[php-maint] Bug#759501: Bug#759501: php5: TLS/SSL connections do not honour the SubjectAltName within certificates

Ondřej Surý ondrej at sury.org
Thu Aug 28 12:50:18 UTC 2014


Control: tags -1 +moreinfo

Andre,

I am afraid you will need to provide a test case, since I am not able
to reproduce your problem with my SNI subAltName cert:

<?php

// should work...
$conn = fsockopen("tls://deb.sury.org:443");

// this should not work, but works...
$conn = fsockopen("tls://sury.org:443");

?>

works as expected.

And the certificate used matches your use case:

[...]
        Subject: description=7hl6z4SJ5DXjO6a5, C=CZ, CN=deb.sury.org/emailAddress=f45c5fa85f3aa1c242afbabf6f49ceb348318220 at whois.gkg.net
[...]
            X509v3 Subject Alternative Name: 
                DNS:deb.sury.org, DNS:sury.org
[...]

Please provide a clear PHP test case that can reproduce your problem.

Cheers,
Ondrej

On Wed, Aug 27, 2014, at 21:16, Andre Klärner wrote:
> Package: php5-common
> Version: 5.6.0~rc4+dfsg-4
> Severity: normal
> Tags: upstream
> 
> Dear Maintainer,
> 
> as PHP 5.6 enabled peer verification by default, I noticed that the
> verification does not take account of the Subject Alternative Names within
> the certificate. Upstream already knows of a bug for this:
>   Bug #55236      Can't open a connection via TLS
> 
> The problem gets noticeable when you try to connect to an SSL-secured
> service via fsockopen() and the hostname used to connect differs
> from the certificate's Common Name. Take this example:
> 
> kandre at mainframe(pts/12) ~ % openssl s_client -starttls smtp -connect smtp.live.com:587 -CApath /etc/ssl/certs
> CONNECTED(00000003)
> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
> verify return:1
> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - G2
> verify return:1
> depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *.hotmail.com
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=*.hotmail.com
>    i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
>  1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
>    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
> ---
> 
> OpenSSL is properly verifying the certificate and comes to the
> conclusion that the certificate (CN=*.hotmail.com, X509v3 Subject
> Alternative Name: DNS:*.hotmail.com, DNS:*.live.com, DNS:*.outlook.com,
> DNS:hotmail.com) is valid for smtp.live.com, but PHP fails to do so.
> 
> This could break any application that connects to an SSL-secured service
> where the connection hostname is not directly within the CommonName
> field. From my perspective there is no workaround available except
> changing the hostname used to connect into one that is mentioned in the
> common name, which fails for the mentioned example, as Microsoft is
> (seemingly) not offering any alternative hostname.
> 
> Thanks and kind regards,
> Andre
> 
> 
> -- Package-specific info:
> ==== Additional PHP 5 information ====
> 
> ++++ PHP 5 SAPI (php5query -S): ++++
> cli
> apache2
> 
> ++++ PHP 5 Extensions (php5query -M -v): ++++
> opcache (Enabled for cli by maintainer script)
> opcache (Enabled for apache2 by maintainer script)
> readline (Enabled for cli by maintainer script)
> readline (Enabled for apache2 by maintainer script)
> yaml (Enabled for cli by local administrator)
> yaml (Enabled for apache2 by local administrator)
> pdo (Enabled for cli by maintainer script)
> pdo (Enabled for apache2 by maintainer script)
> json (Enabled for cli by maintainer script)
> json (Enabled for apache2 by maintainer script)
> 
> ++++ Configuration files: ++++
> **** /etc/php5/mods-available/pdo.ini ****
> extension=pdo.so
> 
> **** /etc/php5/mods-available/opcache.ini ****
> zend_extension=opcache.so
> 
> 
> -- System Information:
> Debian Release: jessie/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
>   'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 3.16-rc6-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages php5 depends on:
> ii  libapache2-mod-php5  5.6.0~rc4+dfsg-4
> ii  php5-common          5.6.0~rc4+dfsg-4
> 
> php5 recommends no packages.
> 
> php5 suggests no packages.
> 
> Versions of packages php5-common depends on:
> ii  libc6   2.19-9
> ii  lsof    4.86+dfsg-1
> ii  psmisc  22.21-2
> ii  sed     4.2.2-4
> ii  ucf     3.0030
> 
> Versions of packages php5-common suggests:
> pn  php5-user-cache  <none>
> 
> -- no debconf information
> 
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint


-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
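The check the report says PHP 5.6's fsockopen() was skipping, written out as an added Python illustration (not PHP's or OpenSSL's code, and not part of this thread): a hostname is matched against the certificate's dNSName SAN entries first, with the CN consulted only when the certificate carries no SAN, and a wildcard allowed to stand for one whole leftmost label only. The two certificate records are constructed from the CN and SAN values quoted in the messages above.

```python
"""SAN-aware hostname verification versus a CN-only check.

Added illustration only; not the code of PHP or OpenSSL.  The certificate
fields below are constructed from the values quoted in the bug report and
the maintainer's reply.
"""

def _label_match(pattern, hostname):
    """RFC 6125 style match: '*' may stand for exactly one whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Wildcard must leave at least two literal labels (reject '*.com').
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as 'f*.example.com' are rejected
    return p_labels == h_labels

def hostname_matches(hostname, subject_cn, san_dns_names):
    """Return (matched, source).  If the cert carries any dNSName SAN, only
    those are consulted; the CN is a fallback for legacy certs without SAN."""
    if san_dns_names:
        for name in san_dns_names:
            if _label_match(name, hostname):
                return True, "SAN:" + name
        return False, "SAN"
    if subject_cn and _label_match(subject_cn, hostname):
        return True, "CN:" + subject_cn
    return False, "CN"

# Constructed from the smtp.live.com certificate shown in the report.
SMTP_LIVE_CERT = {"cn": "*.hotmail.com",
                  "san": ["*.hotmail.com", "*.live.com", "*.outlook.com", "hotmail.com"]}
# Constructed from the maintainer's certificate (CN plus two SAN entries).
SURY_CERT = {"cn": "deb.sury.org", "san": ["deb.sury.org", "sury.org"]}

def cn_only_matches(hostname, cert):
    """What a verifier that ignores the SAN extension would decide."""
    return _label_match(cert["cn"], hostname)

def check(hostname, cert):
    """SAN-aware decision for a hostname against one of the constructed certs."""
    return hostname_matches(hostname, cert["cn"], cert["san"])

if __name__ == "__main__":
    for host, cert in [("smtp.live.com", SMTP_LIVE_CERT), ("sury.org", SURY_CERT),
                       ("a.b.live.com", SMTP_LIVE_CERT)]:
        ok, via = check(host, cert)
        print(f"{host}: SAN-aware={ok} ({via}), CN-only={cn_only_matches(host, cert)}")
```

For both hosts from the thread the CN-only check fails while the SAN-aware check succeeds, which is exactly the gap the report describes; the third host shows that a wildcard does not span two labels.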
