Bug #65729 CN_match gives false positive
Submitted: 2013-09-21 08:27 UTC
Modified: 2013-10-08 14:02 UTC
From: datibbaw@php.net
Assigned: mike
Status: Closed
Package: OpenSSL related
PHP Version: master-Git-2013-09-21 (Git)
OS: Linux
Private report: No
CVE-ID: None
 [2013-09-21 08:27 UTC] datibbaw@php.net
Description:
------------
When the CN_match option is used to verify "foo.test.com.sg" and the server 
certificate CN is "*.test.com" it will succeed erroneously.


Test script:
---------------
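<?php
// Test server address, taken from the warning in the expected result below.
$url = 'https://localhost:4433';

// Verify the peer and require the certificate CN to match this host name.
$context = stream_context_create(['ssl' => [
        'verify_peer' => true,
        'allow_self_signed' => true,
        'CN_match' => 'foo.test.com.sg',
]]);

// The second argument is use_include_path (a bool), not a mode string.
$s = file_get_contents($url, false, $context);
var_dump($s);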

Expected result:
----------------
Warning: file_get_contents(): Peer certificate CN=`*.test.com' did not match 
expected CN=`foo.test.com.sg' in /path/to/script.php on line 12

Warning: file_get_contents(): Failed to enable crypto in 
/Users/tjerk/work/ssl/ssl.php on line 11

Warning: file_get_contents(https://localhost:4433): failed to open stream: 
operation failed in /path/to/script.php on line 11
bool(false)

Actual result:
--------------
No errors.
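
The false positive reported above comes down to how a wildcard certificate name is compared with the expected host name. The C sketch below is an added example, not code from this report and not PHP's own source: it contrasts a hypothetical matcher that accepts the reported pair with a stricter one that anchors the suffix at the end of the name. The function names `naive_match` and `strict_match` and the sample host names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical naive matcher (constructed for illustration, not PHP's code):
 * skips the host's first label and checks only that the remainder STARTS
 * with the pattern's suffix, so any trailing labels are ignored. */
int naive_match(const char *host, const char *pattern)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(host, pattern) == 0;
    const char *rest = strchr(host, '.');
    const char *suffix = pattern + 1;            /* e.g. ".test.com" */
    return rest != NULL && strncasecmp(rest, suffix, strlen(suffix)) == 0;
}

/* Stricter matcher: the wildcard must be the whole leftmost label, it covers
 * exactly one non-empty label, and the suffix must match to the END of host. */
int strict_match(const char *host, const char *pattern)
{
    if (strchr(pattern, '*') == NULL)
        return strcasecmp(host, pattern) == 0;
    if (strncmp(pattern, "*.", 2) != 0 || strchr(pattern + 1, '*') != NULL)
        return 0;                                /* only "*.<suffix>" accepted */
    const char *suffix = pattern + 1;
    size_t host_len = strlen(host), suffix_len = strlen(suffix);
    if (host_len <= suffix_len)
        return 0;                                /* wildcard label would be empty */
    size_t label_len = host_len - suffix_len;
    if (memchr(host, '.', label_len) != NULL)
        return 0;                                /* wildcard may not span a dot */
    return strcasecmp(host + label_len, suffix) == 0;
}

int main(void)
{
    /* Constructed sample names; the first host is the one from the report. */
    const char *hosts[] = { "foo.test.com.sg", "foo.test.com",
                            "a.b.test.com", "test.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-16s vs *.test.com  naive=%d strict=%d\n", hosts[i],
               naive_match(hosts[i], "*.test.com"),
               strict_match(hosts[i], "*.test.com"));
    return 0;
}
```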

 [2013-10-08 14:02 UTC] mike@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: mike
 [2013-10-08 14:02 UTC] mike@php.net
Merged.
 [2014-10-15 12:57 UTC] gm dot outside+php at gmail dot com
The self-signed certificate used for this test up to PHP 5.6.1 has expired on Sep 21, 2014.  Please see #68234 for details.
 
Last updated: Wed Jan 29 20:01:24 2020 UTC