php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #55618 CN_match case insenstive compare
Submitted: 2011-09-06 09:05 UTC Modified: 2014-02-20 21:57 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: fkooman at tuxed dot net Assigned: rdlowrey (profile)
Status: Closed Package: OpenSSL related
PHP Version: trunk-SVN-2011-09-06 (SVN) OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: fkooman at tuxed dot net
New email:
PHP Version: OS:

 

 [2011-09-06 09:05 UTC] fkooman at tuxed dot net 
Description:
------------
CN_match does a case sensitive match to compare the name in the certificate with the name specified in the context. It should be a case insensitive match.


Test script:
---------------
<?php
$uri = 'https://ib-groep.nl/';
$hostname = 'ib-groep.nl';
$context = stream_context_create(array(
    'ssl' => array(
        'verify_peer' => TRUE,
        'allow_self_signed' => FALSE,
        'cafile' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
        'CN_match' => $hostname
    )
));
$web_content = file_get_contents($uri, FALSE, $context);
?>

Expected result:
----------------
The script should not throw any warning and fill $web_content with the data from the website.

Actual result:
--------------
PHP Warning:  file_get_contents(): Peer certificate CN=`IB-Groep.nl' did not match expected CN=`ib-groep.nl' in /home/fkooman/test.php on line 20

Patches

php-openssl-CN_match-case-insentive.txt (last revision 2011-09-06 09:06 UTC by fkooman at tuxed dot net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-09-06 10:44 UTC] cataphract@php.net 
I wouldn't be comfortable using a locale dependent function like strcasecmp() for something as matching names.
 [2011-09-06 11:06 UTC] fkooman at tuxed dot net 
Does this locale dependency refer to strcasecmp() or strcasecmp_l()? It seems the former does nothing with the locale?

Another approach might be to use toupper() and tolower() on both the CN_match value and the CN from the certificate...
 [2014-02-20 21:56 UTC] rdlowrey@php.net 
This behavior has been corrected as of PHP 5.6 for both common name (CN) matches and the newly supported subject alternative name (SAN) matching.
 [2014-02-20 21:57 UTC] rdlowrey@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: rdlowrey
 [2015-01-14 19:17 UTC] rdlowrey@php.net 
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2fe8e164f14054170ba8ad1f2a66ef1ef5acdfa
Log: Fixed bug #55618 (use case-insensitive cert name matching)
 [2015-01-14 19:17 UTC] rdlowrey@php.net
-Status: Analyzed +Status: Closed
 [2015-01-14 19:18 UTC] rdlowrey@php.net 
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2fe8e164f14054170ba8ad1f2a66ef1ef5acdfa
Log: Fixed bug #55618 (use case-insensitive cert name matching)
 [2015-01-14 19:19 UTC] rdlowrey@php.net 
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2fe8e164f14054170ba8ad1f2a66ef1ef5acdfa
Log: Fixed bug #55618 (use case-insensitive cert name matching)
 [2015-01-14 19:34 UTC] rdlowrey@php.net 
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2fe8e164f14054170ba8ad1f2a66ef1ef5acdfa
Log: Fixed bug #55618 (use case-insensitive cert name matching)
 [2015-01-21 10:24 UTC] jpauli@php.net 
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=eaf107c07824dc784aa4441b76e0b8a05031ce1c
Log: Fixed bug #55618 (use case-insensitive cert name matching)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 13:01:29 2024 UTC