Как включить ssl php
PKI Tutorials — Herong’s Tutorial Examples — v2.32, by Herong Yang
∟ Configuring PHP OpenSSL on Windows
This section provides a tutorial example on how to install and configure the PHP OpenSSL module on Windows systems. PHP OpenSSL is provided as a DLL file called php_openssl.dll.
If you want to write your own PHP program to communicate with an HTTPS Web server, you should install a PHP module to help you. Currently, the best PHP module for HTTPS communication is the OpenSSL module.
Here what I did to install and configure the OpenSSL module on my Windows system:
1. Make sure I have PHP installed properly:
herong> \local\php\php -version PHP 7.0.2 (cli) (built: Jan 6 2016 13:05:11) ( ZTS ) Copyright (c) 1997-2015 The PHP Group Zend Engine v3.0.0, Copyright (c) 1998-2015 Zend Technologies
2. Make sure the OpenSSL module DLL file is included in the PHP installation:
herong> dir \local\php\ext\php_openssl.dll 01/06/2016 02:01 PM 91,136 php_openssl.dll
3. Create the PHP configuration file, \local\php\php.ini, if it does not exist:
herong> copy \local\php\php.ini-production \local\php\php.ini 1 file(s) copied.
4. Enable the OpenSSL module by editing the configuration file with a text editor. You need to remove the comment maker (;) on two configuration lines:
. ; Directory in which the loadable extensions (modules) reside. ; http://php.net/extension-dir ; extension_dir = "./" ; On windows: extension_dir = "ext" . extension=php_openssl.dll .
I think I am ready to test the PHP OpenSSL module. See the next tutorial.
SSL context options
Peer name to be used. If this value is not set, then the name is guessed based on the hostname used when opening the stream.
Require verification of SSL certificate used.
Defaults to true .
Require verification of peer name.
Defaults to true .
Allow self-signed certificates. Requires verify_peer .
Defaults to false
Location of Certificate Authority file on local filesystem which should be used with the verify_peer context option to authenticate the identity of the remote peer.
If cafile is not specified or if the certificate is not found there, the directory pointed to by capath is searched for a suitable certificate. capath must be a correctly hashed certificate directory.
Path to local certificate file on filesystem. It must be a PEM encoded file which contains your certificate and private key. It can optionally contain the certificate chain of issuers. The private key also may be contained in a separate file specified by local_pk .
Path to local private key file on filesystem in case of separate files for certificate ( local_cert ) and private key.
Passphrase with which your local_cert file was encoded.
Abort if the certificate chain is too deep.
Defaults to no verification.
Sets the list of available ciphers. The format of the string is described in » ciphers(1).
If set to true a peer_certificate context option will be created containing the peer certificate.
If set to true a peer_certificate_chain context option will be created containing the certificate chain.
If set to true server name indication will be enabled. Enabling SNI allows multiple certificates on the same IP address.
If set, disable TLS compression. This can help mitigate the CRIME attack vector.
peer_fingerprint string | array
Aborts when the remote certificate digest doesn’t match the specified hash.
When a string is used, the length will determine which hashing algorithm is applied, either «md5» (32) or «sha1» (40).
When an array is used, the keys indicate the hashing algorithm name and each corresponding value is the expected digest.
Sets the security level. If not specified the library default security level is used. The security levels are described in » SSL_CTX_get_security_level(3).
Available as of PHP 7.2.0 and OpenSSL 1.1.0.
Changelog
| Version | Description |
|---|---|
| 7.2.0 | Added security_level . Requires OpenSSL >= 1.1.0. |
Notes
Note: Because ssl:// is the underlying transport for the https:// and ftps:// wrappers, any context options which apply to ssl:// also apply to https:// and ftps:// .
Note: For SNI (Server Name Indication) to be available, then PHP must be compiled with OpenSSL 0.9.8j or greater. Use the OPENSSL_TLSEXT_SERVER_NAME to determine whether SNI is supported.
See Also
User Contributed Notes 9 notes
There is also a crypto_type context. In older versions this was crypto_method. This is referenced on http://php.net/manual/en/function.stream-socket-enable-crypto.php
Enable SNI (Server Name Indication):
PEM must be contains certificate and private key.
