Bug #80854 SAN Certificate Wildcard fails with verify_peer_name
Submitted: 2021-03-10 23:48 UTC Modified: 2021-05-07 16:08 UTC
From: ricardo dot branco at covermg dot com Assigned: cmb (profile)
Status: Not a bug Package: OpenSSL related
PHP Version: 7.4.16 OS: Centos 7
Private report: No CVE-ID: None
 [2021-03-10 23:48 UTC] ricardo dot branco at covermg dot com
Description:
------------
Since verify_peer_name/verify_peer is now on by default, it cannot validate certificates with multiple SAN entries.

```
PHP Warning:  stream_socket_enable_crypto(): Peer certificate CN=`*.smtp.sendgrid.net' did not match expected CN=`smtp.sendgrid.com' in /home/ips/library/Zend/Mail/Protocol/Smtp.php on line 206
```

Currently the only way to correct this is by disabling verify.

This has been open for ages.
https://bugs.php.net/bug.php?id=67666


History

 [2021-05-07 16:08 UTC] cmb@php.net
-Status: Open
+Status: Not a bug
-Package: Sockets related
+Package: OpenSSL related
-Assigned To:
+Assigned To: cmb
 [2021-05-07 16:08 UTC] cmb@php.net
> This has been open for ages.
> https://bugs.php.net/bug.php?id=67666

No, it has not.  Actually, that bug had been fixed within less
than 48 hours.

> PHP Warning:  stream_socket_enable_crypto(): Peer certificate CN=`*.smtp.sendgrid.net' did not match expected CN=`smtp.sendgrid.com' in /home/ips/library/Zend/Mail/Protocol/Smtp.php on line 206

From RFC 6125[1]:

| A "*" wildcard character MAY be used as the left-most name
| component in the certificate.  For example, *.example.com would
| match a.example.com, foo.example.com, etc. but would not match
| example.com.

So this doesn't look like a bug in PHP.

[1] <https://tools.ietf.org/html/rfc6125>
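The RFC 6125 rule quoted above is easy to get wrong in both directions (a wildcard that is allowed to swallow the bare domain, or one that is refused entirely). The following is an added example, not PHP's or OpenSSL's own matching code, that implements the quoted rule and walks a constructed SAN list the way a client does: each presented name is compared against the expected host name, and the connection is acceptable only if some entry matches. Running it on the names from the warning in this report shows why `*.smtp.sendgrid.net` cannot satisfy `smtp.sendgrid.com` (different domain) and also would not satisfy `smtp.sendgrid.net` (the wildcard must consume one label).

```python
"""RFC 6125 style wildcard host name matching (illustrative, not PHP's code).

The rule implemented here is the one quoted from RFC 6125 section 6.4.3:
'*' may appear only as the whole left-most label, it matches exactly one
label, and every other label must match exactly. Stricter choices below
(no partial-label wildcards, no '*.tld') are this example's assumptions.
"""

from typing import Iterable, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`."""
    # DNS names are case-insensitive; a trailing dot is the same name.
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Empty labels ("a..example.com", ".example.com") are never valid.
    if any(not label for label in p_labels + h_labels):
        return False

    # No wildcard at all: require an exact label-by-label match.
    if "*" not in pattern:
        return p_labels == h_labels

    # Assumption: '*' is accepted only as the entire left-most label, once.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Assumption: refuse '*' and '*.tld' patterns, which are too broad.
    if len(p_labels) < 3:
        return False

    # The wildcard consumes exactly one label, so '*.example.com' matches
    # 'a.example.com' but neither 'example.com' nor 'a.b.example.com'.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def matching_san(san_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry that covers `hostname`, or None.

    A client accepts the certificate for `hostname` only if this is not None;
    having many SAN entries does not help when none of them matches.
    """
    for name in san_names:
        if hostname_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed SAN list modelled on the names in the reported warning.
    sans = ["*.smtp.sendgrid.net", "sendgrid.net"]
    for host in ("smtp.sendgrid.com", "smtp.sendgrid.net",
                 "api.smtp.sendgrid.net", "sendgrid.net"):
        print(f"{host:25s} -> {matching_san(sans, host)}")
```

Because the expected name is `smtp.sendgrid.com` and no SAN entry is under `sendgrid.com` at all, `matching_san` returns `None` and verification fails exactly as the warning says; the fix is to connect to a host name the certificate actually lists (or set the stream context's `peer_name` to that name), not to disable verification.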
 [2021-05-07 16:15 UTC] sdsdsdsdsd at dfgfgfgfg dot net
> Peer certificate CN=`*.smtp.sendgrid.net' did not 
> match expected CN=`smtp.sendgrid.com'

*.smtp.sendgrid.net != smtp.sendgrid.com

When you have a certificate with "*.example.com" without an explicit "example.com", no client would accept it, and that's intentional! You need to list all names, and besides wildcards for subdomains, the subdomain itself explicitly.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Jul 03 00:01:35 2025 UTC