|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #51100 Patch for CN_match to support wildcards
Submitted: 2010-02-20 19:27 UTC Modified: 2013-10-10 12:02 UTC
Avg. Score:4.0 ± 1.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bostjan at a2o dot si Assigned: pajoye (profile)
Status: Closed Package: Streams related
PHP Version: 5.2.12 OS: Linux (Slackware
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: bostjan at a2o dot si
New email:
PHP Version: OS:


 [2010-02-20 19:27 UTC] bostjan at a2o dot si
Stream context option CN_match does not support wildcard CN matching on PHP side. It only supports matching if a client connecting to PHP presents itself with wildcard in CN or if PHP connects to server which presents itself with wildcard in CN.

See my comment from 20Feb2010 here:

Here is a link to a patch which enables "limited wildcard matching" if asterisk is present in CN_match.

Reproduce code:
####### SERVER
// Create context and other stuff

// Set relevant option
stream_context_set_option($ctx, 'ssl', 'CN_match', '*');

// Create the server socket
$server = stream_socket_server('ssl://', $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $ctx);

$ openssl s_client -host localhost -port 9001 -cert

Expected result:
Successfull connection

Actual result:
Connection is closed with following warning message:

Warning: stream_socket_accept(): Peer certificate CN=`' did not match expected CN=`*' in...


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2010-02-20 23:06 UTC]
This feature is already implemented as far as I can tell, if it does not work, then let fix it.
 [2010-03-03 00:23 UTC] bostjan at a2o dot si
Current implementation supports wildcard CN in remote certificate only.

Attached patch enables you to specify: 

CN_match = *

This in turn enables you to SSL connect to all hosts under given domain (,

BTW it is more useful the other way around:
- if you create a server which authenticates clients against CA certificate
- then you can specify that you only allow certain 'type' of clients
---> i.e. CN_match=*
- then all the backbone servers are able to connect.
- all the other CNs will fail (i.e.
 [2013-10-10 12:02 UTC]
-Status: Assigned +Status: Closed
 [2013-10-10 12:02 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jul 22 22:01:28 2024 UTC