use encoding settings honor default_charset.
(https://wiki.php.net/rfc/default_encoding)
-- The php://input stream is now re-usable and can be used concurrently with
+- The php://input stream is now re-usable and can be used concurrently with
enable_post_data_reading=0.
+- Added use function and use const.
+ (https://wiki.php.net/rfc/use_function)
+
- Added gost-crypto (CryptoPro S-box) hash algo.
-- Added openssl certificate fingerprint support (inclusive stream context
+- Added openssl certificate fingerprint support (inclusive stream context
option).
-- Added openssl crypto method stream context option.
-
-- Added support for SAN x509 extension matching in encrypted streams.
+- Added support for SAN x509 extension matching when verifing host names in
+ encrypted streams.
- Added a range of new SSL context options for improved encrypted stream
- security. (https://wiki.php.net/rfc/improved-tls-defaults)
+ server security (https://wiki.php.net/rfc/improved-tls-defaults):
+
+ + "honor_cipher_order" allows servers to prioritize cipher suites of their
+ choosing when negotiating SSL/TLS handshakes.
+ + "single_ecdh_use" and "single_dh_use" allow for improved forward
+ secrecy in encrypted stream servers.
+ + "dh_param" allows specification of pre-generated key generation
+ parameters when negotiating ephemeral DHE ciphers in stream servers.
+ + "ecdh_curve" allows stream servers to specify which curve to use when
+ negotiating ephemeral ECDHE ciphers (defaults to NIST P-256).
+ + "rsa_key_size" SSL context option gives stream servers control
+ over the key size (in bits) used when negotiating RSA ciphers.
+ + "capture_session_meta" if specified stores an array of data describing
+ the TLS session's protocol/cipher in the "session_meta" SSL context key.
-- Added stream wrapper support for cafile paths when verifying SSL/TLS peers.
+- Added automatic mitigation against client-initated TLS renegotiation DoS
+ attacks in encrypted server streams. Renegotiation limiting may be
+ customized via three new SSL context options:
-- Added support for independent peer cert and host name verification when
- validating encrypted TLS stream peers.
+ + "reneg_limit" (number of allowed renegotiations per time window)
+ + "reneg_window" (renegotiation time window in seconds)
+ + "reneg_limit_callback" (optional notification callback on limiting)
-- Added protection against client-initiated renegotiation DoS in encrypted
- stream servers.
+- Added "crypto_method" SSL context option for use in encrypted streams.
+
+- Added stream wrapper support when specifying "cafile" SSL context paths.
+
+- Independent peer cert and host names validation is now available via a new
+ "verify_host" SSL context option.
- Added protocol-specific tlsv1.0://, tlsv1.1:// and tlsv1.2:// encryption
stream wrappers. tls:// wrapper now supports TLSv1.1 and TLSv1.2 (previously
- only supported TLSv1 method).
+ only supported TLSv1).
-- Added use function and use const.
- (https://wiki.php.net/rfc/use_function)
+- Stream crypto method specification now accepts flags instead of values
+ allowing support for multiple discrete protocols in a given stream.
========================================
2. Changes in SAPI modules
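Review bot: two spelling errors in the added lines: "verifing" in the SAN x509 entry should read "verifying", and "client-initated" in the renegotiation DoS entry should read "client-initiated" (the removed line it replaces had it spelled correctly). In the "verify_host" entry, "Independent peer cert and host names validation" reads awkwardly; suggest "Independent peer certificate and host name validation". The "dh_param" bullet says "pre-generated key generation parameters" without naming what they are; since the same bullet refers to DHE ciphers, spelling it out as "pre-generated Diffie-Hellman parameters" would make the option's purpose clear to someone reading only UPGRADING.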