I learned that using ftps (ftp_ssl_connect()) under PHP for Windows is tough. You are asked to enter a long journey of building your own binaries to include O
Can I also use peer-validated stream contexts to open ftps streams?
Yes. The ftps stream wrapper utilizes the same SSL context options as the https wrapper and will be available as long as you have the openssl extension enabled in your PHP build. You can verify if the ftps wrapper is available by checking the output from stream_get_wrappers() like so:
If you have ext/openssl enabled in your php build you'll see ftps listed in the output alongside the other available stream wrappers.
So I am wildly guessing
You're really close! The only thing you need to change in your code is to replace "ftps" with "ssl" as shown here:
$ctx = stream_context_create(['ssl' => [
    'verify_peer' => true,
    'cafile' => 'd:/sandbox/mycerts.pem',
    'CN_match' => 'ftp-12345678.mywebhoster.com'
]]);
Regardless of whether you're using https, ftps or any other stream wrapper the context options governing SSL/TLS encryption are always stored in the "ssl" key.
Right? Wrong? User+Password as options now? And then what? User/Password now? Or later? I am clueless...
The ftp and ftps stream wrappers both expect the username and password in the URI as shown here:
Don't be thrown off by our specification of the user/pass in cleartext here. The stream wrapper will only send the username and password after an encrypted connection is established.
The opendir() family of functions supports the ftp wrapper (since PHP 5.0). You use these functions the same way you would with local filesystem paths:
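// TLS options always live under the "ssl" key, even for ftps:// URIs
$ctx = stream_context_create(['ssl' => [
    'verify_peer' => true,
    'cafile' => 'd:/sandbox/mycerts.pem',
    'CN_match' => 'ftp-12345678.mywebhoster.com'
]]);
$dirHandle = opendir('ftps://username:password@example.com/', $ctx);
if ($dirHandle === false) {
    // opendir() returns false when the connection or peer verification fails
    die("could not open ftps directory\n");
}
while (($file = readdir($dirHandle)) !== false) {
    echo "filename: $file\n";
}
closedir($dirHandle);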
If it doesn't work initially you should test without passing the additional context $ctx containing the SSL options. The CN (common name) field of the server's certificate must match the "CN_match" value you specify (with limited wildcard matching for subdomains). Also, prior to the forthcoming PHP-5.6 release there is no support for matching names against the Subject Alternative Name field in the remote party's certificate. Unless you're working with a development preview for 5.6 you won't have this capability (SAN matching) and the peer verification routine will fail if the server relies on SAN.
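To tell a CN mismatch from a SAN-only certificate when verification fails, the following added example (not part of the original answer) checks a certificate, in the array shape returned by openssl_x509_parse(), against the host name. The function names nameMatches() and diagnosePeerName(), the single-label wildcard rule and the sample arrays are assumptions made for illustration.

```php
<?php
// Added example. $cert has the shape returned by openssl_x509_parse();
// the arrays in $samples are constructed, not taken from real certificates.

// Assumption: "*" is honoured only as the entire leftmost label.
function nameMatches($pattern, $host)
{
    $pattern = strtolower($pattern);
    $host = strtolower($host);
    if ($pattern === $host) {
        return true;
    }
    $dot = strpos($host, '.');
    // "*.example.com" covers exactly one extra label: compare from the first dot on.
    return strncmp($pattern, '*.', 2) === 0 && $dot > 0
        && substr($host, $dot) === substr($pattern, 1);
}

// Reports which certificate field, if any, carries $host.
function diagnosePeerName(array $cert, $host)
{
    $cn = isset($cert['subject']['CN']) ? $cert['subject']['CN'] : '';
    $cnMatch = is_string($cn) && $cn !== '' && nameMatches($cn, $host);
    $sanMatch = false;
    $san = isset($cert['extensions']['subjectAltName']) ? $cert['extensions']['subjectAltName'] : '';
    foreach (explode(',', $san) as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0 && nameMatches(substr($entry, 4), $host)) {
            $sanMatch = true;
        }
    }
    if ($cnMatch) {
        $verdict = 'CN carries the host: CN_match can succeed';
    } elseif ($sanMatch) {
        $verdict = 'host only in SAN: CN_match fails before PHP 5.6';
    } else {
        $verdict = 'host not in certificate: verification should fail';
    }
    return ['cn' => $cnMatch, 'san' => $sanMatch, 'verdict' => $verdict];
}

$host = 'ftp-12345678.mywebhoster.com';
$samples = [
    ['subject' => ['CN' => $host], 'extensions' => []],
    ['subject' => ['CN' => 'shared.hosting.invalid'],
     'extensions' => ['subjectAltName' => 'DNS:*.mywebhoster.com, DNS:mywebhoster.com']],
];
foreach ($samples as $cert) {
    echo diagnosePeerName($cert, $host)['verdict'], "\n";
}
```

For a real server, pass in the result of openssl_x509_parse() on its PEM certificate in place of the constructed arrays.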