Bug #68879 IP Address fields in subjectAltNames not used
Submitted: 2015-01-21 19:40 UTC Modified: 2015-03-05 05:49 UTC
From: fabian at ritter-vogt dot de Assigned: rdlowrey
Status: Closed Package: OpenSSL related
PHP Version: 5.6.4 OS: openSUSE 13.1
Private report: No CVE-ID:
 [2015-01-21 19:40 UTC] fabian at ritter-vogt dot de
Description:
------------
The server at 10.2.0.1 has a certificate with CN set to the hostname and subjectAltNames set to the hostname and also IP-Address:

X509v3 Subject Alternative Name: 
                DNS:hostname.fqdn, DNS:hostname, IP Address:10.2.0.1

The certificate is correct, the import into the local trusted CA store worked:

$ curl https://10.2.0.1/some/file.html
Hi!

The PHP script below, however, prints the following error message:

Peer certificate CN=`hostname' did not match expected CN=`10.2.0.1'

It works if I replace "10.2.0.1" by "hostname" or "hostname.fqdn".

Test script:
---------------
<?php
file_get_contents("https://10.2.0.1/some/file.html");
?>


 [2015-03-04 17:31 UTC] rdlowrey@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: rdlowrey
 [2015-03-04 17:31 UTC] rdlowrey@php.net
This is a known issue. Currently only DNS names from the subjectAltName field are checked. I'm putting this on my @TODO list. Feel free to hassle me on this bug report if this isn't addressed in the near future ;)
 [2015-03-05 05:44 UTC] rdlowrey@php.net
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5dcace058a1384c8475e144e11310e260235dc3c
Log: Fixed bug #68879 (IP Address fields in subjectAltNames not used)
 [2015-03-05 05:44 UTC] rdlowrey@php.net
-Status: Verified +Status: Closed
 [2015-03-05 05:45 UTC] rdlowrey@php.net
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5dcace058a1384c8475e144e11310e260235dc3c
Log: Fixed bug #68879 (IP Address fields in subjectAltNames not used)
 [2015-03-05 05:49 UTC] rdlowrey@php.net
This has been fixed upstream with the following commit:

http://git.php.net/?p=php-src.git;a=commit;h=5dcace058a1384c8475e144e11310e260235dc3c

Only IPv4 SAN matching has been implemented. I didn't bother with IPv6 matching specifically because IP SAN names have been deprecated and CAs are no longer allowed to issue them after 2015. Any certs relying on IP SAN names must migrate away from them sooner rather than later.

Thanks for the report :)
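An added example, not code from PHP or from this bug's fix: a PHP 7 peer-name check over the subjectAltName string that openssl_x509_parse() returns in $cert['extensions']['subjectAltName'], accepting "IP Address" entries for both IPv4 and IPv6 (going beyond the IPv4-only fix above) and deliberately never falling back to the CN when the peer is an IP literal. The function names and the SAN string are assumptions constructed for this example.

```php
<?php
// Parse "DNS:a, IP Address:10.2.0.1" (the openssl_x509_parse() SAN string) into
// [type, value] pairs; split on the first ':' only since IPv6 values contain colons.
function parse_san(string $san): array
{
    $entries = [];
    foreach (preg_split('/\s*,\s*/', trim($san)) as $item) {
        if (strpos($item, ':') !== false) {
            list($type, $value) = explode(':', $item, 2);
            $entries[] = [trim($type), trim($value)];
        }
    }
    return $entries;
}
// Exact or single-leftmost-label wildcard match ("*.example.com"), case-insensitive.
function dns_name_matches(string $pattern, string $host): bool
{
    $pattern = strtolower(rtrim($pattern, '.'));
    $host    = strtolower(rtrim($host, '.'));
    if ($pattern === $host) { return true; }
    if (strpos($pattern, '*.') !== 0 || substr_count($pattern, '*') !== 1) { return false; }
    $labels = explode('.', $host);   // a wildcard needs at least 3 labels in the host
    return count($labels) >= 3 && substr($host, strlen($labels[0])) === substr($pattern, 1);
}
// An IP literal may only match "IP Address" entries and a name only "DNS" entries;
// there is deliberately no fallback to the certificate's CN (the bug on this page).
function peer_matches_san(string $san, string $peer): bool
{
    $peer = trim($peer, '[]');       // accept "[2001:db8::1]" as written in a URL
    $isIp = filter_var($peer, FILTER_VALIDATE_IP) !== false;
    foreach (parse_san($san) as list($type, $value)) {
        if ($isIp && $type === 'IP Address' && filter_var($value, FILTER_VALIDATE_IP) !== false) {
            // Binary comparison makes "2001:db8::1" equal to "2001:0db8::1".
            if (inet_pton($value) === inet_pton($peer)) {
                return true;
            }
        } elseif (!$isIp && $type === 'DNS' && dns_name_matches($value, $peer)) {
            return true;
        }
    }
    return false;
}
// Constructed SAN string: the bug report's certificate plus an IPv6 entry.
$san = 'DNS:hostname.fqdn, DNS:hostname, IP Address:10.2.0.1, IP Address:2001:db8::1';
foreach (['10.2.0.1', 'hostname', '[2001:0db8::1]', '10.2.0.2', 'other.fqdn'] as $peer) {
    printf("%-18s %s\n", $peer, peer_matches_san($san, $peer) ? 'matches SAN' : 'no match');
}
```

On a PHP build older than the fix, the same check can be applied by hand to the peer certificate captured with the ssl context option capture_peer_cert, instead of relying on the built-in CN comparison.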
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Mon May 01 00:01:34 2017 UTC