[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)
jenkins-bot has submitted this change and it was merged. Change subject: Workaround fopen lack of SubjectAltName support for instantCommons .. Workaround fopen lack of SubjectAltName support for instantCommons Hacky work around, where on php < 5.6.0 where SubjectAltName is not supported, if a request to commons.wikimedia.org fails, retry the request but telling php fopen wrapper to treat it as if it came from en.wikipedia.org for validation purposes, since as of c02fab71422a that's what the common name of the cert will be. In the ideal world, everyone would just have curl installed. I know this is super hacky, but I'd really like instant commons to work out of the box even without curl installed. Note: I'm basing the php 5.6 part on documentation, I have not tested this with a copy of that version of php. Bug: T75199 Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f (cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6) --- M includes/HttpFunctions.php 1 file changed, 20 insertions(+), 1 deletion(-) Approvals: BryanDavis: Looks good to me, approved jenkins-bot: Verified
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index a6624ff..0234908 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -956,7 +956,13 @@
 }
 if ( $this->sslVerifyHost ) {
- $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+ // PHP 5.6.0 deprecates CN_match, in favour of peer_name which
+ // actually checks SubjectAltName properly.
+ if ( version_compare( PHP_VERSION, '5.6.0', '>=' ) ) {
+ $options['ssl']['peer_name'] = $this->parsedUrl['host'];
+ } else {
+ $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+ }
 }
 $options['ssl'] += $this->getCertOptions();
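Review bot: The `else` branch keeps `CN_match`, which by the hunk's own comment does not check SubjectAltName, but nothing on that branch says that PHP < 5.6 hosts get the weaker, CN-only host check or that the retry added after fopen() exists because of it. I would put a comment on the `else` branch, for example `// PHP < 5.6: only the certificate CN is compared; see the instantCommons retry after fopen() below`. Both options presumably only matter when peer verification is switched on, which is decided in getCertOptions() and is not visible here, so that is worth confirming, all the more since the commit message says the 5.6 branch was written from documentation and not tested. The enclosing method starts and ends outside the hunk, and the same hunk repeats in the other messages on this page (REL1_24, REL1_23, master).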
@@ -981,6 +987,19 @@
 wfRestoreWarnings();
 if ( !$fh ) {
+ // HACK for instant commons.
+ // If we are contacting (commons|upload).wikimedia.org
+ // try again with CN_match for en.wikipedia.org
+ // as php does not handle SubjectAltName properly
+ // prior to "peer_name" option in php 5.6
+ if ( isset( $options['ssl']['CN_match'] )
+ && ( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
+ || $options['ssl']['CN_match'] === 'upload.wikimedia.org' )
+ ) {
+ $options['ssl']['CN_match'] = 'en.wikipedia.org';
+ $context = stream_context_create( $options );
+ continue;
+ }
 break;
 }
-- To view, visit https://gerrit.wikimedia.org/r/234926 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f Gerrit-PatchSet: 2 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_25 Gerrit-Owner: Gergő TiszaGerrit-Reviewer: Brian Wolff Gerrit-Reviewer: BryanDavis Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
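Review bot: The retry in the `if ( !$fh )` branch runs after any failed fopen(), not only after a certificate name mismatch, and it runs silently, so a connection that succeeded only under the relaxed expected name leaves no trace for whoever later has to explain it. I would log the fallback before the `continue`, e.g. `wfDebug( __METHOD__ . ": retrying with CN_match=en.wikipedia.org\n" );`, and extend the HACK comment to say that the hard-coded name must track whatever CN the Wikimedia certificate carries and that the check still depends on peer verification being enabled. The rewritten `$options['ssl']['CN_match']` also stays in place for the rest of the loop; whether later iterations (a redirect, for instance) reuse it cannot be judged, because the loop starts and ends outside the hunk. The same hunk repeats in the other messages on this page.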
[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)
jenkins-bot has submitted this change and it was merged. Change subject: Workaround fopen lack of SubjectAltName support for instantCommons .. Workaround fopen lack of SubjectAltName support for instantCommons Hacky work around, where on php < 5.6.0 where SubjectAltName is not supported, if a request to commons.wikimedia.org fails, retry the request but telling php fopen wrapper to treat it as if it came from en.wikipedia.org for validation purposes, since as of c02fab71422a that's what the common name of the cert will be. In the ideal world, everyone would just have curl installed. I know this is super hacky, but I'd really like instant commons to work out of the box even without curl installed. Note: I'm basing the php 5.6 part on documentation, I have not tested this with a copy of that version of php. Bug: T75199 Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f (cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6) --- M includes/HttpFunctions.php 1 file changed, 20 insertions(+), 1 deletion(-) Approvals: BryanDavis: Looks good to me, approved jenkins-bot: Verified
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 349ace3..bb415bc 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -928,7 +928,13 @@
 }
 if ( $this->sslVerifyHost ) {
- $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+ // PHP 5.6.0 deprecates CN_match, in favour of peer_name which
+ // actually checks SubjectAltName properly.
+ if ( version_compare( PHP_VERSION, '5.6.0', '>=' ) ) {
+ $options['ssl']['peer_name'] = $this->parsedUrl['host'];
+ } else {
+ $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+ }
 }
 $options['ssl'] += $this->getCertOptions();
@@ -948,6 +954,19 @@
 wfRestoreWarnings();
 if ( !$fh ) {
+ // HACK for instant commons.
+ // If we are contacting (commons|upload).wikimedia.org
+ // try again with CN_match for en.wikipedia.org
+ // as php does not handle SubjectAltName properly
+ // prior to "peer_name" option in php 5.6
+ if ( isset( $options['ssl']['CN_match'] )
+ && ( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
+ || $options['ssl']['CN_match'] === 'upload.wikimedia.org' )
+ ) {
+ $options['ssl']['CN_match'] = 'en.wikipedia.org';
+ $context = stream_context_create( $options );
+ continue;
+ }
 break;
 }
-- To view, visit https://gerrit.wikimedia.org/r/234927 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f Gerrit-PatchSet: 2 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_24 Gerrit-Owner: Gergő TiszaGerrit-Reviewer: Brian Wolff Gerrit-Reviewer: BryanDavis Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)
jenkins-bot has submitted this change and it was merged. Change subject: Workaround fopen lack of SubjectAltName support for instantCommons .. Workaround fopen lack of SubjectAltName support for instantCommons Hacky work around, where on php < 5.6.0 where SubjectAltName is not supported, if a request to commons.wikimedia.org fails, retry the request but telling php fopen wrapper to treat it as if it came from en.wikipedia.org for validation purposes, since as of c02fab71422a that's what the common name of the cert will be. In the ideal world, everyone would just have curl installed. I know this is super hacky, but I'd really like instant commons to work out of the box even without curl installed. Note: I'm basing the php 5.6 part on documentation, I have not tested this with a copy of that version of php. Bug: T75199 Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f (cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6) --- M includes/HttpFunctions.php 1 file changed, 20 insertions(+), 1 deletion(-) Approvals: BryanDavis: Looks good to me, approved jenkins-bot: Verified
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index d0602d2..556871a 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -927,7 +927,13 @@
 }
 if ( $this->sslVerifyHost ) {
- $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+ // PHP 5.6.0 deprecates CN_match, in favour of peer_name which
+ // actually checks SubjectAltName properly.
+ if ( version_compare( PHP_VERSION, '5.6.0', '>=' ) ) {
+ $options['ssl']['peer_name'] = $this->parsedUrl['host'];
+ } else {
+ $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+ }
 }
 $options['ssl'] += $this->getCertOptions();
@@ -947,6 +953,19 @@
 wfRestoreWarnings();
 if ( !$fh ) {
+ // HACK for instant commons.
+ // If we are contacting (commons|upload).wikimedia.org
+ // try again with CN_match for en.wikipedia.org
+ // as php does not handle SubjectAltName properly
+ // prior to "peer_name" option in php 5.6
+ if ( isset( $options['ssl']['CN_match'] )
+ && ( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
+ || $options['ssl']['CN_match'] === 'upload.wikimedia.org' )
+ ) {
+ $options['ssl']['CN_match'] = 'en.wikipedia.org';
+ $context = stream_context_create( $options );
+ continue;
+ }
 break;
 }
-- To view, visit https://gerrit.wikimedia.org/r/234928 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f Gerrit-PatchSet: 2 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_23 Gerrit-Owner: Gergő TiszaGerrit-Reviewer: Brian Wolff Gerrit-Reviewer: BryanDavis Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)
Gergő Tisza has uploaded a new change for review. https://gerrit.wikimedia.org/r/234926 Change subject: Workaround fopen lack of SubjectAltName support for instantCommons .. Workaround fopen lack of SubjectAltName support for instantCommons Hacky work around, where on php 5.6.0 where SubjectAltName is not supported, if a request to commons.wikimedia.org fails, retry the request but telling php fopen wrapper to treat it as if it came from en.wikipedia.org for validation purposes, since as of c02fab71422a that's what the common name of the cert will be. In the ideal world, everyone would just have curl installed. I know this is super hacky, but I'd really like instant commons to work out of the box even without curl installed. Note: I'm basing the php 5.6 part on documentation, I have not tested this with a copy of that version of php. Bug: T75199 Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f (cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6) --- M includes/HttpFunctions.php 1 file changed, 20 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/26/234926/1
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 8e05f59..3b1c217 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -912,7 +912,13 @@
 }
 if ( $this-sslVerifyHost ) {
- $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+ // PHP 5.6.0 deprecates CN_match, in favour of peer_name which
+ // actually checks SubjectAltName properly.
+ if ( version_compare( PHP_VERSION, '5.6.0', '=' ) ) {
+ $options['ssl']['peer_name'] = $this-parsedUrl['host'];
+ } else {
+ $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+ }
 }
 if ( is_dir( $this-caInfo ) ) {
@@ -943,6 +949,19 @@
 wfRestoreWarnings();
 if ( !$fh ) {
+ // HACK for instant commons.
+ // If we are contacting (commons|upload).wikimedia.org
+ // try again with CN_match for en.wikipedia.org
+ // as php does not handle SubjectAltName properly
+ // prior to peer_name option in php 5.6
+ if ( isset( $options['ssl']['CN_match'] )
+( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
+ || $options['ssl']['CN_match'] === 'upload.wikimedia.org' )
+ ) {
+ $options['ssl']['CN_match'] = 'en.wikipedia.org';
+ $context = stream_context_create( $options );
+ continue;
+ }
 break;
 }
-- To view, visit https://gerrit.wikimedia.org/r/234926 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_25 Gerrit-Owner: Gergő Tisza gti...@wikimedia.org Gerrit-Reviewer: Brian Wolff bawolff...@gmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)
Gergő Tisza has uploaded a new change for review. https://gerrit.wikimedia.org/r/234927 Change subject: Workaround fopen lack of SubjectAltName support for instantCommons .. Workaround fopen lack of SubjectAltName support for instantCommons Hacky work around, where on php 5.6.0 where SubjectAltName is not supported, if a request to commons.wikimedia.org fails, retry the request but telling php fopen wrapper to treat it as if it came from en.wikipedia.org for validation purposes, since as of c02fab71422a that's what the common name of the cert will be. In the ideal world, everyone would just have curl installed. I know this is super hacky, but I'd really like instant commons to work out of the box even without curl installed. Note: I'm basing the php 5.6 part on documentation, I have not tested this with a copy of that version of php. Bug: T75199 Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f (cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6) --- M includes/HttpFunctions.php 1 file changed, 20 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/27/234927/1
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 8302124..3ea7e68 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -884,7 +884,13 @@
 }
 if ( $this-sslVerifyHost ) {
- $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+ // PHP 5.6.0 deprecates CN_match, in favour of peer_name which
+ // actually checks SubjectAltName properly.
+ if ( version_compare( PHP_VERSION, '5.6.0', '=' ) ) {
+ $options['ssl']['peer_name'] = $this-parsedUrl['host'];
+ } else {
+ $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+ }
 }
 if ( is_dir( $this-caInfo ) ) {
@@ -910,6 +916,19 @@
 wfRestoreWarnings();
 if ( !$fh ) {
+ // HACK for instant commons.
+ // If we are contacting (commons|upload).wikimedia.org
+ // try again with CN_match for en.wikipedia.org
+ // as php does not handle SubjectAltName properly
+ // prior to peer_name option in php 5.6
+ if ( isset( $options['ssl']['CN_match'] )
+( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
+ || $options['ssl']['CN_match'] === 'upload.wikimedia.org' )
+ ) {
+ $options['ssl']['CN_match'] = 'en.wikipedia.org';
+ $context = stream_context_create( $options );
+ continue;
+ }
 break;
 }
-- To view, visit https://gerrit.wikimedia.org/r/234927 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_24 Gerrit-Owner: Gergő Tisza gti...@wikimedia.org Gerrit-Reviewer: Brian Wolff bawolff...@gmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)
jenkins-bot has submitted this change and it was merged. Change subject: Workaround fopen lack of SubjectAltName support for instantCommons .. Workaround fopen lack of SubjectAltName support for instantCommons Hacky work around, where on php 5.6.0 where SubjectAltName is not supported, if a request to commons.wikimedia.org fails, retry the request but telling php fopen wrapper to treat it as if it came from en.wikipedia.org for validation purposes, since as of c02fab71422a that's what the common name of the cert will be. In the ideal world, everyone would just have curl installed. I know this is super hacky, but I'd really like instant commons to work out of the box even without curl installed. Note: I'm basing the php 5.6 part on documentation, I have not tested this with a copy of that version of php. Bug: T75199 Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f --- M includes/HttpFunctions.php 1 file changed, 20 insertions(+), 1 deletion(-) Approvals: Seb35: Looks good to me, but someone else must approve Gergő Tisza: Looks good to me, approved jenkins-bot: Verified
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index fec8adc..1c79485 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -917,7 +917,13 @@
 }
 if ( $this-sslVerifyHost ) {
- $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+ // PHP 5.6.0 deprecates CN_match, in favour of peer_name which
+ // actually checks SubjectAltName properly.
+ if ( version_compare( PHP_VERSION, '5.6.0', '=' ) ) {
+ $options['ssl']['peer_name'] = $this-parsedUrl['host'];
+ } else {
+ $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+ }
 }
 if ( is_dir( $this-caInfo ) ) {
@@ -948,6 +954,19 @@
 MediaWiki\restoreWarnings();
 if ( !$fh ) {
+ // HACK for instant commons.
+ // If we are contacting (commons|upload).wikimedia.org
+ // try again with CN_match for en.wikipedia.org
+ // as php does not handle SubjectAltName properly
+ // prior to peer_name option in php 5.6
+ if ( isset( $options['ssl']['CN_match'] )
+( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
+ || $options['ssl']['CN_match'] === 'upload.wikimedia.org' )
+ ) {
+ $options['ssl']['CN_match'] = 'en.wikipedia.org';
+ $context = stream_context_create( $options );
+ continue;
+ }
 break;
 }
-- To view, visit https://gerrit.wikimedia.org/r/222086 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f Gerrit-PatchSet: 3 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Brian Wolff bawolff...@gmail.com Gerrit-Reviewer: Alex Monk kren...@gmail.com Gerrit-Reviewer: Brian Wolff bawolff...@gmail.com Gerrit-Reviewer: CSteipp cste...@wikimedia.org Gerrit-Reviewer: Gergő Tisza gti...@wikimedia.org Gerrit-Reviewer: Legoktm legoktm.wikipe...@gmail.com Gerrit-Reviewer: Seb35 seb35wikipe...@gmail.com Gerrit-Reviewer: jenkins-bot ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)
Gergő Tisza has uploaded a new change for review. https://gerrit.wikimedia.org/r/234928 Change subject: Workaround fopen lack of SubjectAltName support for instantCommons .. Workaround fopen lack of SubjectAltName support for instantCommons Hacky work around, where on php 5.6.0 where SubjectAltName is not supported, if a request to commons.wikimedia.org fails, retry the request but telling php fopen wrapper to treat it as if it came from en.wikipedia.org for validation purposes, since as of c02fab71422a that's what the common name of the cert will be. In the ideal world, everyone would just have curl installed. I know this is super hacky, but I'd really like instant commons to work out of the box even without curl installed. Note: I'm basing the php 5.6 part on documentation, I have not tested this with a copy of that version of php. Bug: T75199 Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f (cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6) --- M includes/HttpFunctions.php 1 file changed, 20 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/28/234928/1
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 1fd437e..fd3a72f 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -883,7 +883,13 @@
 }
 if ( $this-sslVerifyHost ) {
- $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+ // PHP 5.6.0 deprecates CN_match, in favour of peer_name which
+ // actually checks SubjectAltName properly.
+ if ( version_compare( PHP_VERSION, '5.6.0', '=' ) ) {
+ $options['ssl']['peer_name'] = $this-parsedUrl['host'];
+ } else {
+ $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+ }
 }
 if ( is_dir( $this-caInfo ) ) {
@@ -909,6 +915,19 @@
 wfRestoreWarnings();
 if ( !$fh ) {
+ // HACK for instant commons.
+ // If we are contacting (commons|upload).wikimedia.org
+ // try again with CN_match for en.wikipedia.org
+ // as php does not handle SubjectAltName properly
+ // prior to peer_name option in php 5.6
+ if ( isset( $options['ssl']['CN_match'] )
+( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
+ || $options['ssl']['CN_match'] === 'upload.wikimedia.org' )
+ ) {
+ $options['ssl']['CN_match'] = 'en.wikipedia.org';
+ $context = stream_context_create( $options );
+ continue;
+ }
 break;
 }
-- To view, visit https://gerrit.wikimedia.org/r/234928 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_23 Gerrit-Owner: Gergő Tisza gti...@wikimedia.org Gerrit-Reviewer: Brian Wolff bawolff...@gmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)
Brian Wolff has uploaded a new change for review. https://gerrit.wikimedia.org/r/222086 Change subject: Workaround fopen lack of SubjectAltName support for instantCommons .. Workaround fopen lack of SubjectAltName support for instantCommons Hacky work around, where on php 5.6.0 where SubjectAltName is not supported, if a request to commons.wikimedia.org fails, retry the request but telling php fopen wrapper to treat it as if it came from en.wikipedia.org for validation purposes, since as of c02fab71422a that's what the common name of the cert will be. In the ideal world, everyone would just have curl installed. I know this is super hacky, but I'd really like instant commons to work out of the box even without curl installed. Note: I'm basing the php 5.6 part on documentation, I have not tested this with a copy of that version of php. Bug: T75199 Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f --- M includes/HttpFunctions.php 1 file changed, 20 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/86/222086/1
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 825cd06..2029092 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -912,7 +912,13 @@
 }
 if ( $this-sslVerifyHost ) {
- $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+ // PHP 5.6.0 deprecates CN_match, in favour of peer_name which
+ // actually checks SubjectAltName properly.
+ if ( version_compare( PHP_VERSION, '5.6.0', '=' ) ) {
+ $options['ssl']['peer_name'] = $this-parsedUrl['host'];
+ } else {
+ $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+ }
 }
 if ( is_dir( $this-caInfo ) ) {
@@ -943,6 +949,19 @@
 MediaWiki\restoreWarnings();
 if ( !$fh ) {
+ // HACK for instant commons.
+ // If we are contacting (commons|upload).wikimedia.org
+ // try again with CN_match for en.wikipedia.org
+ // as php does not handle SubjectAltName properly
+ // prior to peer_name option in php 5.6
+ if ( isset( $options['ssl']['CN_match'] )
+( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
+ || $options['ssl']['CN_match'] === 'upload.wikimedia.org' )
+ ) {
+ $options['ssl']['CN_match'] = 'en.wikipedia.org';
+ $context = stream_context_create( $options );
+ continue;
+ }
 break;
 }
-- To view, visit https://gerrit.wikimedia.org/r/222086 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Brian Wolff bawolff...@gmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits