In addition to the RFC for TLS peer verification here's a heads-up for
those interested in some of the recent updates to ext/openssl ... we've had
some quality improvements in the area of TLS encryption and Michael (@m6w6)
has been really helpful getting these PRs merged. I'd have to check to see
what's in 5.5 and what is slated for 5.6 but ...
Peer cert fingerprint comparisons are really easy now (insert NSA joke
here):
https://github.com/php/php-src/commit/edd93f34520b550c4c42877fe9e03112cad005ba
Added support for building against OpenSSLv1.0.1 (required for TLS > v1.0):
https://github.com/php/php-src/commit/b026993a74f452c5f6a689124b4ad4d7b3ac2491
Added support for TLSv1.1 and TLSv1.2:
https://github.com/php/php-src/commit/2ddefbd2b3027882490eb997fc7bc13185a67207
Streams may now specify the crypto method (SSLv2, SSLv3, TLS1.0, etc) as a
context option:
https://github.com/php/php-src/commit/ce2789558a970057539094ca9019d98ff09e831e
Peer verification now utilizes the Subject Alternative Name (SAN) X.509
extension:
https://github.com/php/php-src/commit/1970b964430a357d9c9acf01268849d86a99f4ec
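As an added example (my own, not code from the post or from the linked commits), here is a client that combines the options described above into one stream context: a pinned crypto method, CA-based peer and hostname verification, and a peer fingerprint pin. The option names are those of the PHP 5.6 ext/openssl stream context as I know them; the host, CA bundle path and pinned SHA-1 value are placeholders to replace.

```php
<?php
// Added example, not from the post. Placeholders: $host, the cafile path
// and $expectedSha1 (the 40-hex SHA-1 digest of the expected leaf cert).
$host         = 'example.com';                       // placeholder
$port         = 443;
$expectedSha1 = 'REPLACE_WITH_40_HEX_SHA1_OF_PEER_CERT'; // placeholder

$ctx = stream_context_create(array(
    'ssl' => array(
        // Crypto method as a context option: accept only TLS 1.2 here.
        'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
        // Verify the chain against a CA bundle and check the hostname
        // (the name check covers the SAN extension, as described above).
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'peer_name'         => $host,
        'cafile'            => '/etc/ssl/certs/ca-certificates.crt', // placeholder
        // Fingerprint pin: the handshake fails if the leaf cert's SHA-1
        // digest differs from the expected value.
        'peer_fingerprint'  => array('sha1' => $expectedSha1),
        // Keep the peer certificate so it can be inspected afterwards.
        'capture_peer_cert' => true,
    ),
));

$client = @stream_socket_client(
    "tls://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx
);
if ($client === false) {
    // Protocol, chain, hostname or fingerprint failures all land here.
    fwrite(STDERR, "connect failed: [$errno] $errstr\n");
    exit(1);
}

// Log the observed fingerprint; useful when rotating the pinned value.
$params = stream_context_get_params($client);
if (isset($params['options']['ssl']['peer_certificate'])) {
    $cert = $params['options']['ssl']['peer_certificate'];
    echo "peer sha1: ", openssl_x509_fingerprint($cert, 'sha1'), "\n";
}
fclose($client);
```

A mismatched pin or a server that only offers TLS 1.0 makes `stream_socket_client()` return false, so the failure is visible to the caller rather than silently downgraded.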