PHP :: Bug #68879 :: IP Address fields in subjectAltNames not used

Bug #68879	IP Address fields in subjectAltNames not used
Submitted:	2015-01-21 19:40 UTC	Modified:	2015-03-05 05:49 UTC
From:	fabian at ritter-vogt dot de	Assigned:	rdlowrey (profile)
Status:	Closed	Package:	OpenSSL related
PHP Version:	5.6.4	OS:	openSUSE 13.1
Private report:	No	CVE-ID:	None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 28 - 1 = ?
Subscribe to this entry?

[2015-01-21 19:40 UTC] fabian at ritter-vogt dot de

Description:
------------
The server at 10.2.0.1 has a certificate with CN set to the hostname and subjectAltNames set to the hostname and also IP-Address:

X509v3 Subject Alternative Name: 
                DNS:hostname.fqdn, DNS:hostname, IP Address:10.2.0.1

The certificate is correct, the import into the local trusted CA store worked:

$ curl https://10.2.0.1/some/file.html
Hi!

The php script below, however, prints the following error message:

Peer certificate CN=`hostname' did not match expected CN=`10.2.0.1'

It works if I replace "10.2.0.1" by "hostname" or "hostname.fqdn".

Test script:
---------------
<?php
file_get_contents("https://10.2.0.1/some/file.html");
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-03-04 17:31 UTC] rdlowrey@php.net

-Status: Open +Status: Verified -Assigned To: +Assigned To: rdlowrey

[2015-03-04 17:31 UTC] rdlowrey@php.net

This is a known issue. Currently only DNS names from the subjectAltName field are checked. I'm putting this on my @TODO list. Feel free to hassle me on this bug report if this isn't addressed in the near future ;)

[2015-03-05 05:44 UTC] rdlowrey@php.net

Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5dcace058a1384c8475e144e11310e260235dc3c
Log: Fixed bug #68879 (IP Address fields in subjectAltNames not used)

[2015-03-05 05:44 UTC] rdlowrey@php.net

-Status: Verified +Status: Closed

[2015-03-05 05:45 UTC] rdlowrey@php.net

Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5dcace058a1384c8475e144e11310e260235dc3c
Log: Fixed bug #68879 (IP Address fields in subjectAltNames not used)

[2015-03-05 05:49 UTC] rdlowrey@php.net

This has been fixed upstream with the following commit:

http://git.php.net/?p=php-src.git;a=commit;h=5dcace058a1384c8475e144e11310e260235dc3c

Only IPv4 SAN matching has been implemented. I didn't bother with IPv6 matching specifically because IP SAN names have been deprecated and CAs are no longer allowed to issue them after 2015. Any certs relying on IP SAN names must migrate away from them sooner rather than later.

Thanks for the report :)

[2016-12-08 19:13 UTC] spam2 at rhsoft dot net

Related To: Bug #73609

[2017-02-01 13:17 UTC] spam2 at rhsoft dot net

Related To: Bug #73609

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 31 19:00:02 2025 UTC