php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #68879 IP Address fields in subjectAltNames not used
Submitted: 2015-01-21 19:40 UTC Modified: 2015-03-05 05:49 UTC
From: fabian at ritter-vogt dot de Assigned: rdlowrey (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.6.4 OS: openSUSE 13.1
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
26 - 2 = ?
Subscribe to this entry?

 
 [2015-01-21 19:40 UTC] fabian at ritter-vogt dot de 
Description:
------------
The server at 10.2.0.1 has a certificate with CN set to the hostname and subjectAltNames set to the hostname and also IP-Address:

X509v3 Subject Alternative Name: 
                DNS:hostname.fqdn, DNS:hostname, IP Address:10.2.0.1

The certificate is correct, the import into the local trusted CA store worked:

$ curl https://10.2.0.1/some/file.html
Hi!

The php script below, however, prints the following error message:

Peer certificate CN=`hostname' did not match expected CN=`10.2.0.1'

It works if I replace "10.2.0.1" by "hostname" or "hostname.fqdn".

Test script:
---------------
<?php
file_get_contents("https://10.2.0.1/some/file.html");
?>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-03-04 17:31 UTC] rdlowrey@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: rdlowrey
 [2015-03-04 17:31 UTC] rdlowrey@php.net 
This is a known issue. Currently only DNS names from the subjectAltName field are checked. I'm putting this on my @TODO list. Feel free to hassle me on this bug report if this isn't addressed in the near future ;)
 [2015-03-05 05:44 UTC] rdlowrey@php.net 
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5dcace058a1384c8475e144e11310e260235dc3c
Log: Fixed bug #68879 (IP Address fields in subjectAltNames not used)
 [2015-03-05 05:44 UTC] rdlowrey@php.net
-Status: Verified +Status: Closed
 [2015-03-05 05:45 UTC] rdlowrey@php.net 
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5dcace058a1384c8475e144e11310e260235dc3c
Log: Fixed bug #68879 (IP Address fields in subjectAltNames not used)
 [2015-03-05 05:49 UTC] rdlowrey@php.net 
This has been fixed upstream with the following commit:

http://git.php.net/?p=php-src.git;a=commit;h=5dcace058a1384c8475e144e11310e260235dc3c

Only IPv4 SAN matching has been implemented. I didn't bother with IPv6 matching specifically because IP SAN names have been deprecated and CAs are no longer allowed to issue them after 2015. Any certs relying on IP SAN names must migrate away from them sooner rather than later.

Thanks for the report :)
 [2016-12-08 19:13 UTC] spam2 at rhsoft dot net 
Related To: Bug #73609
 [2017-02-01 13:17 UTC] spam2 at rhsoft dot net 
Related To: Bug #73609
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 07:01:27 2024 UTC