[php-maint] Bug#759501: Bug#759501: php5: TLS/SSL connections do not honour the SubjectAltName within certificates
Ondřej Surý
ondrej at sury.org
Thu Aug 28 12:50:18 UTC 2014
Control: tags -1 +moreinfo
Andre,
I am afraid you will need to provide a test case, since I am not able
to reproduce your problem with my SNI subAltName cert:
<?php
// deb.sury.org is the CN and also a SAN entry: should work...
$conn = fsockopen("tls://deb.sury.org:443", -1, $errno, $errstr);
var_dump($conn, $errstr);
// sury.org is only in the SAN, not the CN: this should not work, but works...
$conn = fsockopen("tls://sury.org:443", -1, $errno, $errstr);
var_dump($conn, $errstr);
?>
works as expected.
And the certificate used matches your use case:
[...]
Subject: description=7hl6z4SJ5DXjO6a5, C=CZ,
CN=deb.sury.org/emailAddress=f45c5fa85f3aa1c242afbabf6f49ceb348318220 at whois.gkg.net
[...]
X509v3 Subject Alternative Name:
DNS:deb.sury.org, DNS:sury.org
[...]
Please provide a clear PHP test case that can reproduce your problem.
Cheers,
Ondrej
On Wed, Aug 27, 2014, at 21:16, Andre Klärner wrote:
> Package: php5-common
> Version: 5.6.0~rc4+dfsg-4
> Severity: normal
> Tags: upstream
>
> Dear Maintainer,
>
> As PHP 5.6 enabled peer verification by default, I noticed that the
> verification does not take into account the Subject Alternative Names
> within the certificate. Upstream already knows of a bug about this:
> Bug #55236 Can't open a connection via TLS
>
> The problem gets noticeable when you try to connect to an SSL-secured
> service via fsockopen() and the hostname used to connect differs
> from the certificate's Common Name. Take this example:
>
> kandre at mainframe(pts/12) ~ % openssl s_client -starttls smtp -connect
> smtp.live.com:587 -CApath /etc/ssl/certs
> CONNECTED(00000003)
> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root
> CA
> verify return:1
> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization
> Validation CA - G2
> verify return:1
> depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation,
> CN = *.hotmail.com
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=*.hotmail.com
> i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
> G2
> 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
> G2
> i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
> ---
>
> OpenSSL properly verifies the certificate and comes to the
> conclusion that the certificate (CN=*.hotmail.com, X509v3 Subject
> Alternative Name: DNS:*.hotmail.com, DNS:*.live.com, DNS:*.outlook.com,
> DNS:hotmail.com) is valid for smtp.live.com, but PHP fails to do so.
>
> This could break any application that connects to an SSL-secured service
> where the connection hostname is not directly within the CommonName
> field. From my perspective there is no workaround available except
> changing the hostname to connect to into one that is mentioned in the
> common name, which fails for the mentioned example, as Microsoft is
> (seemingly) not offering any alternative hostname.
>
> Thanks and kind regards,
> Andre
>
>
> -- Package-specific info:
> ==== Additional PHP 5 information ====
>
> ++++ PHP 5 SAPI (php5query -S): ++++
> cli
> apache2
>
> ++++ PHP 5 Extensions (php5query -M -v): ++++
> opcache (Enabled for cli by maintainer script)
> opcache (Enabled for apache2 by maintainer script)
> readline (Enabled for cli by maintainer script)
> readline (Enabled for apache2 by maintainer script)
> yaml (Enabled for cli by local administrator)
> yaml (Enabled for apache2 by local administrator)
> pdo (Enabled for cli by maintainer script)
> pdo (Enabled for apache2 by maintainer script)
> json (Enabled for cli by maintainer script)
> json (Enabled for apache2 by maintainer script)
>
> ++++ Configuration files: ++++
> **** /etc/php5/mods-available/pdo.ini ****
> extension=pdo.so
>
> **** /etc/php5/mods-available/opcache.ini ****
> zend_extension=opcache.so
>
>
> -- System Information:
> Debian Release: jessie/sid
> APT prefers unstable
> APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
> 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 3.16-rc6-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages php5 depends on:
> ii libapache2-mod-php5 5.6.0~rc4+dfsg-4
> ii php5-common 5.6.0~rc4+dfsg-4
>
> php5 recommends no packages.
>
> php5 suggests no packages.
>
> Versions of packages php5-common depends on:
> ii libc6 2.19-9
> ii lsof 4.86+dfsg-1
> ii psmisc 22.21-2
> ii sed 4.2.2-4
> ii ucf 3.0030
>
> Versions of packages php5-common suggests:
> pn php5-user-cache <none>
>
> -- no debconf information
>
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
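The hostname check at issue in this thread, as an added Python example (not code from the bug report, the reply, or PHP itself): a simplified RFC 6125 matcher that consults the SAN DNS entries first and falls back to the CN only when the certificate carries no DNS SAN, run against the two certificates quoted above (transcribed here as constructed data). A second function models the CN-only behaviour the report describes, so the difference for smtp.live.com is visible.

```python
# Added example (not code from the bug thread): a simplified RFC 6125
# hostname check. SAN DNS entries take precedence; the CN is consulted
# only when the certificate carries no DNS SANs at all.
from typing import List, Optional


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.example.com') against a host."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Only the whole left-most label may be a wildcard, and at least two
    # labels must follow it, so '*.com' and 'f*o.example.com' never match.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # The wildcard covers exactly one label: '*.live.com' matches
    # 'smtp.live.com' but neither 'live.com' nor 'a.b.live.com'.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def match_hostname(hostname: str, common_name: Optional[str],
                   san_dns: List[str]) -> bool:
    """Correct behaviour: SAN first, CN only as a fallback without DNS SANs."""
    if san_dns:
        return any(_name_matches(n, hostname) for n in san_dns)
    return common_name is not None and _name_matches(common_name, hostname)


def match_cn_only(hostname: str, common_name: Optional[str]) -> bool:
    """The defective behaviour the report describes: SAN entries ignored."""
    return common_name is not None and _name_matches(common_name, hostname)


# The two certificates discussed in the thread, transcribed as constructed data.
LIVE_CN, LIVE_SAN = "*.hotmail.com", ["*.hotmail.com", "*.live.com",
                                      "*.outlook.com", "hotmail.com"]
SURY_CN, SURY_SAN = "deb.sury.org", ["deb.sury.org", "sury.org"]

if __name__ == "__main__":
    for host, cn, san in (("smtp.live.com", LIVE_CN, LIVE_SAN),
                          ("sury.org", SURY_CN, SURY_SAN)):
        print(f"{host}: SAN-aware={match_hostname(host, cn, san)} "
              f"CN-only={match_cn_only(host, cn)}")
```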