php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65729 CN_match gives false positive
Submitted: 2013-09-21 08:27 UTC Modified: 2013-10-08 14:02 UTC
From: datibbaw@php.net Assigned: mike
Status: Closed Package: OpenSSL related
PHP Version: master-Git-2013-09-21 (Git) OS: Linux
Private report: No CVE-ID:
 [2013-09-21 08:27 UTC] datibbaw@php.net
Description:
------------
When the CN_match option is used to verify "foo.test.com.sg" and the server 
certificate CN is "*.test.com" it will succeed erroneously.


Test script:
---------------
$context = stream_context_create(['ssl' => [
        'verify_peer' => true,
        'allow_self_signed' => true,
        'CN_match' => 'foo.test.com.sg',
]]);

$s = file_get_contents($url, 'rt', $context);
var_dump($s);

Expected result:
----------------
Warning: file_get_contents(): Peer certificate CN=`*.test.com' did not match 
expected CN=`foo.test.com.sg' in /path/to/script.php on line 12

Warning: file_get_contents(): Failed to enable crypto in 
/Users/tjerk/work/ssl/ssl.php on line 11

Warning: file_get_contents(https://localhost:4433): failed to open stream: 
operation failed in /path/to/script.php on line 11
bool(false)

Actual result:
--------------
No errors.

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-10-08 14:02 UTC] mike@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: mike
 [2013-10-08 14:02 UTC] mike@php.net
Merged.
 [2014-10-15 12:57 UTC] gm dot outside+php at gmail dot com
The self-signed certificate used for this test up to PHP 5.6.1 has expired on Sep 21, 2014.  Please see #68234 for details.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sat Jul 22 00:01:36 2017 UTC