Bug #47030 SSL context option 'CN_match' useless without 'verify_peer'
Submitted: 2009-01-07 17:33 UTC Modified: 2014-02-16 17:18 UTC
Avg. Score: 4.8 ± 0.4
Reproduced: 6 of 6 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: Assigned: rdlowrey
Status: Closed Package: OpenSSL related
PHP Version: 5.2.8 OS: Windows Vista
Private report: No CVE-ID: None

 [2009-01-07 17:33 UTC]
It is currently impossible to perform only a check that the host name matches the Common Name in the SSL certificate. If 'verify_peer' is off, the check is not performed, while the documentation does not mention that these context options are dependent.

Note that the cURL extension behaves as expected; the script
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPGET, true);
curl_setopt($ch, CURLOPT_URL, '');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // CA verification off
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);     // host name check still on
if (!curl_exec($ch)) {
    echo "Error #" . curl_errno($ch) . ": " . curl_error($ch);
}
outputs the following:
Error #51: SSL: certificate subject name '' does not match target host name ''

Reproduce code:
$context = stream_context_create(array(
    'ssl' => array(
        'verify_peer' => false, // CA verification off
        'CN_match'    => ''     // host name the certificate is expected to carry
    )
));
$stream = stream_socket_client('ssl://', $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $context);
if ($stream) {
    echo "Stream connected OK\r\n";
}

Expected result:
Some error message that certificate name '' does not match expected ''

Actual result:
Stream connected OK


 [2009-01-07 18:17 UTC]
I will take a look at that asap.
 [2009-09-20 09:14 UTC]
It may also be a good idea to use the name explicitly given in CN_match for peer verification instead of the host name stream_socket_client() was called with. Consider a proxy scenario:
$context = stream_context_create(array(
    'ssl' => array(
        'verify_peer' => true,
        'CN_match'    => ''   // name of the real target behind the proxy
    )
));
// connecting to proxy
$stream = stream_socket_client(
    'tcp://', $errno, $errstr, 10,
    STREAM_CLIENT_CONNECT, $context
);
// establishing the tunnel
fwrite($stream, 'CONNECT ...');

// ... read proxy response

// establish crypto (the call on this line was missing from the report; reconstructed)
stream_socket_enable_crypto($stream, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);

This script will fail now since obviously doesn't match the certificate for
 [2014-02-15 00:02 UTC]
-Status: Assigned +Status: Closed
 [2014-02-15 00:02 UTC]
This has been addressed in the 5.6 development branch and master via the linked pull request.

As of 5.6 all client streams verify peers and host names by default. Peer certificate verification (via CAs) and host name verification (via CN and SAN) are now independent of one another. As these changes rely heavily on other features introduced in 5.6 you probably shouldn't hold your breath waiting for them to be back-ported to older versions.

$uri = '';
$timeout = 30;                  // placeholder values for the arguments below
$flags   = STREAM_CLIENT_CONNECT;
$ctx = stream_context_create(['ssl' => [
    'verify_peer' => false, // defaults to true for clients (as of 5.6)
    'verify_host' => true,  // defaults to true for clients (new in 5.6)
    'CN_match'    => ''     // <-- override the URI host name
]]);

$client = stream_socket_client($uri, $errno, $errstr, $timeout, $flags, $ctx);
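The following is an added illustration, not code from this bug report, from the linked pull request, or from PHP's own source. It shows the check the report asks for: matching an expected host name against the peer certificate's CN and subjectAltName entries explicitly, so the name check does not depend on whether CA verification (`verify_peer`) is enabled. The parsed-certificate array follows the shape `openssl_x509_parse()` returns; the sample array, the `example.test` names, and the `verified_client()` helper are constructed for this example.

```php
<?php
// Added example: explicit host name verification independent of verify_peer.

/**
 * Match a host name against one certificate name, allowing a single leading
 * wildcard label ("*.example.test" matches "www.example.test" but not
 * "example.test" or "a.b.example.test").
 */
function host_matches_name(string $host, string $name): bool
{
    $host = strtolower(rtrim($host, '.'));
    $name = strtolower(rtrim($name, '.'));
    if ($host === $name) {
        return true;
    }
    if (strncmp($name, '*.', 2) !== 0) {
        return false;
    }
    $suffix = substr($name, 1);              // ".example.test"
    $labelCount = substr_count($name, '.') + 1;
    // The wildcard must cover exactly one label and the rest must match.
    return count(explode('.', $host)) === $labelCount
        && substr($host, -strlen($suffix)) === $suffix;
}

/**
 * Verify $expectedHost against a certificate array from openssl_x509_parse().
 * SAN dNSName entries take precedence; the subject CN is only consulted when
 * the certificate carries no subjectAltName extension.
 */
function verify_peer_host(array $parsedCert, string $expectedHost): bool
{
    $san = $parsedCert['extensions']['subjectAltName'] ?? null;
    if ($san !== null) {
        // openssl_x509_parse() flattens the SAN to "DNS:a, DNS:b, IP Address:..."
        foreach (explode(',', $san) as $entry) {
            $entry = trim($entry);
            if (stripos($entry, 'DNS:') === 0
                && host_matches_name($expectedHost, substr($entry, 4))) {
                return true;
            }
        }
        return false;
    }
    $cn = $parsedCert['subject']['CN'] ?? '';
    return $cn !== '' && host_matches_name($expectedHost, $cn);
}

// Constructed sample in the shape openssl_x509_parse() produces; not a real certificate.
$sampleCert = [
    'subject'    => ['CN' => 'www.example.test'],
    'extensions' => ['subjectAltName' => 'DNS:www.example.test, DNS:*.cdn.example.test'],
];

var_dump(verify_peer_host($sampleCert, 'www.example.test'));
var_dump(verify_peer_host($sampleCert, 'img.cdn.example.test'));
var_dump(verify_peer_host($sampleCert, 'example.test'));
var_dump(verify_peer_host($sampleCert, 'a.b.cdn.example.test'));

/**
 * Hypothetical helper showing how the check attaches to a live stream: capture
 * the peer certificate and verify the name explicitly after connecting.
 * Not executed above because it needs network access.
 */
function verified_client(string $uri, string $expectedHost, string $cafile)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,    // CA chain verification
        'cafile'            => $cafile,
        'capture_peer_cert' => true,    // expose the leaf certificate to the caller
    ]]);
    $stream = @stream_socket_client($uri, $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($stream === false) {
        throw new RuntimeException("connect failed: #$errno $errstr");
    }
    $cert   = stream_context_get_params($stream)['options']['ssl']['peer_certificate'] ?? null;
    $parsed = $cert ? openssl_x509_parse($cert) : false;
    if ($parsed === false || !verify_peer_host($parsed, $expectedHost)) {
        fclose($stream);
        throw new RuntimeException("peer certificate does not match '$expectedHost'");
    }
    return $stream;
}
```

The four `var_dump` calls exercise an exact SAN match, a one-label wildcard match, a bare domain that no entry covers, and a host with one label too many for the wildcard. Checking SAN before CN matters because modern certificates often carry the served names only in the SAN extension. For reference, the options that PHP 5.6 actually shipped are `verify_peer_name` (default true) and `peer_name`, with `CN_match` deprecated in their favour.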
 [2014-02-16 17:18 UTC]
-Assigned To: pajoye +Assigned To: rdlowrey
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Apr 15 12:01:29 2024 UTC