php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55618 CN_match case insenstive compare
Submitted: 2011-09-06 09:05 UTC Modified: 2014-02-20 21:57 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: fkooman at tuxed dot net Assigned: rdlowrey
Status: Closed Package: OpenSSL related
PHP Version: trunk-SVN-2011-09-06 (SVN) OS:
Private report: No CVE-ID:
 [2011-09-06 09:05 UTC] fkooman at tuxed dot net
Description:
------------
CN_match does a case sensitive match to compare the name in the certificate with the name specified in the context. It should be a case insensitive match.


Test script:
---------------
<?php
$uri = 'https://ib-groep.nl/';
$hostname = 'ib-groep.nl';
$context = stream_context_create(array(
    'ssl' => array(
        'verify_peer' => TRUE,
        'allow_self_signed' => FALSE,
        'cafile' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
        'CN_match' => $hostname
    )
));
$web_content = file_get_contents($uri, FALSE, $context);
?>

Expected result:
----------------
The script should not throw any warning and fill $web_content with the data from the website.

Actual result:
--------------
PHP Warning:  file_get_contents(): Peer certificate CN=`IB-Groep.nl' did not match expected CN=`ib-groep.nl' in /home/fkooman/test.php on line 20

Patches

php-openssl-CN_match-case-insentive.txt (last revision 2011-09-06 09:06 UTC) by fkooman at tuxed dot net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-09-06 10:44 UTC] cataphract@php.net
I wouldn't be comfortable using a locale dependent function like strcasecmp() for something as matching names.
 [2011-09-06 11:06 UTC] fkooman at tuxed dot net
Does this locale dependency refer to strcasecmp() or strcasecmp_l()? It seems the former does nothing with the locale?

Another approach might be to use toupper() and tolower() on both the CN_match value and the CN from the certificate...
 [2014-02-20 21:56 UTC] rdlowrey@php.net
This behavior has been corrected as of PHP 5.6 for both common name (CN) matches and the newly supported subject alternative name (SAN) matching.
 [2014-02-20 21:57 UTC] rdlowrey@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: rdlowrey
 [2015-01-14 19:17 UTC] rdlowrey@php.net
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2fe8e164f14054170ba8ad1f2a66ef1ef5acdfa
Log: Fixed bug #55618 (use case-insensitive cert name matching)
 [2015-01-14 19:17 UTC] rdlowrey@php.net
-Status: Analyzed +Status: Closed
 [2015-01-14 19:18 UTC] rdlowrey@php.net
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2fe8e164f14054170ba8ad1f2a66ef1ef5acdfa
Log: Fixed bug #55618 (use case-insensitive cert name matching)
 [2015-01-14 19:19 UTC] rdlowrey@php.net
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2fe8e164f14054170ba8ad1f2a66ef1ef5acdfa
Log: Fixed bug #55618 (use case-insensitive cert name matching)
 [2015-01-14 19:34 UTC] rdlowrey@php.net
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2fe8e164f14054170ba8ad1f2a66ef1ef5acdfa
Log: Fixed bug #55618 (use case-insensitive cert name matching)
 [2015-01-21 10:24 UTC] jpauli@php.net
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=eaf107c07824dc784aa4441b76e0b8a05031ce1c
Log: Fixed bug #55618 (use case-insensitive cert name matching)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Mon Feb 27 04:01:38 2017 UTC