SSL context options
SSL context option listing
Context options for `ssl://` and `tls://` transports.
`peer_name` `string`
Peer name to be used. If this value is not set, then the name is guessed based on the hostname used when opening the stream.
`verify_peer` `bool`
Require verification of SSL certificate used. Defaults to true.
`verify_peer_name` `bool`
Require verification of peer name. Defaults to true.
`allow_self_signed` `bool`
Allow self-signed certificates. Requires `verify_peer`. Defaults to false.
`cafile` `string`
Location of Certificate Authority file on local filesystem which should be used with the `verify_peer` context option to authenticate the identity of the remote peer.
`capath` `string`
If `cafile` is not specified or if the certificate is not found there, the directory pointed to by `capath` is searched for a suitable certificate. `capath` must be a correctly hashed certificate directory.
`local_cert` `string`
Path to local certificate file on filesystem. It must be a PEM encoded file which contains your certificate and private key. It can optionally contain the certificate chain of issuers. The private key also may be contained in a separate file specified by `local_pk`.
`local_pk` `string`
Path to local private key file on filesystem in case of separate files for certificate (`local_cert`) and private key.
`passphrase` `string`
Passphrase with which your `local_cert` file was encoded.
`verify_depth` `int`
Abort if the certificate chain is too deep. Defaults to no verification.
`ciphers` `string`
Sets the list of available ciphers. The format of the string is described in ciphers(1). Defaults to `DEFAULT`.
`capture_peer_cert` `bool`
If set to true a `peer_certificate` context option will be created containing the peer certificate.
`capture_peer_cert_chain` `bool`
If set to true a `peer_certificate_chain` context option will be created containing the certificate chain.
`SNI_enabled` `bool`
If set to true server name indication will be enabled. Enabling SNI allows multiple certificates on the same IP address.
`disable_compression` `bool`
If set, disable TLS compression. This can help mitigate the CRIME attack vector.
`peer_fingerprint` `string` | `array`
Aborts when the remote certificate digest doesn't match the specified hash.
When a `string` is used, the length will determine which hashing algorithm is applied, either "md5" (32) or "sha1" (40).
When an `array` is used, the keys indicate the hashing algorithm name and each corresponding value is the expected digest.
`security_level` `int`
Sets the security level. If not specified the library default security level is used. The security levels are described in SSL_CTX_get_security_level(3).
Available as of PHP 7.2.0 and OpenSSL 1.1.0.
Note: Because `ssl://` is the underlying transport for the `https://` and `ftps://` wrappers, any context options which apply to `ssl://` also apply to `https://` and `ftps://`.
Note: For SNI (Server Name Indication) to be available, PHP must be compiled with OpenSSL 0.9.8j or greater. Use the `OPENSSL_TLSEXT_SERVER_NAME` constant to determine whether SNI is supported.
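
A small audit of an `ssl` option array against the defaults and caveats listed above, shown as an added example that is not part of the PHP manual. `auditSslOptions()`, the digests and the CA path are hypothetical, and the preference for sha256 in the array form of `peer_fingerprint` is this example's own choice.

```php
<?php
// Added example; auditSslOptions() and the sample values are hypothetical.
function auditSslOptions(array $ssl): array
{
    // Defaults as documented above; other options are checked only when set.
    $opt = $ssl + ['verify_peer' => true, 'verify_peer_name' => true,
                   'allow_self_signed' => false];
    $findings = [];
    if (!$opt['verify_peer']) {
        $findings[] = 'verify_peer is off: the certificate chain is not validated';
    }
    if (!$opt['verify_peer_name']) {
        $findings[] = 'verify_peer_name is off: the certificate is not matched to the peer name';
    }
    if ($opt['allow_self_signed']) {
        $findings[] = 'allow_self_signed is on: self-signed certificates are accepted';
    }
    if (($opt['disable_compression'] ?? true) === false) {
        $findings[] = 'disable_compression is off: TLS compression may be negotiated (CRIME)';
    }
    if (isset($opt['peer_fingerprint'])) {
        $fp = $opt['peer_fingerprint'];
        // String form: the digest length selects md5 (32) or sha1 (40).
        $algos = is_array($fp)
            ? array_keys($fp)
            : [[32 => 'md5', 40 => 'sha1'][strlen($fp)] ?? 'unrecognised-length'];
        foreach ($algos as $algo) {
            if (in_array(strtolower((string) $algo), ['md5', 'sha1', 'unrecognised-length'], true)) {
                $findings[] = "peer_fingerprint uses $algo; prefer the array form with sha256";
            }
        }
    }
    return $findings;
}

// Constructed sample configurations (digests and path are placeholders).
$weak = ['verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true,
         'peer_fingerprint' => str_repeat('ab', 20)]; // 40 hex chars, read as sha1
$hardened = ['verify_peer' => true, 'verify_peer_name' => true,
             'cafile' => '/path/to/ca-bundle.pem', 'disable_compression' => true,
             'peer_fingerprint' => ['sha256' => str_repeat('ab', 32)]];

foreach (['weak' => $weak, 'hardened' => $hardened] as $name => $ssl) {
    echo $name, ': ', implode('; ', auditSslOptions($ssl)) ?: 'no findings', PHP_EOL;
}
// Pass the audited array as stream_context_create(['ssl' => $hardened]).
```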