When fetching things from an https:// url with PHP (e.g. file_get_contents()), the hostname is matched against the names in the certificate's subject alternative names extension since PHP 5.6, good. However, it does not apply the wildcard matching that it does to common names to these names, therefore https requests to resources on a server that has a wildcard SAN fail.
An example site that has such a certificate is https://raw.githubusercontent.com.
The test script below reproduces the problem for me.
$readme = file_get_contents('https://raw.githubusercontent.com/php/php-src/master/README.md');
Contents of README.md.
Warning: file_get_contents(): Peer certificate CN=`www.github.com' did not match expected CN=`raw.githubusercontent.com' in /srv/www/test.php on line 6
Warning: file_get_contents(): Failed to enable crypto in /srv/www/test.php on line 6
Warning: file_get_contents(https://raw.githubusercontent.com/php/php-src/master/README.md): failed to open stream: operation failed in /srv/www/test.php on line 6
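The difference between exact-only and wildcard-aware SAN matching described in this report, as an added C example that is not part of the report and is not PHP's own code. The function names and the sample SAN list are assumptions constructed for illustration; the matcher accepts "*" only as the entire left-most label and, as a conservative choice of this example, rejects patterns such as "*.com".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Exact, case-insensitive comparison only: the SAN behaviour the report
 * describes, where "*.example.com" is treated as a literal string. */
static int san_match_exact(const char *san, const char *host)
{
    return strcasecmp(san, host) == 0;
}

/* Wildcard-aware comparison (hypothetical helper). "*" is accepted only as
 * the complete left-most label and stands for exactly one non-empty label. */
static int san_match_wildcard(const char *san, const char *host)
{
    if (strcasecmp(san, host) == 0)
        return 1;
    if (san[0] != '*' || san[1] != '.')
        return 0;                          /* no wildcard, or partial label "f*." */
    const char *suffix = san + 1;          /* ".example.com" */
    if (strchr(suffix, '*') != NULL || strchr(suffix + 1, '.') == NULL)
        return 0;                          /* reject "*.*.com" and "*.com" */
    const char *dot = strchr(host, '.');   /* end of the host's first label */
    if (dot == NULL || dot == host)
        return 0;                          /* single label or empty first label */
    return strcasecmp(dot, suffix) == 0;   /* remainder must equal the suffix */
}

typedef int (*san_matcher)(const char *san, const char *host);

/* Returns 1 if any dNSName entry in sans[] matches host under matcher m. */
static int host_in_sans(const char *host, const char *const sans[], size_t n, san_matcher m)
{
    for (size_t i = 0; i < n; i++)
        if (m(sans[i], host))
            return 1;
    return 0;
}

/* Constructed sample SAN list, not copied from a real certificate. */
static const char *const SAMPLE_SANS[] = { "www.example.net", "*.example.com" };

int main(void)
{
    printf("exact:    %d\n", host_in_sans("foo.example.com", SAMPLE_SANS, 2, san_match_exact));
    printf("wildcard: %d\n", host_in_sans("foo.example.com", SAMPLE_SANS, 2, san_match_wildcard));
    return 0;
}
```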
Automatic comment on behalf of datibbaw
Log: Fixed #67666 - Subject altName doesn't match wildcards
Thanks for the fast response!
Thanks Tjerk, everything looks good. For posterity here's the relevant spec coverage for the topic of wildcard matching in SAN names from RFC 6125:
A "*" wildcard character MAY be used as the left-most name
component in the certificate. For example, *.example.com would
match a.example.com, foo.example.com, etc. but would not match