Bug #67666 Subject alternative name verification does not match wildcards
Submitted: 2014-07-22 11:42 UTC Modified: -
From: thijs at debian dot org Assigned:
Status: Closed Package: OpenSSL related
PHP Version: 5.6.0RC2 OS: Debian sid
Private report: No CVE-ID:
 [2014-07-22 11:42 UTC] thijs at debian dot org
Description:
------------
When fetching things from an https:// url with PHP (e.g. file_get_contents()), the hostname is matched against the names in the certificate's subject alternative names extension since PHP 5.6, good. However, it does not apply the wildcard matching that it does to common names to these names, therefore https requests to resources on a server that has a wildcard SAN fail.

An example site that has such a certificate is https://raw.githubusercontent.com.

The test script below reproduces the problem for me.

Test script:
---------------
<?php

ini_set("display_errors", TRUE);

// The host is covered only by a wildcard dNSName in the certificate's
// subjectAltName extension, not by the subject CN.
$readme = file_get_contents('https://raw.githubusercontent.com/php/php-src/master/README.md');

echo $readme;


Expected result:
----------------
Contents of README.md.

Actual result:
--------------
Warning: file_get_contents(): Peer certificate CN=`www.github.com' did not match expected CN=`raw.githubusercontent.com' in /srv/www/test.php on line 6

Warning: file_get_contents(): Failed to enable crypto in /srv/www/test.php on line 6

Warning: file_get_contents(https://raw.githubusercontent.com/php/php-src/master/README.md): failed to open stream: operation failed in /srv/www/test.php on line 6

 [2014-07-24 06:41 UTC] datibbaw@php.net
Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=38e714ece52f38963c072434b12174bccedcd1c7
Log: Fixed #67666 - Subject altName doesn't match wildcards
 [2014-07-24 06:41 UTC] datibbaw@php.net
-Status: Open +Status: Closed
 [2014-07-24 06:56 UTC] thijs at debian dot org
Thanks for the fast response!
 [2014-07-24 13:13 UTC] rdlowrey@php.net
Thanks Tjerk, everything looks good. For posterity here's the relevant spec coverage for the topic of wildcard matching in SAN names from RFC 6125:

      A "*" wildcard character MAY be used as the left-most name
      component in the certificate.  For example, *.example.com would
      match a.example.com, foo.example.com, etc. but would not match
      example.com.
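The following is an added example, not code from this bug report or from php-src: a userland PHP implementation of the RFC 6125 matching rule quoted above, written so that a practitioner can see exactly which names a client should and should not accept. It goes slightly beyond the quoted sentence by also applying the other rules of RFC 6125 section 6.4.3 (a wildcard matches exactly one label, so `*.example.com` matches neither `example.com` nor `a.b.example.com`, and partial wildcards such as `f*.example.com` are rejected, which the RFC permits as a conservative choice) and by consulting the subject CN only when the certificate carries no dNSName SAN entries at all (section 6.4.4). The SAN input uses the string format that `openssl_x509_parse()` returns in `$cert['extensions']['subjectAltName']`; the certificate names below are constructed to model the situation in this report (CN on one host, wildcard SAN covering the requested host), not copied from any real certificate.

```php
<?php
// Added example: RFC 6125 section 6.4.3 wildcard matching of a hostname
// against a certificate's dNSName SAN entries, with CN fallback only when
// the certificate has no dNSName entries (RFC 6125 section 6.4.4).
// The SAN string format mirrors openssl_x509_parse(), e.g.
// "DNS:a.example.com, DNS:*.example.net, IP Address:192.0.2.1".

declare(strict_types=1);

/**
 * Extract the dNSName entries from an openssl_x509_parse()-style
 * subjectAltName string. Other entry types (IP Address, email, ...) are ignored.
 */
function sanDnsNames(string $san): array
{
    $names = [];
    foreach (explode(',', $san) as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = strtolower(substr($entry, 4));
        }
    }
    return $names;
}

/**
 * Does one presented identifier (possibly a wildcard) match $host?
 * Comparison is case-insensitive on A-label (ASCII) names. A "*" is accepted
 * only as the entire left-most label and matches exactly one label, so
 * "*.example.com" matches "a.example.com" but neither "example.com" nor
 * "a.b.example.com". Partial wildcards ("f*.example.com") and wildcards in
 * other labels ("a.*.example.com") are rejected; RFC 6125 allows a client
 * to refuse them. A wildcard over a public suffix such as "*.com" is also
 * refused as an extra conservative check.
 */
function dnsNameMatches(string $host, string $name): bool
{
    $host = strtolower(rtrim($host, '.'));
    $name = strtolower(rtrim($name, '.'));

    if (strpos($name, '*') === false) {
        return $host === $name;
    }
    if (strpos($name, '*.') !== 0 || substr_count($name, '*') !== 1) {
        return false;
    }
    $suffix = substr($name, 1);            // "*.example.com" -> ".example.com"
    if (substr_count($suffix, '.') < 2) {  // refuse "*.com"
        return false;
    }
    if (strlen($host) <= strlen($suffix) || substr($host, -strlen($suffix)) !== $suffix) {
        return false;
    }
    // Whatever precedes the suffix must be exactly one non-empty label.
    $leftmost = substr($host, 0, strlen($host) - strlen($suffix));
    return $leftmost !== '' && strpos($leftmost, '.') === false;
}

/**
 * Match $host against a certificate described by its SAN string and CN.
 * When dNSName SAN entries are present the CN is ignored entirely; the CN
 * is only a fallback for certificates that carry no dNSName at all.
 */
function certificateMatchesHost(string $host, string $san, string $cn): bool
{
    $candidates = sanDnsNames($san);
    if ($candidates === []) {
        $candidates = [$cn];
    }
    foreach ($candidates as $name) {
        if (dnsNameMatches($host, $name)) {
            return true;
        }
    }
    return false;
}

// Constructed sample certificate names modelled on this report: the CN names
// one host, the SAN carries a wildcard that covers the requested host.
$san = 'DNS:*.githubusercontent.com, DNS:www.github.com, DNS:github.com';
$cn  = 'www.github.com';

foreach (['raw.githubusercontent.com', 'githubusercontent.com',
          'a.b.githubusercontent.com', 'www.github.com', 'RAW.GithubUserContent.com'] as $host) {
    printf("%-28s %s\n", $host, certificateMatchesHost($host, $san, $cn) ? 'match' : 'no match');
}
```

The pre-fix behaviour described in the report corresponds to running only the exact-equality branch of `dnsNameMatches()` for SAN entries while still applying wildcard matching to the CN; once the SAN list is non-empty the CN should not be consulted at all, which is why the warning in the report quotes `CN=www.github.com` even though that name was never the one that should have decided the outcome. Internationalised hostnames must be converted to their A-label (punycode) form before being passed to these functions.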
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Apr 30 01:01:34 2017 UTC