Bug #51100 Patch for CN_match to support wildcards
Submitted: 2010-02-20 19:27 UTC Modified: 2013-10-10 12:02 UTC
Votes:4
Avg. Score:4.0 ± 1.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bostjan at a2o dot si Assigned: pajoye (profile)
Status: Closed Package: Streams related
PHP Version: 5.2.12 OS: Linux (Slackware
Private report: No CVE-ID: None
 [2010-02-20 19:27 UTC] bostjan at a2o dot si
Description:
------------
Stream context option CN_match does not support wildcard CN matching on the PHP side. It only supports matching if a client connecting to PHP presents itself with a wildcard in the CN, or if PHP connects to a server which presents itself with a wildcard in the CN.

See my comment from 20Feb2010 here:
http://www.php.net/manual/en/context.ssl.php

Here is a link to a patch which enables "limited wildcard matching" if an asterisk is present in CN_match.
http://source.a2o.si/php/php-ext-openssl-CN_match-wildcard.diff

Reproduce code:
---------------
####### SERVER
<?php
// Create the context (local_cert, verify_peer and cafile for the client CA
// would be set here as well)
$ctx = stream_context_create();
...

// Set relevant option
stream_context_set_option($ctx, 'ssl', 'CN_match', '*.example.org');

// Create the server socket
$server = stream_socket_server('ssl://0.0.0.0:9001', $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $ctx);
if ($server === false) {
    die("stream_socket_server failed: $errstr ($errno)");
}

// Accept a client; this is the call that emits the warning shown below
$client = stream_socket_accept($server);


####### COMMAND LINE CLIENT
$ openssl s_client -host localhost -port 9001 -cert host.example.org.cert


Expected result:
----------------
Successful connection

Actual result:
--------------
Connection is closed with following warning message:

Warning: stream_socket_accept(): Peer certificate CN=`host.example.org' did not match expected CN=`*.example.org' in...


History

 [2010-02-20 23:06 UTC] pajoye@php.net
This feature is already implemented as far as I can tell; if it does not work, then let's fix it.
 [2010-03-03 00:23 UTC] bostjan at a2o dot si
Current implementation supports wildcard CN in remote certificate only.

Attached patch enables you to specify: 

CN_match = *.mydomain.com

This in turn enables you to SSL connect to all hosts under a given domain (host1.mydomain.com, host2.mydomain.com).


BTW it is more useful the other way around:
- if you create a server which authenticates clients against CA certificate
- then you can specify that you only allow certain 'type' of clients
---> i.e. CN_match=*.backbone.mydomain.com
- then all the backbone servers are able to connect.
- all the other CNs will fail (i.e. server1.db.mydomain.com)
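The allow-list the report and the comment above describe (accept only peers whose certificate name is one label under a fixed suffix) can be enforced in userland without relying on CN_match, which is also where the practitioner-facing pitfalls live: a wildcard must be restricted to the left-most label, it must cover exactly one label, and the subjectAltName extension takes precedence over the CN. The following is an added example, not code from the reporter, from the patch, or from PHP itself. The function names (matchesCnPattern, certificateDnsNames, certificateAuthorized, acceptAuthorizedClient) and the sample certificate arrays are mine; the accept helper assumes the server context was created with verify_peer, cafile and capture_peer_cert set, and that PHP exposes the accepted client's certificate through the peer_certificate context option of the accepted stream.

```php
<?php
declare(strict_types=1);

/**
 * Limited wildcard matcher: "*" is accepted only as the entire left-most label
 * of $pattern and stands for exactly one hostname label. Patterns such as
 * "*.com", "*", "host*.example.org" or "a.*.example.org" never match anything.
 * Comparison is case-insensitive and ignores a trailing dot.
 */
function matchesCnPattern(string $pattern, string $name): bool
{
    $pattern = strtolower(rtrim($pattern, '.'));
    $name    = strtolower(rtrim($name, '.'));
    if ($pattern === '' || $name === '' || strpos($name, '*') !== false) {
        return false;                       // a peer presenting a wildcard name is not a specific host
    }
    if (strpos($pattern, '*') === false) {
        return $pattern === $name;          // no wildcard: exact match only
    }
    if (substr_count($pattern, '*') !== 1 || strncmp($pattern, '*.', 2) !== 0) {
        return false;                       // wildcard must be the whole left-most label
    }
    $suffix = substr($pattern, 2);          // e.g. "backbone.mydomain.com"
    if (substr_count($suffix, '.') < 1) {
        return false;                       // refuse "*.com"-style patterns
    }
    $labels = explode('.', $name);
    if ($labels[0] === '' || count($labels) !== substr_count($suffix, '.') + 2) {
        return false;                       // wildcard covers exactly one non-empty label
    }
    return implode('.', array_slice($labels, 1)) === $suffix;
}

/**
 * DNS names a certificate claims: the subjectAltName dNSName entries when the
 * extension is present, and the subject CN only as a fallback when it is not.
 * $parsed is the array returned by openssl_x509_parse().
 */
function certificateDnsNames(array $parsed): array
{
    $names = [];
    foreach (explode(',', (string)($parsed['extensions']['subjectAltName'] ?? '')) as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = substr($entry, 4);
        }
    }
    if ($names === [] && isset($parsed['subject']['CN'])) {
        $names[] = $parsed['subject']['CN'];
    }
    return $names;
}

/** True when at least one name the certificate claims matches the allow-list pattern. */
function certificateAuthorized(array $parsed, string $pattern): bool
{
    foreach (certificateDnsNames($parsed) as $name) {
        if (matchesCnPattern($pattern, $name)) {
            return true;
        }
    }
    return false;
}

/**
 * Accept one TLS client and enforce the allow-list in userland.
 * Assumption: $server was created with an ssl context carrying
 * 'verify_peer' => true, 'cafile' => <client CA bundle>, 'capture_peer_cert' => true,
 * so the handshake already validated the chain and the client's certificate is
 * available as the 'peer_certificate' option of the accepted stream's context.
 */
function acceptAuthorizedClient($server, string $pattern, int $timeout = 30)
{
    $client = stream_socket_accept($server, $timeout);
    if ($client === false) {
        return null;
    }
    $cert   = stream_context_get_options($client)['ssl']['peer_certificate'] ?? null;
    $parsed = $cert ? openssl_x509_parse($cert) : false;
    if ($parsed === false || !certificateAuthorized($parsed, $pattern)) {
        fclose($client);                    // chain verified, but the name is not on the allow-list
        return null;
    }
    return $client;
}

// Offline demonstration on constructed certificate data (no network, no real certificates).
$pattern = '*.backbone.mydomain.com';
$samples = [
    'backbone host, CN only' => ['subject' => ['CN' => 'host1.backbone.mydomain.com']],
    'db host, CN only'       => ['subject' => ['CN' => 'server1.db.mydomain.com']],
    'one label too deep'     => ['subject' => ['CN' => 'a.b.backbone.mydomain.com']],
    'SAN overrides CN'       => ['subject' => ['CN' => 'host2.backbone.mydomain.com'],
                                 'extensions' => ['subjectAltName' => 'DNS:other.example.net']],
    'wildcard client cert'   => ['subject' => ['CN' => '*.backbone.mydomain.com']],
];
foreach ($samples as $label => $parsed) {
    printf("%-24s %s\n", $label, certificateAuthorized($parsed, $pattern) ? 'allowed' : 'rejected');
}
```

Of the five constructed samples only the first is allowed: the db host has the wrong suffix, the deeper name would need the wildcard to span two labels, the certificate with a subjectAltName is judged by that extension rather than its CN, and a client presenting a wildcard name is refused outright. Note that since PHP 5.6 the expected peer name is configured with the peer_name context option and CN_match is deprecated; the built-in check in those versions also consults subjectAltName, so a userland check like this one should match that precedence rather than look at the CN alone.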
 [2013-10-10 12:02 UTC] mike@php.net
-Status: Assigned +Status: Closed
 [2013-10-10 12:02 UTC] mike@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.