php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #68879 IP Address fields in subjectAltNames not used
Submitted: 2015-01-21 19:40 UTC Modified: 2015-03-05 05:49 UTC
From: fabian at ritter-vogt dot de Assigned: rdlowrey (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.6.4 OS: openSUSE 13.1
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: fabian at ritter-vogt dot de
New email:
PHP Version: OS:

 

 [2015-01-21 19:40 UTC] fabian at ritter-vogt dot de 
Description:
------------
The server at 10.2.0.1 has a certificate with CN set to the hostname and subjectAltNames set to the hostname and also IP-Address:

X509v3 Subject Alternative Name: 
                DNS:hostname.fqdn, DNS:hostname, IP Address:10.2.0.1

The certificate is correct, the import into the local trusted CA store worked:

$ curl https://10.2.0.1/some/file.html
Hi!

The php script below, however, prints the following error message:

Peer certificate CN=`hostname' did not match expected CN=`10.2.0.1'

It works if I replace "10.2.0.1" by "hostname" or "hostname.fqdn".

Test script:
---------------
<?php
file_get_contents("https://10.2.0.1/some/file.html");
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-03-04 17:31 UTC] rdlowrey@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: rdlowrey
 [2015-03-04 17:31 UTC] rdlowrey@php.net 
This is a known issue. Currently only DNS names from the subjectAltName field are checked. I'm putting this on my @TODO list. Feel free to hassle me on this bug report if this isn't addressed in the near future ;)
 [2015-03-05 05:44 UTC] rdlowrey@php.net 
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5dcace058a1384c8475e144e11310e260235dc3c
Log: Fixed bug #68879 (IP Address fields in subjectAltNames not used)
 [2015-03-05 05:44 UTC] rdlowrey@php.net
-Status: Verified +Status: Closed
 [2015-03-05 05:45 UTC] rdlowrey@php.net 
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5dcace058a1384c8475e144e11310e260235dc3c
Log: Fixed bug #68879 (IP Address fields in subjectAltNames not used)
 [2015-03-05 05:49 UTC] rdlowrey@php.net 
This has been fixed upstream with the following commit:

http://git.php.net/?p=php-src.git;a=commit;h=5dcace058a1384c8475e144e11310e260235dc3c

Only IPv4 SAN matching has been implemented. I didn't bother with IPv6 matching specifically because IP SAN names have been deprecated and CAs are no longer allowed to issue them after 2015. Any certs relying on IP SAN names must migrate away from them sooner rather than later.

Thanks for the report :)
 [2016-12-08 19:13 UTC] spam2 at rhsoft dot net 
Related To: Bug #73609
 [2017-02-01 13:17 UTC] spam2 at rhsoft dot net 
Related To: Bug #73609
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Nov 02 05:00:01 2025 UTC