3

I read a lot of php manpages but only found information about SNI support in contexts - http://www.php.net/manual/en/context.ssl.php

Is it possible to obtain SNI send by browser when PHP is working as a server? Server is created using standard stream_socket_server() as described in eg. this post: http://www.php.net/manual/en/function.stream-socket-server.php#98616

kiler129
  • 1,063
  • 2
  • 11
  • 21
  • Wait, so you're saying that you have an HTTP server *written* in PHP, that's accepting SSL requests? Can you tell us why you'd do such a thing? – Charles Jan 01 '14 at 08:54
  • @Charles: transparent proxy server. I've a lot of servers written in pure PHP (but most of them are non-http). It's pretty good language if you know how to use it ;) – kiler129 Jan 01 '14 at 14:19
  • Good architects also know when to use a nail hammer, a sledgehammer, and a jackhammer for different jobs. :) PHP is the wrong tool for the job you're trying to make it do. Further, it looks like [support would have to be expressly present at the C level](http://stackoverflow.com/q/5113333/168868) to get OpenSSL to support SNI server-side, and it's not clear how to expose that functionality to PHP sockets... – Charles Jan 01 '14 at 18:09

1 Answers1

5

Yes, server-side SNI support is available in PHP >= 5.6

Example Usage:

$ctx = stream_context_create(["ssl" => [
    "local_cert" => "/path/to/cert.pem",
    "SNI_server_certs" => [
        "domain1.com" => "/path/to/domain1.pem",
        "*.domain2.com" => "/path/to/domain2.pem",
        "domain3.com" => "/path/to/domain3.pem"
    ]
]]);

Notes:

  • The "SNI_server_certs" SSL context option maps host names to appropriate certs should a client handshake advertise SNI capability.
  • Prefixing a *. will utilize the matching cert if a client requests the primary host name or any subdomain thereof. So in the above example our domain2.pem will be used both for requests to domain2.com and subdomain.domain2.com
  • The "SNI_server_certs" ctx option has no effect for client streams.
  • SNI support is enabled by default as of 5.6 for both servers and clients. Servers must specify the "SNI_server_certs" array to actually use the SNI extension, though.
  • If the "SNI_enabled" => false ctx option is also passed then the "SNI_server_certs" array has no effect.
  • While supporting SNI by itself is enough to successfully negotiate the TLS handshake with many clients, servers MUST still specify a "local_cert" ctx option or run the risk of connection failures from clients that do not support the SNI extension.

Prior to PHP 5.6 server-side SNI is not possible ...

This is because encrypted PHP servers currently only use a single OpenSSL SSL_CTX C struct internally. Deploying SNI in a server requires a separate SSL_CTX for each individual certificate you wish to present.

Other New 5.6 TLS Features

There are quite a few SSL/TLS improvements for encrypted servers in the forthcoming PHP 5.6 release beyond SNI support. You can read about some of them here: