(Daniel Lowrey)
. Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
(Mark Zedwood)
+ . Fixed Bug #47030 (add new boolean "verify_host" SSL context option
+ allowing clients to verify names separately from peer certs).
+ (Daniel Lowrey)
+ . Fixed Bug #65538 ("cafile" SSL context option now supports stream
+ wrappers). (Daniel Lowrey)
+ . New openssl_get_cert_locations() function to aid CA file and peer
+ verification debugging. (Daniel Lowrey)
+ . Encrypted stream wrappers now disable TLS compression by default.
+ (Daniel Lowrey)
+ . New "capture_session_meta" SSL context option allows encrypted client and
+ server streams access to negotiated protocol/cipher information.
+ (Daniel Lowrey)
+ . New "honor_cipher_order" SSL context option allows servers to prioritize
+ cipher suites of their choosing when negotiating SSL/TLS handshakes.
+ (Daniel Lowrey)
+ . New "single_ecdh_use" and "single_dh_use" SSL context options allow for
+ improved forward secrecy in encrypted stream servers. (Daniel Lowrey)
+ . New "dh_param" SSL context option allows stream servers control over
+ the parameters when negotiating DHE cipher suites. (Daniel Lowrey)
+ . New "ecdh_curve" SSL context option allowing stream servers to specify
+ the curve to use when negotiating ephemeral ECDHE ciphers (defaults to
+ NIST P-256). (Daniel Lowrey)
+ . New "rsa_key_size" SSL context option gives stream servers control
+ over the key size (in bits) used for RSA key agreements. (Daniel Lowrey)
+ . Crypto methods for encrypted client and server streams now use
+ bitwise flags for fine-grained protocol support. (Daniel Lowrey)
+ . Added new tlsv1.0 stream wrapper to specify TLSv1 client/server method.
+ tls wrapper now negotiates TLSv1, TLSv1.1 or TLSv1.2. (Daniel Lowrey)
+ . Encrypted client streams now enable SNI by default. (Daniel Lowrey)
+ . Encrypted streams now prioritize ephemeral key agreement and high strength
+ ciphers by default. (Daniel Lowrey)
+ . New OPENSSL_DEFAULT_STREAM_CIPHERS constant exposes default cipher
+ list. (Daniel Lowrey)
+ . New STREAM_CRYPTO_METHOD_* constants for enhanced control over the crypto
+ methods negotiated encrypted server/client sessions. (Daniel Lowrey)
+ . Encrypted stream servers now automatically mitigate potential DoS vector
+ arising from client-initiated TLS renegotiation. New "reneg_limit",
+ "reneg_window" and "reneg_limit_callback" SSL context options for custom
+ renegotiation limiting control. (Daniel Lowrey)
- Pgsql:
. pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL.
- Openssl
. Peer certificates now verified by default in client socket operations
(RFC: https://wiki.php.net/rfc/tls-peer-verification). (Daniel Lowrey)
+ . New openssl.cafile and openssl.capath ini directives. (Daniel Lowrey)
23 Jan 2014, PHP 5.6.0 Alpha 1
- CLI server:
stream context's "verify_peer" setting. Encrypted transfers delegate to
operating system certificate stores by default, so many/most users *should*
be unaffected by this transparent security enhancement.
+ (https://wiki.php.net/rfc/tls-peer-verification)
========================================
2. New Features
- Added openssl crypto method stream context option.
-- Added openssl peer verification support for SAN x509 extension
+- Added support for SAN x509 extension matching in encrypted streams.
+
+- Added a range of new SSL context options for improved encrypted stream
+ security. (https://wiki.php.net/rfc/improved-tls-defaults)
+
+- Added stream wrapper support for cafile paths when verifying SSL/TLS peers.
+
+- Added support for independent peer cert and host name verification when
+ validating encrypted TLS stream peers.
+
+- Added protection against client-initiated renegotiation DoS in encrypted
+ stream servers.
+
+- Added protocol-specific tlsv1.0://, tlsv1.1:// and tlsv1.2:// encryption
+ stream wrappers. tls:// wrapper now supports TLSv1.1 and TLSv1.2 (previously
+ only supported TLSv1 method).
- Added use function and use const.
(https://wiki.php.net/rfc/use_function)
Added bool openssl_spki_verify($spkac)
Added string openssl_spki_export($spkac)
Added string openssl_spki_export_challenge($spkac)
+ Added array openssl_get_cert_locations()
- LDAP:
Added ldap_escape($value, $ignore = "", $flags = 0).
- Pgsql:
PGSQL_DML_ESCAPE int(4096)
+- Openssl:
+ STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT int(9)
+ STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT int(17)
+ STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT int(33)
+ STREAM_CRYPTO_METHOD_ANY_CLIENT int(63)
+ STREAM_CRYPTO_METHOD_TLSv1_0_SERVER int(8)
+ STREAM_CRYPTO_METHOD_TLSv1_1_SERVER int(16)
+ STREAM_CRYPTO_METHOD_TLSv1_2_SERVER int(32)
+ STREAM_CRYPTO_METHOD_ANY_SERVER int(62)
+ OPENSSL_DEFAULT_STREAM_CIPHERS string
+
========================================
10. Changes to INI File Handling
========================================
enabled and to recognize ohe value -1 for never populating the global
$HTTP_RAW_POST_DATA variable, which will be default in future PHP versions.
+- Openssl:
+ openssl.cafile and openssl.capath ini directives have been added to allow
+ global CA default specification as necessary.
+
========================================
11. Other Changes
========================================