Your message dated Wed, 27 Jan 2016 11:58:48 +0100
with message-id 
<1453892328.1265838.503893586.7f4fa...@webmail.messagingengine.com>
and subject line Re: [php-maint] Bug#759501: Bug#759501: php5: TLS/SSL 
connections do not honour the SubjectAltName within certificates
has caused the Debian Bug report #759501,
regarding php5: TLS/SSL connections do not honour the SubjectAltName within 
certificates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
759501: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759501
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: php5-common
Version: 5.6.0~rc4+dfsg-4
Severity: normal
Tags: upstream

Dear Maintainer,

as PHP 5.6 enabled peer verification by default, I noticed that the
verification does not account for the Subject Alternative Names within the
certificate. Upstream already knows of a bug about this:
  Bug #55236    Can't open a connection via TLS

The problem gets noticeable when you try to connect to an SSL-secured
service via fsockopen() and the hostname used to connect differs
from the certificate's Common Name. Take this example:

kandre@mainframe(pts/12) ~ % openssl s_client -starttls smtp -connect smtp.live.com:587 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - G2
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *.hotmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=*.hotmail.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---

OpenSSL is properly verifying the certificate and comes to the
conclusion that the certificate (CN=*.hotmail.com, X509v3 Subject
Alternative Name: DNS:*.hotmail.com, DNS:*.live.com, DNS:*.outlook.com,
DNS:hotmail.com) is valid for smtp.live.com, but PHP fails to do so.

This could break any application that connects to an SSL-secured service
where the connection hostname is not directly within the CommonName
field. From my perspective there is no workaround available except
changing the hostname to connect to into one that is mentioned in the
Common Name, which fails for the mentioned example, as Microsoft is
(seemingly) not offering any alternative hostname.

Thanks and kind regards,
Andre


-- Package-specific info:
==== Additional PHP 5 information ====

++++ PHP 5 SAPI (php5query -S): ++++
cli
apache2

++++ PHP 5 Extensions (php5query -M -v): ++++
opcache (Enabled for cli by maintainer script)
opcache (Enabled for apache2 by maintainer script)
readline (Enabled for cli by maintainer script)
readline (Enabled for apache2 by maintainer script)
yaml (Enabled for cli by local administrator)
yaml (Enabled for apache2 by local administrator)
pdo (Enabled for cli by maintainer script)
pdo (Enabled for apache2 by maintainer script)
json (Enabled for cli by maintainer script)
json (Enabled for apache2 by maintainer script)

++++ Configuration files: ++++
**** /etc/php5/mods-available/pdo.ini ****
extension=pdo.so

**** /etc/php5/mods-available/opcache.ini ****
zend_extension=opcache.so


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5 depends on:
ii  libapache2-mod-php5  5.6.0~rc4+dfsg-4
ii  php5-common          5.6.0~rc4+dfsg-4

php5 recommends no packages.

php5 suggests no packages.

Versions of packages php5-common depends on:
ii  libc6   2.19-9
ii  lsof    4.86+dfsg-1
ii  psmisc  22.21-2
ii  sed     4.2.2-4
ii  ucf     3.0030

Versions of packages php5-common suggests:
pn  php5-user-cache  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Version: php5/5.6.7+dfsg-1

Fixed upstream quite a long time ago.

-- 
Ondřej Surý <[email protected]>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

On Sun, Oct 19, 2014, at 13:59, Ondřej Surý wrote:
> Control: forwarded -1 https://bugs.php.net/bug.php?id=68265
> 
> Andre,
> 
> thank you for the test case, I have successfully repeated your problem
> in PHP 5.6.2 and forwarded the issue to the upstream. Hopefully they
> will fix it before the final Debian release. Sorry it took so long, I
> just didn't have enough time.
> 
> Cheers,
> Ondrej
> 
> On Thu, Aug 28, 2014, at 19:25, Andre Klärner wrote:
> > Hi Ondřej,
> > 
> > I attached an example script that demonstrates the issue. Feel free to
> > run
> > tests against my server. Please note that I use CAcert.org certificates,
> > so
> > make sure you provide the root certificates for CAcert.org to PHP
> > (example
> > included)
> > 
> > The output on my machines is:
> > kandre@mainframe(pts/14) ~ % ./ssl-test-debs.php
> > trying to connect to ssl://debs.ak-online.be
> > PHP Warning:  fsockopen(): Peer certificate CN=`debs.ak-online.net' did
> > not match expected CN=`debs.ak-online.be' in
> > /media/Jen/kandre/ssl-test-debs.php on line 8
> >  PHP Warning:  fsockopen(): Failed to enable crypto in
> >  /media/Jen/kandre/ssl-test-debs.php on line 8
> > PHP Warning:  fsockopen(): unable to connect to
> > ssl://debs.ak-online.be:993 (Unknown error) in
> > /media/Jen/kandre/ssl-test-debs.php on line 8 (0)
> > trying to connect to ssl://debs.ak-online.net
> > connection succeeded
> > 
> > Kind regards,
> > Andre
> > 
> > -- 
> > Andre Klärner
> > _______________________________________________
> > pkg-php-maint mailing list
> > [email protected]
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
> > Email had 2 attachments:
> > + ssl-test-debs.php
> >   1k (text/plain)
> > + smime.p7s
> >   6k (application/x-pkcs7-signature)
> 
> 
> -- 
> Ondřej Surý <[email protected]>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

--- End Message ---
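The two test cases in this thread (smtp.live.com presenting a *.hotmail.com certificate whose SANs cover *.live.com, and debs.ak-online.be presenting a certificate with CN=debs.ak-online.net) both come down to how a client matches the requested hostname against the names in a certificate. The following Python is an added illustration, not code from the bug report, from PHP, or from Debian: it models the CN-only comparison the report describes alongside an RFC 6125-style check that consults the dNSName SANs first and falls back to the CN only when no SAN is present. The certificate name sets are constructed from the openssl output quoted above (the SAN list for the debs.ak-online.net certificate is not shown in the thread, so it is assumed empty); `CertNames`, `matches_cn_only` and `matches_rfc6125` are names invented for this example.

```python
"""Hostname verification against an X.509 name set (constructed example).

Contrasts CN-only matching (the PHP 5.6.0 behaviour the bug report describes)
with RFC 6125-style matching that prefers Subject Alternative Names.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """The identity fields that matter for hostname verification."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)


def _label_matches(pattern: str, host: str) -> bool:
    """Match one DNS-ID pattern against a host (RFC 6125 section 6.4.3 rules).

    A '*' is honoured only when it is the complete leftmost label, it matches
    exactly one label, and a wildcard needs at least two labels after it
    (so '*.com' never matches anything).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # wildcard must be the whole leftmost label
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def matches_cn_only(names: CertNames, host: str) -> bool:
    """The flawed check: compare the requested host with the CN alone."""
    return _label_matches(names.common_name, host)


def matches_rfc6125(names: CertNames, host: str) -> bool:
    """SAN-aware check: when any dNSName SAN is present the CN is ignored."""
    if names.san_dns:
        return any(_label_matches(p, host) for p in names.san_dns)
    return _label_matches(names.common_name, host)


# Constructed from the openssl s_client output in the bug report.
HOTMAIL_CERT = CertNames(
    common_name="*.hotmail.com",
    san_dns=["*.hotmail.com", "*.live.com", "*.outlook.com", "hotmail.com"],
)

# Constructed from the quoted test output; the SAN list is not shown in the
# thread, so it is assumed to be empty here.
AKONLINE_CERT = CertNames(common_name="debs.ak-online.net")


def compare(names: CertNames, host: str) -> dict[str, bool]:
    """Return both verdicts for one certificate/host pair."""
    return {
        "cn_only": matches_cn_only(names, host),
        "rfc6125": matches_rfc6125(names, host),
    }


if __name__ == "__main__":
    for cert, host in [
        (HOTMAIL_CERT, "smtp.live.com"),
        (HOTMAIL_CERT, "hotmail.com"),
        (HOTMAIL_CERT, "deep.sub.live.com"),  # wildcard spans one label only
        (AKONLINE_CERT, "debs.ak-online.be"),
        (AKONLINE_CERT, "debs.ak-online.net"),
    ]:
        print(f"{host:22} CN={cert.common_name:20} {compare(cert, host)}")
```

The run shows the report's complaint directly: smtp.live.com is rejected by the CN-only comparison and accepted once the *.live.com SAN is consulted, while debs.ak-online.be is correctly rejected by both checks because neither the CN nor any SAN names it. Note that the SAN-aware path deliberately ignores the CN when SANs exist, which is the behaviour RFC 6125 recommends and what OpenSSL's verification in the quoted session did.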
