|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2014-07-22 11:42 UTC] thijs at debian dot org
Description: ------------ When fetching things from an https:// url with PHP (e.g. file_get_contents()), the hostname is matched against the names in the certificate's subject alternative names extension since PHP 5.6, good. However, it does not apply the wildcard matching that it does to common names to these names, therefore https requests to resources on a server that has a wildcard SAN fail. An example site that has such a certificate is https://raw.githubusercontent.com. The test script below reproduces the problem for me. Test script: --------------- <?php ini_set("display_errors", TRUE); $readme = file_get_contents('https://raw.githubusercontent.com/php/php-src/master/README.md'); echo $readme; Expected result: ---------------- Contents of README.md. Actual result: -------------- Warning: file_get_contents(): Peer certificate CN=`www.github.com' did not match expected CN=`raw.githubusercontent.com' in /srv/www/test.php on line 6 Warning: file_get_contents(): Failed to enable crypto in /srv/www/test.php on line 6 Warning: file_get_contents(https://raw.githubusercontent.com/php/php-src/master/README.md): failed to open stream: operation failed in /srv/www/test.php on line 6 PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Dec 21 11:01:30 2024 UTC |
Thanks Tjerk, everything looks good. For posterity here's the relevant spec coverage for the topic of wildcard matching in SAN names from RFC 6125: A "*" wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.