PHP :: Bug #51100 :: Patch for CN_match to support wildcards

Bug #51100

Patch for CN_match to support wildcards

Submitted:

2010-02-20 19:27 UTC

Modified:

2013-10-10 12:02 UTC

Votes:	4
Avg. Score:	4.0 ± 1.0
Reproduced:	1 of 2 (50.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

bostjan at a2o dot si

Assigned:

pajoye (profile)

Status:

Closed

Package:

Streams related

PHP Version:

5.2.12

OS:

Linux (Slackware

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2010-02-20 19:27 UTC] bostjan at a2o dot si

Description:
------------
Stream context option CN_match does not support wildcard CN matching on PHP side. It only supports matching if a client connecting to PHP presents itself with wildcard in CN or if PHP connects to server which presents itself with wildcard in CN.

See my comment from 20Feb2010 here:
http://www.php.net/manual/en/context.ssl.php

Here is a link to a patch which enables "limited wildcard matching" if asterisk is present in CN_match.
http://source.a2o.si/php/php-ext-openssl-CN_match-wildcard.diff

Reproduce code:
---------------
####### SERVER
// Create context and other stuff
...

// Set relevant option
stream_context_set_option($ctx, 'ssl', 'CN_match', '*.example.org');

// Create the server socket
$server = stream_socket_server('ssl://0.0.0.0:9001', $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $ctx);


####### COMMAND LINE CLIENT
$ openssl s_client -host localhost -port 9001 -cert host.example.org.cert


Expected result:
----------------
Successfull connection

Actual result:
--------------
Connection is closed with following warning message:

Warning: stream_socket_accept(): Peer certificate CN=`host.example.org' did not match expected CN=`*.example.org' in...

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-02-20 23:06 UTC] pajoye@php.net

This feature is already implemented as far as I can tell, if it does not work, then let fix it.

[2010-03-03 00:23 UTC] bostjan at a2o dot si

Current implementation supports wildcard CN in remote certificate only.

Attached patch enables you to specify: 

CN_match = *.mydomain.com

This in turn enables you to SSL connect to all hosts under given domain (host1.mydomain.com, host2.mydomain.com).


BTW it is more useful the other way around:
- if you create a server which authenticates clients against CA certificate
- then you can specify that you only allow certain 'type' of clients
---> i.e. CN_match=*.backbone.mydomain.com
- then all the backbone servers are able to connect.
- all the other CNs will fail (i.e. server1.db.mydomain.com)

[2013-10-10 12:02 UTC] mike@php.net

-Status: Assigned +Status: Closed

[2013-10-10 12:02 UTC] mike@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri May 03 22:01:33 2024 UTC