ID:               47030
 User updated by:  a...@php.net
 Reported By:      a...@php.net
 Status:           Assigned
 Bug Type:         OpenSSL related
 Operating System: Windows Vista
 PHP Version:      5.2.8
 Assigned To:      pajoye
 New Comment:

It may also be a good idea to use the name explicitly given in CN_match for
peer verification instead of the host name stream_socket_client() was called
upon. Consider a proxy scenario:
<?php
$context = stream_context_create(array(
    'ssl' => array(
        'verify_peer' => true,
        'CN_match'    => 'sourceforge.net'
    )
));
// connecting to proxy
$stream = stream_socket_client(
    'tcp://proxy.example.com:3128', $errno, $errstr, 10,
    STREAM_CLIENT_CONNECT, $context
);
// establishing the tunnel
fwrite($stream, 'CONNECT sourceforge.net ...');

// ... read proxy response

// establish crypto
stream_socket_enable_crypto(
    $stream, true, STREAM_CRYPTO_METHOD_TLS_CLIENT
);
?>

This script will fail now since proxy.example.com obviously doesn't
match the certificate for sourceforge.net.


Previous Comments:
------------------------------------------------------------------------

[2009-01-07 18:17:54] paj...@php.net

I will take a look at that asap.

------------------------------------------------------------------------

[2009-01-07 17:33:15] a...@php.net

Description:
------------
It is currently impossible to only perform a check that the host name
matches Common Name in SSL certificate. If 'verify_peer' is off, then
the check is not performed, while documentation does not mention that
these context options are dependent.

Note that cURL extension behaves as expected, the script
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPGET, true);
curl_setopt($ch, CURLOPT_URL, 'https://sf.net/');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
if (!curl_exec($ch)) {
    echo "Error #" . curl_errno($ch) . ": " . curl_error($ch);
}
?>
outputs the following:
Error #51: SSL: certificate subject name 'sourceforge.net' does not
match target host name 'sf.net'

Reproduce code:
---------------
$context = stream_context_create(array(
    'ssl' => array(
        'verify_peer' => false,
        'CN_match'    => 'sf.net'
    )
));
$stream = stream_socket_client('ssl://sf.net:443', $errno, $errstr, 10,
    STREAM_CLIENT_CONNECT, $context);
if ($stream) {
    echo "Stream connected OK\r\n";
}


Expected result:
----------------
Some error message that certificate name 'sourceforge.net' does not
match expected 'sf.net'

Actual result:
--------------
Stream connected OK


------------------------------------------------------------------------
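Because the report shows that 'CN_match' is silently ignored unless 'verify_peer' is on, a client that wants an explicit host-name check can capture the peer certificate and compare the name itself after the handshake; the same check applies after stream_socket_enable_crypto() in the proxy scenario from the newer comment. This is an added example, not code from the bug report: names_from_cert() and host_matches() are helpers written here, and the CA bundle path is a placeholder.

```php
<?php
// Added example, not from the bug report: verify the peer's name ourselves after the
// handshake. Placeholder: the CA bundle path. sf.net is the host from the report.

function names_from_cert(array $cert) {
    // Collect the subject CN plus every DNS entry from subjectAltName.
    $names = array();
    if (isset($cert['subject']['CN'])) {
        $names[] = strtolower($cert['subject']['CN']);
    }
    if (isset($cert['extensions']['subjectAltName'])) {
        foreach (explode(',', $cert['extensions']['subjectAltName']) as $entry) {
            $entry = trim($entry);
            if (stripos($entry, 'DNS:') === 0) {
                $names[] = strtolower(substr($entry, 4));
            }
        }
    }
    return $names;
}

function host_matches($host, array $names) {
    $host   = strtolower($host);
    $parent = strstr($host, '.');   // ".net" for "sf.net"; false when there is no dot
    foreach ($names as $name) {
        // Exact match, or a wildcard confined to the leftmost label ("*.example.com").
        if ($name === $host || ($parent !== false && $name === '*' . $parent)) {
            return true;
        }
    }
    return false;
}

$host    = 'sf.net';
$context = stream_context_create(array('ssl' => array(
    'verify_peer'       => true,   // required: with it off, CN_match is never checked
    'cafile'            => '/etc/ssl/certs/ca-certificates.crt',
    'CN_match'          => $host,
    'capture_peer_cert' => true,   // makes the leaf certificate available below
)));
$stream = stream_socket_client("ssl://$host:443", $errno, $errstr, 10,
    STREAM_CLIENT_CONNECT, $context);
if (!$stream) {
    die("Connect failed: #$errno $errstr\n");
}
$opts = stream_context_get_options($stream);
$cert = openssl_x509_parse($opts['ssl']['peer_certificate']);
if (!host_matches($host, names_from_cert($cert))) {
    die("Certificate names do not cover $host\n");   // e.g. CN=sourceforge.net vs sf.net
}
echo "Peer verified for $host\n";
```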

