php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #51100 Patch for CN_match to support wildcards
Submitted: 2010-02-20 19:27 UTC Modified: 2013-10-10 12:02 UTC
Votes:4
Avg. Score:4.0 ± 1.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bostjan at a2o dot si Assigned: pajoye (profile)
Status: Closed Package: Streams related
PHP Version: 5.2.12 OS: Linux (Slackware
Private report: No CVE-ID: None
 [2010-02-20 19:27 UTC] bostjan at a2o dot si
Description:
------------
Stream context option CN_match does not support wildcard CN matching on PHP side. It only supports matching if a client connecting to PHP presents itself with wildcard in CN or if PHP connects to server which presents itself with wildcard in CN.

See my comment from 20Feb2010 here:
http://www.php.net/manual/en/context.ssl.php

Here is a link to a patch which enables "limited wildcard matching" if asterisk is present in CN_match.
http://source.a2o.si/php/php-ext-openssl-CN_match-wildcard.diff

Reproduce code:
---------------
####### SERVER
// Create context and other stuff
...

// Set relevant option
stream_context_set_option($ctx, 'ssl', 'CN_match', '*.example.org');

// Create the server socket
$server = stream_socket_server('ssl://0.0.0.0:9001', $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $ctx);


####### COMMAND LINE CLIENT
$ openssl s_client -host localhost -port 9001 -cert host.example.org.cert


Expected result:
----------------
Successfull connection

Actual result:
--------------
Connection is closed with following warning message:

Warning: stream_socket_accept(): Peer certificate CN=`host.example.org' did not match expected CN=`*.example.org' in...


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-02-20 23:06 UTC] pajoye@php.net
This feature is already implemented as far as I can tell, if it does not work, then let fix it.
 [2010-03-03 00:23 UTC] bostjan at a2o dot si
Current implementation supports wildcard CN in remote certificate only.

Attached patch enables you to specify: 

CN_match = *.mydomain.com

This in turn enables you to SSL connect to all hosts under given domain (host1.mydomain.com, host2.mydomain.com).


BTW it is more useful the other way around:
- if you create a server which authenticates clients against CA certificate
- then you can specify that you only allow certain 'type' of clients
---> i.e. CN_match=*.backbone.mydomain.com
- then all the backbone servers are able to connect.
- all the other CNs will fail (i.e. server1.db.mydomain.com)
 [2013-10-10 12:02 UTC] mike@php.net
-Status: Assigned +Status: Closed
 [2013-10-10 12:02 UTC] mike@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jul 22 22:01:28 2024 UTC