[php-maint] Bug#759501: php5: TLS/SSL connections do not honour the SubjectAltName within certificates

Andre Klärner kandre at ak-online.be
Wed Aug 27 19:16:33 UTC 2014

Package: php5-common
Version: 5.6.0~rc4+dfsg-4
Severity: normal
Tags: upstream

Dear Maintainer,

as PHP 5.6 enabled peer verification by default I noticed that the
verification does not account for the Subject Alternative Names within the
certificate. Upstream already has a bug for this:
  Bug #55236	Can't open a connection via TLS

The problem gets noticeable when you try to connect to an SSL-secured
service via fsockopen() and the hostname used to connect differs
from the certificate's Common Name. Take this example:

kandre at mainframe(pts/12) ~ % openssl s_client -starttls smtp -connect smtp.live.com:587 -CApath /etc/ssl/certs
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - G2
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *.hotmail.com
verify return:1
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=*.hotmail.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

OpenSSL is properly verifying the certificate and comes to the
conclusion that the certificate CN=*.hotmail.com, X509v3 Subject
Alternative Name: DNS:*.hotmail.com, DNS:*.live.com, DNS:*.outlook.com,
DNS:hotmail.com is valid for smtp.live.com, but PHP fails to do so.

This could break any application that connects to an SSL-secured service
where the connection hostname is not directly within the CommonName
field. From my perspective there is no workaround available except
changing the hostname used to connect into one that is mentioned in the
common name, which fails for the mentioned example, as Microsoft is
(seemingly) not offering any alternative hostname.

Thanks and kind regards,

-- Package-specific info:
==== Additional PHP 5 information ====

++++ PHP 5 SAPI (php5query -S): ++++

++++ PHP 5 Extensions (php5query -M -v): ++++
opcache (Enabled for cli by maintainer script)
opcache (Enabled for apache2 by maintainer script)
readline (Enabled for cli by maintainer script)
readline (Enabled for apache2 by maintainer script)
yaml (Enabled for cli by local administrator)
yaml (Enabled for apache2 by local administrator)
pdo (Enabled for cli by maintainer script)
pdo (Enabled for apache2 by maintainer script)
json (Enabled for cli by maintainer script)
json (Enabled for apache2 by maintainer script)

++++ Configuration files: ++++
**** /etc/php5/mods-available/pdo.ini ****

**** /etc/php5/mods-available/opcache.ini ****

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5 depends on:
ii  libapache2-mod-php5  5.6.0~rc4+dfsg-4
ii  php5-common          5.6.0~rc4+dfsg-4

php5 recommends no packages.

php5 suggests no packages.

Versions of packages php5-common depends on:
ii  libc6   2.19-9
ii  lsof    4.86+dfsg-1
ii  psmisc  22.21-2
ii  sed     4.2.2-4
ii  ucf     3.0030

Versions of packages php5-common suggests:
pn  php5-user-cache  <none>

-- no debconf information
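The following is an added example and is not part of the bug report or of PHP's own openssl extension. It shows what a correct peer-name check has to do with the certificate quoted above: consult the dNSName entries of the Subject Alternative Name extension first and fall back to the Common Name only when the certificate carries no dNSName at all (RFC 6125 matching rules, with the wildcard restricted to the leftmost label). The certificate array is constructed by hand from the subject and SAN values shown in the report, in the shape openssl_x509_parse() returns, so the script runs offline; the function names are the example's own.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Host-name matching against a parsed X.509 certificate, SAN first, CN only
// as a fallback. Written to run on PHP 5.6 (no scalar type hints, no "??").

/**
 * Match one host name against one certificate name, which may be a wildcard.
 * Only a single '*' as the whole leftmost label is honoured; it matches
 * exactly one non-empty label, never across dots, and the pattern must keep
 * at least two fixed labels so that "*.com" style names are rejected.
 */
function cert_name_matches($pattern, $host)
{
    $pattern = strtolower(rtrim($pattern, '.'));
    $host    = strtolower(rtrim($host, '.'));

    if ($pattern === $host) {
        return true;
    }
    if (substr_count($pattern, '*') !== 1) {
        return false;                       // no wildcard, or more than one
    }

    $plabels = explode('.', $pattern);
    $hlabels = explode('.', $host);

    if ($plabels[0] !== '*' || count($plabels) < 3) {
        return false;                       // wildcard must be the whole first label
    }
    if (count($plabels) !== count($hlabels) || $hlabels[0] === '') {
        return false;                       // wildcard covers exactly one label
    }
    // Remaining labels must match exactly (array_slice reindexes both sides).
    return array_slice($plabels, 1) === array_slice($hlabels, 1);
}

/**
 * Pull the dNSName entries out of the subjectAltName extension string as
 * openssl_x509_parse() renders it, e.g.
 * "DNS:a.example, DNS:*.b.example, IP Address:192.0.2.1".
 */
function san_dns_names(array $cert)
{
    if (!isset($cert['extensions']['subjectAltName'])) {
        return array();
    }
    $names = array();
    foreach (explode(',', $cert['extensions']['subjectAltName']) as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = substr($entry, 4);
        }
    }
    return $names;
}

/**
 * Is $host an acceptable peer name for this certificate?
 * The CN is consulted only when the certificate has no dNSName SAN entry.
 */
function cert_valid_for_host(array $cert, $host)
{
    $names = san_dns_names($cert);
    if ($names === array()) {
        if (!isset($cert['subject']['CN'])) {
            return false;
        }
        $names = array($cert['subject']['CN']);
    }
    foreach ($names as $name) {
        if (cert_name_matches($name, $host)) {
            return true;
        }
    }
    return false;
}

// Constructed from the subject and SAN values quoted in the report; this is
// not the output of a live connection.
$smtpLiveCert = array(
    'subject' => array(
        'C' => 'US', 'ST' => 'Washington', 'L' => 'Redmond',
        'O' => 'Microsoft Corporation', 'CN' => '*.hotmail.com',
    ),
    'extensions' => array(
        'subjectAltName' => 'DNS:*.hotmail.com, DNS:*.live.com, DNS:*.outlook.com, DNS:hotmail.com',
    ),
);

foreach (array('smtp.live.com', 'hotmail.com', 'a.b.live.com', 'live.com') as $host) {
    printf("%-14s CN-only: %-5s  SAN-aware: %s\n",
        $host,
        cert_name_matches($smtpLiveCert['subject']['CN'], $host) ? 'ok' : 'FAIL',
        cert_valid_for_host($smtpLiveCert, $host) ? 'ok' : 'FAIL');
}
```

Run with `php san_check.php` (any file name). For smtp.live.com the CN-only column fails and the SAN-aware column passes, which is the discrepancy between PHP and `openssl s_client` that the report describes; hotmail.com passes through its exact SAN entry, while a.b.live.com and live.com fail because a wildcard covers exactly one label and there is no exact entry for the bare domain. In a real client the matching is done by the stream layer, not by application code: with PHP 5.6 the relevant `ssl` stream-context options are `verify_peer`, `verify_peer_name`, `peer_name` (the name the certificate is checked against, which may differ from the hostname passed to fsockopen() or stream_socket_client()) and `cafile`/`capath`, and a peer-name check should never be disabled just to get past a CN mismatch, since that also disables the protection against a substituted certificate.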
