <em>verify_peer</em>
context option to authenticate the identity of the remote peer.
</p>
</dd>
</dt>
<dt id="context.ssl.capath">
<span class="term">
<em><code class="parameter">capath</code></em>
<span class="type"><a href="language.types.string.html" class="type string">string</a></span>
</span>
<dd>
<p class="para">
If <em>cafile</em> is not specified or if the certificate
is not found there, the directory pointed to by <em>capath</em>
is searched for a suitable certificate. <em>capath</em>
must be a correctly hashed certificate directory.
</p>
</dd>
</dt>
<dt id="context.ssl.local-cert">
<span class="term">
<em><code class="parameter">local_cert</code></em>
<span class="type"><a href="language.types.string.html" class="type string">string</a></span>
</span>
<dd>
<p class="para">
Path to local certificate file on filesystem. It must be a PEM
encoded file which contains your certificate and private key.
It can optionally contain the certificate chain of issuers.
</p>
</dd>
</dt>
<dt id="context.ssl.passphrase">
<span class="term">
<em><code class="parameter">passphrase</code></em>
<span class="type"><a href="language.types.string.html" class="type string">string</a></span>
</span>
<dd>
<p class="para">
Passphrase with which your <em>local_cert</em> file
was encoded.
</p>
</dd>
</dt>
<dt id="context.ssl.cn-match">
<span class="term">
<em><code class="parameter">CN_match</code></em>
<span class="type"><a href="language.types.string.html" class="type string">string</a></span>
</span>
<dd>
<p class="para">
Common Name we are expecting. PHP will perform limited wildcard
matching. If the Common Name does not match this, the connection
attempt will fail.
</p>
</dd>
</dt>
<dt id="context.ssl.verify-depth">
<span class="term">
<em><code class="parameter">verify_depth</code></em>
<span class="type"><a href="language.types.integer.html" class="type integer">integer</a></span>
</span>
<dd>
<p class="para">
Abort if the certificate chain is too deep.
</p>
<p class="para">
Defaults to no verification.
</p>
</dd>
</dt>
<dt id="context.ssl.ciphers">
<span class="term">
<em><code class="parameter">ciphers</code></em>
<span class="type"><a href="language.types.string.html" class="type string">string</a></span>
</span>
<dd>
<p class="para">
Sets the list of available ciphers. The format of the string is described
in <a href="http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT" class="link external">» ciphers(1)</a>.
</p>
<p class="para">
Defaults to <em>DEFAULT</em>.
</p>
</dd>
</dt>
<dt id="context.ssl.capture-peer-cert">
<span class="term">
<em><code class="parameter">capture_peer_cert</code></em>
<span class="type"><a href="language.types.boolean.html" class="type boolean">boolean</a></span>
</span>
<dd>
<p class="para">
If set to <strong><code>TRUE</code></strong> a <em>peer_certificate</em> context option
will be created containing the peer certificate.
</p>
</dd>
</dt>
<dt id="context.ssl.capture-peer-cert-chain">
<span class="term">
<em><code class="parameter">capture_peer_cert_chain</code></em>
<span class="type"><a href="language.types.boolean.html" class="type boolean">boolean</a></span>
</span>
<dd>
<p class="para">
If set to <strong><code>TRUE</code></strong> a <em>peer_certificate_chain</em> context
option will be created containing the certificate chain.
</p>
</dd>
</dt>
<dt id="context.ssl.sni-enabled">
<span class="term">
<em><code class="parameter">SNI_enabled</code></em>
<span class="type"><a href="language.types.boolean.html" class="type boolean">boolean</a></span>
</span>
<dd>
<p class="para">
If set to <strong><code>TRUE</code></strong> server name indication will be enabled. Enabling SNI
allows multiple certificates on the same IP address.
</p>
</dd>
</dt>
<dt id="context.ssl.sni-server-name">
<span class="term">
<em><code class="parameter">SNI_server_name</code></em>
<span class="type"><a href="language.types.string.html" class="type string">string</a></span>
</span>
<dd>
<p class="para">
If set, then this value will be used as server name for server name
indication. If this value is not set, then the server name is guessed
based on the hostname used when opening the stream.
</p>
</dd>
</dt>
<dt id="context.ssl.disable-compression">
<span class="term">
<em><code class="parameter">disable_compression</code></em>
<span class="type"><a href="language.types.boolean.html" class="type boolean">boolean</a></span>
</span>
<dd>
<p class="para">
If set, disable TLS compression. This can help mitigate the CRIME attack
vector.
</p>
</dd>
</dt>
</dl>
</p>
</div>
<div class="refsect1 changelog" id="refsect1-context.ssl-changelog">
<h3 class="title">Changelog</h3>
<p class="para">
<table class="doctable informaltable">
<thead>
<tr>
<th>Version</th>
<th>Description</th>
</tr>
</thead>
<tbody class="tbody">
<tr>
<td>5.4.13</td>
<td>
Added <em><code class="parameter">disable_compression</code></em>. Requires OpenSSL >= 1.0.0.
</td>
</tr>
<tr>
<td>5.3.2</td>
<td>
Added <em><code class="parameter">SNI_enabled</code></em> and
<em><code class="parameter">SNI_server_name</code></em>.
</td>
</tr>
<tr>
<td>5.0.0</td>
<td>
Added <em><code class="parameter">capture_peer_cert</code></em>,
<em><code class="parameter">capture_peer_chain</code></em> and
<em><code class="parameter">ciphers</code></em>.
</td>
</tr>
</tbody>
</table>
</p>
</div>
<div class="refsect1 notes" id="refsect1-context.ssl-notes">
<h3 class="title">Notes</h3>
<blockquote class="note"><p><strong class="note">Note</strong>:
<span class="simpara">
Because <em>ssl://</em> is the underlying transport for the
<a href="wrappers.http.html" class="link"><em>https://</em></a> and
<a href="wrappers.ftp.html" class="link"><em>ftps://</em></a> wrappers,
any context options which apply to <em>ssl://</em> also apply to
<em>https://</em> and <em>ftps://</em>.
</span>
</p></blockquote>
<blockquote class="note"><p><strong class="note">Note</strong>:
<span class="simpara">
For SNI (Server Name Indication) to be available, then PHP must be compiled
with OpenSSL 0.9.8j or greater. Use the
<strong><code>OPENSSL_TLSEXT_SERVER_NAME</code></strong> to determine whether SNI is
supported.
</span>
</p></blockquote>
</div>
<div class="refsect1 seealso" id="refsect1-context.ssl-seealso">
<h3 class="title">See Also</h3>
<p class="para">
<ul class="simplelist">
<li class="member"><a href="context.socket.html" class="xref">Socket context options</a></li>
</ul>
</p>
</div>
</div><hr /><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="context.ftp.html">FTP context options</a></div>
<div class="next" style="text-align: right; float: right;"><a href="context.curl.html">CURL context options</a></div>
<div class="up"><a href="context.html">Context options and parameters</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div></body></html>