$context = stream_context_create ([
‘ssl’ => [
‘SNI_enabled’ => true ,
‘SNI_server_certs’ => [
‘host1.com’ => ‘/path/host1.com.pem’ ,
‘host2.com’ => ‘/path/host2.com.pem’ ,
],
]]);
?>
I am unable to load a PEM that was generated with the stunnel tools. However, I am able to use PHP calls to generate a working PEM that is recognized both by stunnel and php, as outlined here:
This code fragment is now working for me, and with stunnel verify=4, both sides confirm the fingerprint. Oddly, if «tls://» is set below, then TLSv1 is forced, but using «ssl://» allows TLSv1.2:
$stream_context = stream_context_create([ ‘ssl’ => [
‘local_cert’ => ‘/path/to/key.pem’,
‘peer_fingerprint’ => openssl_x509_fingerprint(file_get_contents(‘/path/to/key.crt’)),
‘verify_peer’ => false,
‘verify_peer_name’ => false,
‘allow_self_signed’ => true,
‘verify_depth’ => 0 ]]);
$fp = stream_socket_client(‘ssl://ssl.server.com:12345’,
$errno, $errstr, 30, STREAM_CLIENT_CONNECT, $stream_context);
fwrite($fp, «foo bar\n»);
while($line = fgets($fp, 8192)) echo $line;
CN_match works contrary to intuitive thinking. I came across this when I was developing SSL server implemented in PHP. I stated (in code):
— do not allow self signed certs (works)
— verify peer certs against CA cert (works)
— verify the client’s CN against CN_match (does not work), like this:
stream_context_set_option($context, ‘ssl’, ‘CN_match’, ‘*.example.org’);
I presumed this would match any client with CN below .example.org domain.
Unfortunately this is NOT the case. The option above does not do that.
What it really does is this:
— it takes client’s CN and compares it to CN_match
— IF CLIENT’s CN CONTAINS AN ASTERISK like *.example.org, then it is matched against CN_match in wildcard matching fashion
Examples to illustrate behaviour:
(CNM = server’s CN_match)
(CCN = client’s CN)
— CNM=host.example.org, CCN=host.example.org —> OK
— CNM=host.example.org, CCN=*.example.org —> OK
— CNM=.example.org, CCN=*.example.org —> OK
— CNM=example.org, CCN=*.example.org —> ERROR
— CNM=*.example.org, CCN=host.example.org —> ERROR
— CNM=*.example.org, CCN=*.example.org —> OK
According to PHP sources I believe that the same applies if you are trying to act as Client and the server contains a wildcard certificate. If you set CN_match to myserver.example.org and server presents itself with *.example.org, the connection is allowed.
Everything above applies to PHP version 5.2.12.
I will supply a patch to support CN_match starting with asterisk.
Enabling SSL (https protocol) with xampp in a local PHP project
Learn how to enable the https connection to your local php project in xampp.
There are many advantages (and disadvantages) about using https in our websites. Some Browser API’s only are accesible if the connection is secure (webkitSpeechRecognition, getUserMedia etc), you cannot load insecure resources (http) from secure websites (https) and a lot of others points.
You may probably tried to simply change the url in the browser with https instead of http at the beginning, however the only thing you’ll find if you try to access in the browser will be Object not found!.
The problem talks by itself and we need to solve it , our virtual host doesn’t provide SSL support for our project, therefore we are unable to use a secure connection.
Enable SSL for a localhost URL
By default, the localhost domain allow you to access any file inside the xampp/htdocs folder. For example, if you have an HTML file namely file.html located in C:/xampp/htdocs/file.html , then you can access it in the browser at http://localhost/file.html with the HTTP protocol easily. In the same way you can access the document with the HTTPS protocol at https://localhost/file.html .
If you access your files or projects using a virtual host, then you can follow the next step.
Enable SSL for a vhost on a single project
We suppose that you already mounted a normal virtual host in the *80 port and it may look similar to :
DocumentRoot "C:/xampp/htdocs/myproject/web" DirectoryIndex index.php Options All AllowOverride All Require all granted A normal vhost that points to the port 80 in a simple symfony 3 project, nothing special and it doesn’t support https by itself.
To enable the SSL connection, you need to add the following lines inside another VirtualHost tag , basically with the same structure as you main VirtualHost tag but with the following information :
Note
The port now needs to be 443 instead of the 80.
SSLEngine on SSLCertificateFile "conf/ssl.crt/server.crt" SSLCertificateKeyFile "conf/ssl.key/server.key"The previous lines will enable the SSL in your project. Note that the paths are relative, with a normal installed xampp distribution it should work, if it doesn’t work try changing it to the absolute path. They’re normally located inside the xampp/apache/conf/ssl.key/server.key and xampp/apache/conf/ssl.crt/server.crt .
DocumentRoot "C:/xampp/htdocs/myproject/web" ServerName myproject SSLEngine on SSLCertificateFile "conf/ssl.crt/server.crt" SSLCertificateKeyFile "conf/ssl.key/server.key" Options All AllowOverride All Require all granted Remember that the important point to enable the SSL are the properties SSLEngine , SSLCertificateFile and SSLCertificateKeyFile and the correct port (443).
Now add both VirtualHost in your httpd-vhosts.conf file :
# http DocumentRoot "C:/xampp/htdocs/myproject/web" DirectoryIndex index.php Options All AllowOverride All Require all granted # https DocumentRoot "C:/xampp/htdocs/myproject/web" ServerName myproject SSLEngine on SSLCertificateFile "conf/ssl.crt/server.crt" SSLCertificateKeyFile "conf/ssl.key/server.key" Options All AllowOverride All Require all granted Save the httpd-vhosts.conf file and restart the apache service and try to connect using the https protocol.
Note
In some browsers you’ll get a warning due to a not trusted certificate, you only need to skip this warning.