Bug #47030 SSL context option 'CN_match' useless without 'verify_peer'
Submitted: 2009-01-07 17:33 UTC Modified: 2014-02-16 17:18 UTC
Avg. Score:4.8 ± 0.4
Reproduced:6 of 6 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: Assigned: rdlowrey
Status: Closed Package: OpenSSL related
PHP Version: 5.2.8 OS: Windows Vista
Private report: No CVE-ID: None
 [2009-01-07 17:33 UTC]
It is currently impossible to only perform a check that the host name matches the Common Name in the SSL certificate. If 'verify_peer' is off, then the check is not performed, while the documentation does not mention that these context options are dependent.

Note that the cURL extension behaves as expected; the script
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPGET, true);
curl_setopt($ch, CURLOPT_URL, '');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
if (!curl_exec($ch)) {
    echo "Error #" . curl_errno($ch) . ": " . curl_error($ch);
}
outputs the following:
Error #51: SSL: certificate subject name '' does not match target host name ''

Reproduce code:
$context = stream_context_create(array(
    'ssl' => array(
        'verify_peer' => false,
        'CN_match'    => ''
    )
));
$stream = stream_socket_client('ssl://', $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $context);
if ($stream) {
    echo "Stream connected OK\r\n";
}

Expected result:
Some error message that certificate name '' does not match expected ''

Actual result:
Stream connected OK


 [2009-01-07 18:17 UTC]
I will take a look at that asap.
 [2009-09-20 09:14 UTC]
It may also be a good idea to use the name explicitly given in CN_match for peer verification instead of the host name stream_socket_client() was called upon. Consider a proxy scenario:
$context = stream_context_create(array(
    'ssl' => array(
        'verify_peer' => true,
        'CN_match'    => ''
    )
));
// connecting to proxy
$stream = stream_socket_client(
    'tcp://', $errno, $errstr, 10,
    STREAM_CLIENT_CONNECT, $context
);
// establishing the tunnel
fwrite($stream, 'CONNECT ...');

// ... read proxy response

// establish crypto (the stream keeps the 'ssl' options from $context)
stream_socket_enable_crypto($stream, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);

This script will fail now since obviously doesn't match the certificate for
 [2014-02-15 00:02 UTC]
-Status: Assigned +Status: Closed
 [2014-02-15 00:02 UTC]
This has been addressed in the 5.6 development branch and master via the linked pull request.

As of 5.6 all client streams verify peers and host names by default. Peer certificate verification (via CAs) and host name verification (via CN and SAN) are now independent of one another. As these changes rely heavily on other features introduced in 5.6 you probably shouldn't hold your breath waiting for them to be back-ported to older versions.

$uri = '';
$timeout = 10;
$flags = STREAM_CLIENT_CONNECT;
$ctx = stream_context_create(['ssl' => [
    'verify_peer' => false, // defaults to true for clients (as of 5.6)
    'verify_host' => true, // defaults to true for clients (new in 5.6)
    'CN_match' => '' // <-- override the URI host name
]]);

$client = stream_socket_client($uri, $errno, $errstr, $timeout, $flags, $ctx);
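The proxy scenario from the 2009 comment, written against the independent peer/host verification described in this comment, as an added example that is neither from the bug report nor PHP's own code. It assumes the option names as they shipped in PHP 5.6 (`verify_peer_name` and `peer_name`, rather than the `verify_host`/`CN_match` spelling used in the comment above) and placeholder proxy and target host names.

```php
<?php
// Added example: TLS through an HTTP CONNECT proxy on PHP >= 5.6, with the CA
// chain and the host name verified independently. The name that is checked
// against the certificate is the tunnelled target, not the proxy we dialled.
// Host names below are placeholders, not real servers.
function tlsViaConnectProxy($proxyHost, $proxyPort, $targetHost, $targetPort = 443)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,        // chain must validate against the CA store
        'verify_peer_name' => true,        // CN/SAN must match 'peer_name' (5.6 name for verify_host)
        'peer_name'        => $targetHost, // 5.6 name for CN_match: overrides the dialled host
    ]]);

    // Plain TCP to the proxy; no crypto yet, but the stream keeps the ssl options
    $stream = stream_socket_client("tcp://$proxyHost:$proxyPort", $errno, $errstr,
                                   10, STREAM_CLIENT_CONNECT, $ctx);
    if ($stream === false) {
        throw new RuntimeException("proxy connect failed: #$errno $errstr");
    }
    stream_set_timeout($stream, 10);

    // Ask the proxy to open the tunnel and require a 2xx status line
    fwrite($stream, "CONNECT $targetHost:$targetPort HTTP/1.1\r\n"
                  . "Host: $targetHost:$targetPort\r\n\r\n");
    $status = fgets($stream);
    if ($status === false || !preg_match('#^HTTP/1\.[01] 2\d\d#', $status)) {
        throw new RuntimeException('proxy refused tunnel: ' . trim((string) $status));
    }
    while (($line = fgets($stream)) !== false && trim($line) !== '') {
        // discard the remaining proxy response headers
    }

    // Start TLS inside the tunnel. With verify_peer_name + peer_name set, a
    // certificate issued to the proxy (or any other name) fails here even though
    // it would chain to a trusted CA.
    if (stream_socket_enable_crypto($stream, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        throw new RuntimeException('TLS handshake or certificate verification failed');
    }
    return $stream;
}

$s = tlsViaConnectProxy('proxy.example.invalid', 3128, 'www.example.invalid');
fwrite($s, "GET / HTTP/1.1\r\nHost: www.example.invalid\r\nConnection: close\r\n\r\n");
echo fgets($s);
```

Setting `verify_peer` to false while keeping `verify_peer_name` true (as in the comment's snippet) still rejects a name mismatch, but accepts any issuer; for a real client keep both enabled.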
 [2014-02-16 17:18 UTC]
-Assigned To: pajoye +Assigned To: rdlowrey