[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)

2015-09-11 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: Workaround fopen lack of SubjectAltName support for 
instantCommons
..


Workaround fopen lack of SubjectAltName support for instantCommons

Hacky work around, where on php < 5.6.0 where SubjectAltName is not
supported, if a request to commons.wikimedia.org fails, retry the
request but telling php fopen wrapper to treat it as if it came
from en.wikipedia.org for validation purposes, since as of
c02fab71422a that's what the common name of the cert will be.

In the ideal world, everyone would just have curl installed.

I know this is super hacky, but I'd really like instant commons to
work out of the box even without curl installed.

Note: I'm basing the php 5.6 part on documentation, I have not tested
this with a copy of that version of php.

Bug: T75199
Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
(cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6)
---
M includes/HttpFunctions.php
1 file changed, 20 insertions(+), 1 deletion(-)

Approvals:
  BryanDavis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index a6624ff..0234908 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -956,7 +956,13 @@
}
 
if ( $this->sslVerifyHost ) {
-   $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+   // PHP 5.6.0 deprecates CN_match, in favour of 
peer_name which
+   // actually checks SubjectAltName properly.
+   if ( version_compare( PHP_VERSION, '5.6.0', '>=' ) ) {
+   $options['ssl']['peer_name'] = 
$this->parsedUrl['host'];
+   } else {
+   $options['ssl']['CN_match'] = 
$this->parsedUrl['host'];
+   }
}
 
$options['ssl'] += $this->getCertOptions();
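
Review bot: the `if`/`else` under `$this->sslVerifyHost` assigns the same `$this->parsedUrl['host']` in both branches, and only the option key differs. Picking the key once from the `version_compare( PHP_VERSION, '5.6.0', '>=' )` result and doing a single assignment would remove the duplication and make it plain that both paths pin verification to the request host.
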
@@ -981,6 +987,19 @@
wfRestoreWarnings();
 
if ( !$fh ) {
+   // HACK for instant commons.
+   // If we are contacting 
(commons|upload).wikimedia.org
+   // try again with CN_match for en.wikipedia.org
+   // as php does not handle SubjectAltName 
properly
+   // prior to "peer_name" option in php 5.6
+   if ( isset( $options['ssl']['CN_match'] )
+   && ( $options['ssl']['CN_match'] === 
'commons.wikimedia.org'
+   || $options['ssl']['CN_match'] 
=== 'upload.wikimedia.org' )
+   ) {
+   $options['ssl']['CN_match'] = 
'en.wikipedia.org';
+   $context = stream_context_create( 
$options );
+   continue;
+   }
break;
}
 
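Review bot: the fallback inside `if ( !$fh )` runs on every failed open to commons.wikimedia.org or upload.wikimedia.org, not only on a certificate name mismatch, so a timeout or refused connection also costs a second attempt with `CN_match` set to 'en.wikipedia.org'. The retry stops after one pass only because the rewritten `CN_match` no longer equals either host; a short comment stating that, or an explicit already-retried flag, would keep a later edit from turning the `continue` into an endless loop.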

-- 
To view, visit https://gerrit.wikimedia.org/r/234926
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_25
Gerrit-Owner: Gergő Tisza 
Gerrit-Reviewer: Brian Wolff 
Gerrit-Reviewer: BryanDavis 
Gerrit-Reviewer: jenkins-bot <>

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)

2015-09-11 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: Workaround fopen lack of SubjectAltName support for 
instantCommons
..


Workaround fopen lack of SubjectAltName support for instantCommons

Hacky work around, where on php < 5.6.0 where SubjectAltName is not
supported, if a request to commons.wikimedia.org fails, retry the
request but telling php fopen wrapper to treat it as if it came
from en.wikipedia.org for validation purposes, since as of
c02fab71422a that's what the common name of the cert will be.

In the ideal world, everyone would just have curl installed.

I know this is super hacky, but I'd really like instant commons to
work out of the box even without curl installed.

Note: I'm basing the php 5.6 part on documentation, I have not tested
this with a copy of that version of php.

Bug: T75199
Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
(cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6)
---
M includes/HttpFunctions.php
1 file changed, 20 insertions(+), 1 deletion(-)

Approvals:
  BryanDavis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 349ace3..bb415bc 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -928,7 +928,13 @@
}
 
if ( $this->sslVerifyHost ) {
-   $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+   // PHP 5.6.0 deprecates CN_match, in favour of 
peer_name which
+   // actually checks SubjectAltName properly.
+   if ( version_compare( PHP_VERSION, '5.6.0', '>=' ) ) {
+   $options['ssl']['peer_name'] = 
$this->parsedUrl['host'];
+   } else {
+   $options['ssl']['CN_match'] = 
$this->parsedUrl['host'];
+   }
}
 
$options['ssl'] += $this->getCertOptions();
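
Review bot: the `else` branch that keeps `CN_match` has no comment, yet the fallback added in the next hunk keys on `isset( $options['ssl']['CN_match'] )`, so this branch decides whether that fallback can ever run. A line here noting that `CN_match` is the pre-5.6 path and that the retry below depends on it would document the coupling.
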
@@ -948,6 +954,19 @@
wfRestoreWarnings();
 
if ( !$fh ) {
+   // HACK for instant commons.
+   // If we are contacting 
(commons|upload).wikimedia.org
+   // try again with CN_match for en.wikipedia.org
+   // as php does not handle SubjectAltName 
properly
+   // prior to "peer_name" option in php 5.6
+   if ( isset( $options['ssl']['CN_match'] )
+   && ( $options['ssl']['CN_match'] === 
'commons.wikimedia.org'
+   || $options['ssl']['CN_match'] 
=== 'upload.wikimedia.org' )
+   ) {
+   $options['ssl']['CN_match'] = 
'en.wikipedia.org';
+   $context = stream_context_create( 
$options );
+   continue;
+   }
break;
}
 
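Review bot: the three host names in the added condition and in `$options['ssl']['CN_match'] = 'en.wikipedia.org';` are string literals inside the request code, and the reason 'en.wikipedia.org' is the right value (the commit message ties it to the certificate's common name as of c02fab71422a) appears only in the commit message. Consider moving the hosts into one named list checked with `in_array()` and copying that rationale into the `// HACK` comment, so the code can be revisited when the certificate changes.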

-- 
To view, visit https://gerrit.wikimedia.org/r/234927
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_24
Gerrit-Owner: Gergő Tisza 
Gerrit-Reviewer: Brian Wolff 
Gerrit-Reviewer: BryanDavis 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)

2015-09-11 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: Workaround fopen lack of SubjectAltName support for 
instantCommons
..


Workaround fopen lack of SubjectAltName support for instantCommons

Hacky work around, where on php < 5.6.0 where SubjectAltName is not
supported, if a request to commons.wikimedia.org fails, retry the
request but telling php fopen wrapper to treat it as if it came
from en.wikipedia.org for validation purposes, since as of
c02fab71422a that's what the common name of the cert will be.

In the ideal world, everyone would just have curl installed.

I know this is super hacky, but I'd really like instant commons to
work out of the box even without curl installed.

Note: I'm basing the php 5.6 part on documentation, I have not tested
this with a copy of that version of php.

Bug: T75199
Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
(cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6)
---
M includes/HttpFunctions.php
1 file changed, 20 insertions(+), 1 deletion(-)

Approvals:
  BryanDavis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index d0602d2..556871a 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -927,7 +927,13 @@
}
 
if ( $this->sslVerifyHost ) {
-   $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+   // PHP 5.6.0 deprecates CN_match, in favour of 
peer_name which
+   // actually checks SubjectAltName properly.
+   if ( version_compare( PHP_VERSION, '5.6.0', '>=' ) ) {
+   $options['ssl']['peer_name'] = 
$this->parsedUrl['host'];
+   } else {
+   $options['ssl']['CN_match'] = 
$this->parsedUrl['host'];
+   }
}
 
$options['ssl'] += $this->getCertOptions();
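
Review bot: the `peer_name` branch guarded by `version_compare( PHP_VERSION, '5.6.0', '>=' )` is the one the commit message says was written from documentation and not run on PHP 5.6. Since this copy goes to a release branch, it would be worth exercising an HTTPS request on PHP 5.6 with `sslVerifyHost` on, or stating in the comment that the branch is untested.
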
@@ -947,6 +953,19 @@
wfRestoreWarnings();
 
if ( !$fh ) {
+   // HACK for instant commons.
+   // If we are contacting 
(commons|upload).wikimedia.org
+   // try again with CN_match for en.wikipedia.org
+   // as php does not handle SubjectAltName 
properly
+   // prior to "peer_name" option in php 5.6
+   if ( isset( $options['ssl']['CN_match'] )
+   && ( $options['ssl']['CN_match'] === 
'commons.wikimedia.org'
+   || $options['ssl']['CN_match'] 
=== 'upload.wikimedia.org' )
+   ) {
+   $options['ssl']['CN_match'] = 
'en.wikipedia.org';
+   $context = stream_context_create( 
$options );
+   continue;
+   }
break;
}
 
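Review bot: after the rewrite in `$options['ssl']['CN_match'] = 'en.wikipedia.org';`, a server reached as commons.wikimedia.org or upload.wikimedia.org passes the name check by presenting a certificate whose common name is en.wikipedia.org, which is sound only while those hosts are served with that certificate. The block does this silently; a debug log entry at the point of the `continue` would let an operator see that the relaxed match was used, and the comment should state the shared-certificate assumption.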

-- 
To view, visit https://gerrit.wikimedia.org/r/234928
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_23
Gerrit-Owner: Gergő Tisza 
Gerrit-Reviewer: Brian Wolff 
Gerrit-Reviewer: BryanDavis 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)

2015-08-30 Thread Code Review
Gergő Tisza has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/234926

Change subject: Workaround fopen lack of SubjectAltName support for 
instantCommons
..

Workaround fopen lack of SubjectAltName support for instantCommons

Hacky work around, where on php < 5.6.0 where SubjectAltName is not
supported, if a request to commons.wikimedia.org fails, retry the
request but telling php fopen wrapper to treat it as if it came
from en.wikipedia.org for validation purposes, since as of
c02fab71422a that's what the common name of the cert will be.

In the ideal world, everyone would just have curl installed.

I know this is super hacky, but I'd really like instant commons to
work out of the box even without curl installed.

Note: I'm basing the php 5.6 part on documentation, I have not tested
this with a copy of that version of php.

Bug: T75199
Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
(cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6)
---
M includes/HttpFunctions.php
1 file changed, 20 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/26/234926/1

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 8e05f59..3b1c217 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -912,7 +912,13 @@
}
 
if ( $this-sslVerifyHost ) {
-   $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+   // PHP 5.6.0 deprecates CN_match, in favour of 
peer_name which
+   // actually checks SubjectAltName properly.
+   if ( version_compare( PHP_VERSION, '5.6.0', '=' ) ) {
+   $options['ssl']['peer_name'] = 
$this-parsedUrl['host'];
+   } else {
+   $options['ssl']['CN_match'] = 
$this-parsedUrl['host'];
+   }
}
 
if ( is_dir( $this-caInfo ) ) {
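
Review bot: in this copy the third argument of `version_compare( PHP_VERSION, '5.6.0', '=' )` is `'='`, which selects `peer_name` only on exactly PHP 5.6.0 and sends every later version to the deprecated `CN_match` branch. The comment above it describes 5.6.0 as the point where `peer_name` takes over, and the merged copies of this change on this page use `'>='`; the operator should be `'>='` here as well.
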
@@ -943,6 +949,19 @@
wfRestoreWarnings();
 
if ( !$fh ) {
+   // HACK for instant commons.
+   // If we are contacting 
(commons|upload).wikimedia.org
+   // try again with CN_match for en.wikipedia.org
+   // as php does not handle SubjectAltName 
properly
+   // prior to peer_name option in php 5.6
+   if ( isset( $options['ssl']['CN_match'] )
+( $options['ssl']['CN_match'] === 
'commons.wikimedia.org'
+   || $options['ssl']['CN_match'] 
=== 'upload.wikimedia.org' )
+   ) {
+   $options['ssl']['CN_match'] = 
'en.wikipedia.org';
+   $context = stream_context_create( 
$options );
+   continue;
+   }
break;
}
 
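Review bot: as shown in this copy, the added condition has no operator between `isset( $options['ssl']['CN_match'] )` and the parenthesised host comparison on the next line, which PHP will not parse. The merged copies of this change on this page join the two with `&&`; that operator needs to be present here.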

-- 
To view, visit https://gerrit.wikimedia.org/r/234926
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_25
Gerrit-Owner: Gergő Tisza gti...@wikimedia.org
Gerrit-Reviewer: Brian Wolff bawolff...@gmail.com



[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)

2015-08-30 Thread Code Review
Gergő Tisza has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/234927

Change subject: Workaround fopen lack of SubjectAltName support for 
instantCommons
..

Workaround fopen lack of SubjectAltName support for instantCommons

Hacky work around, where on php < 5.6.0 where SubjectAltName is not
supported, if a request to commons.wikimedia.org fails, retry the
request but telling php fopen wrapper to treat it as if it came
from en.wikipedia.org for validation purposes, since as of
c02fab71422a that's what the common name of the cert will be.

In the ideal world, everyone would just have curl installed.

I know this is super hacky, but I'd really like instant commons to
work out of the box even without curl installed.

Note: I'm basing the php 5.6 part on documentation, I have not tested
this with a copy of that version of php.

Bug: T75199
Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
(cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6)
---
M includes/HttpFunctions.php
1 file changed, 20 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/27/234927/1

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 8302124..3ea7e68 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -884,7 +884,13 @@
}
 
if ( $this-sslVerifyHost ) {
-   $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+   // PHP 5.6.0 deprecates CN_match, in favour of 
peer_name which
+   // actually checks SubjectAltName properly.
+   if ( version_compare( PHP_VERSION, '5.6.0', '=' ) ) {
+   $options['ssl']['peer_name'] = 
$this-parsedUrl['host'];
+   } else {
+   $options['ssl']['CN_match'] = 
$this-parsedUrl['host'];
+   }
}
 
if ( is_dir( $this-caInfo ) ) {
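
Review bot: the property accesses in this copy read `$this-sslVerifyHost` and `$this-parsedUrl['host']`, without the `>` of the object operator, so the guard and both assignments do not read the request's properties as written. The merged copies on this page use `$this->sslVerifyHost` and `$this->parsedUrl['host']`; this copy should match them before it is applied.
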
@@ -910,6 +916,19 @@
wfRestoreWarnings();
 
if ( !$fh ) {
+   // HACK for instant commons.
+   // If we are contacting 
(commons|upload).wikimedia.org
+   // try again with CN_match for en.wikipedia.org
+   // as php does not handle SubjectAltName 
properly
+   // prior to peer_name option in php 5.6
+   if ( isset( $options['ssl']['CN_match'] )
+( $options['ssl']['CN_match'] === 
'commons.wikimedia.org'
+   || $options['ssl']['CN_match'] 
=== 'upload.wikimedia.org' )
+   ) {
+   $options['ssl']['CN_match'] = 
'en.wikipedia.org';
+   $context = stream_context_create( 
$options );
+   continue;
+   }
break;
}
 
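Review bot: the added `continue` depends on an enclosing loop that is not visible in this hunk. Please confirm that re-entering it reopens the connection with the new `$context` from `stream_context_create( $options )` and that the extra pass does not count against whatever limit that loop enforces, and say so in the `// HACK` comment.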

-- 
To view, visit https://gerrit.wikimedia.org/r/234927
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_24
Gerrit-Owner: Gergő Tisza gti...@wikimedia.org
Gerrit-Reviewer: Brian Wolff bawolff...@gmail.com



[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)

2015-08-30 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: Workaround fopen lack of SubjectAltName support for 
instantCommons
..


Workaround fopen lack of SubjectAltName support for instantCommons

Hacky work around, where on php < 5.6.0 where SubjectAltName is not
supported, if a request to commons.wikimedia.org fails, retry the
request but telling php fopen wrapper to treat it as if it came
from en.wikipedia.org for validation purposes, since as of
c02fab71422a that's what the common name of the cert will be.

In the ideal world, everyone would just have curl installed.

I know this is super hacky, but I'd really like instant commons to
work out of the box even without curl installed.

Note: I'm basing the php 5.6 part on documentation, I have not tested
this with a copy of that version of php.

Bug: T75199
Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
---
M includes/HttpFunctions.php
1 file changed, 20 insertions(+), 1 deletion(-)

Approvals:
  Seb35: Looks good to me, but someone else must approve
  Gergő Tisza: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index fec8adc..1c79485 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -917,7 +917,13 @@
}
 
if ( $this-sslVerifyHost ) {
-   $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+   // PHP 5.6.0 deprecates CN_match, in favour of 
peer_name which
+   // actually checks SubjectAltName properly.
+   if ( version_compare( PHP_VERSION, '5.6.0', '=' ) ) {
+   $options['ssl']['peer_name'] = 
$this-parsedUrl['host'];
+   } else {
+   $options['ssl']['CN_match'] = 
$this-parsedUrl['host'];
+   }
}
 
if ( is_dir( $this-caInfo ) ) {
@@ -948,6 +954,19 @@
MediaWiki\restoreWarnings();
 
if ( !$fh ) {
+   // HACK for instant commons.
+   // If we are contacting 
(commons|upload).wikimedia.org
+   // try again with CN_match for en.wikipedia.org
+   // as php does not handle SubjectAltName 
properly
+   // prior to peer_name option in php 5.6
+   if ( isset( $options['ssl']['CN_match'] )
+( $options['ssl']['CN_match'] === 
'commons.wikimedia.org'
+   || $options['ssl']['CN_match'] 
=== 'upload.wikimedia.org' )
+   ) {
+   $options['ssl']['CN_match'] = 
'en.wikipedia.org';
+   $context = stream_context_create( 
$options );
+   continue;
+   }
break;
}
 

-- 
To view, visit https://gerrit.wikimedia.org/r/222086
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
Gerrit-PatchSet: 3
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Brian Wolff bawolff...@gmail.com
Gerrit-Reviewer: Alex Monk kren...@gmail.com
Gerrit-Reviewer: Brian Wolff bawolff...@gmail.com
Gerrit-Reviewer: CSteipp cste...@wikimedia.org
Gerrit-Reviewer: Gergő Tisza gti...@wikimedia.org
Gerrit-Reviewer: Legoktm legoktm.wikipe...@gmail.com
Gerrit-Reviewer: Seb35 seb35wikipe...@gmail.com
Gerrit-Reviewer: jenkins-bot 



[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)

2015-08-30 Thread Code Review
Gergő Tisza has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/234928

Change subject: Workaround fopen lack of SubjectAltName support for 
instantCommons
..

Workaround fopen lack of SubjectAltName support for instantCommons

Hacky work around, where on php < 5.6.0 where SubjectAltName is not
supported, if a request to commons.wikimedia.org fails, retry the
request but telling php fopen wrapper to treat it as if it came
from en.wikipedia.org for validation purposes, since as of
c02fab71422a that's what the common name of the cert will be.

In the ideal world, everyone would just have curl installed.

I know this is super hacky, but I'd really like instant commons to
work out of the box even without curl installed.

Note: I'm basing the php 5.6 part on documentation, I have not tested
this with a copy of that version of php.

Bug: T75199
Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
(cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6)
---
M includes/HttpFunctions.php
1 file changed, 20 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/28/234928/1

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 1fd437e..fd3a72f 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -883,7 +883,13 @@
}
 
if ( $this-sslVerifyHost ) {
-   $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+   // PHP 5.6.0 deprecates CN_match, in favour of 
peer_name which
+   // actually checks SubjectAltName properly.
+   if ( version_compare( PHP_VERSION, '5.6.0', '=' ) ) {
+   $options['ssl']['peer_name'] = 
$this-parsedUrl['host'];
+   } else {
+   $options['ssl']['CN_match'] = 
$this-parsedUrl['host'];
+   }
}
 
if ( is_dir( $this-caInfo ) ) {
@@ -909,6 +915,19 @@
wfRestoreWarnings();
 
if ( !$fh ) {
+   // HACK for instant commons.
+   // If we are contacting 
(commons|upload).wikimedia.org
+   // try again with CN_match for en.wikipedia.org
+   // as php does not handle SubjectAltName 
properly
+   // prior to peer_name option in php 5.6
+   if ( isset( $options['ssl']['CN_match'] )
+( $options['ssl']['CN_match'] === 
'commons.wikimedia.org'
+   || $options['ssl']['CN_match'] 
=== 'upload.wikimedia.org' )
+   ) {
+   $options['ssl']['CN_match'] = 
'en.wikipedia.org';
+   $context = stream_context_create( 
$options );
+   continue;
+   }
break;
}
 

-- 
To view, visit https://gerrit.wikimedia.org/r/234928
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_23
Gerrit-Owner: Gergő Tisza gti...@wikimedia.org
Gerrit-Reviewer: Brian Wolff bawolff...@gmail.com



[MediaWiki-commits] [Gerrit] Workaround fopen lack of SubjectAltName support for instantC... - change (mediawiki/core)

2015-07-01 Thread Brian Wolff (Code Review)
Brian Wolff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/222086

Change subject: Workaround fopen lack of SubjectAltName support for 
instantCommons
..

Workaround fopen lack of SubjectAltName support for instantCommons

Hacky work around, where on php < 5.6.0 where SubjectAltName is not
supported, if a request to commons.wikimedia.org fails, retry the
request but telling php fopen wrapper to treat it as if it came
from en.wikipedia.org for validation purposes, since as of
c02fab71422a that's what the common name of the cert will be.

In the ideal world, everyone would just have curl installed.

I know this is super hacky, but I'd really like instant commons to
work out of the box even without curl installed.

Note: I'm basing the php 5.6 part on documentation, I have not tested
this with a copy of that version of php.

Bug: T75199
Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
---
M includes/HttpFunctions.php
1 file changed, 20 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/86/222086/1

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 825cd06..2029092 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -912,7 +912,13 @@
}
 
if ( $this-sslVerifyHost ) {
-   $options['ssl']['CN_match'] = $this-parsedUrl['host'];
+   // PHP 5.6.0 deprecates CN_match, in favour of 
peer_name which
+   // actually checks SubjectAltName properly.
+   if ( version_compare( PHP_VERSION, '5.6.0', '=' ) ) {
+   $options['ssl']['peer_name'] = 
$this-parsedUrl['host'];
+   } else {
+   $options['ssl']['CN_match'] = 
$this-parsedUrl['host'];
+   }
}
 
if ( is_dir( $this-caInfo ) ) {
@@ -943,6 +949,19 @@
MediaWiki\restoreWarnings();
 
if ( !$fh ) {
+   // HACK for instant commons.
+   // If we are contacting 
(commons|upload).wikimedia.org
+   // try again with CN_match for en.wikipedia.org
+   // as php does not handle SubjectAltName 
properly
+   // prior to peer_name option in php 5.6
+   if ( isset( $options['ssl']['CN_match'] )
+( $options['ssl']['CN_match'] === 
'commons.wikimedia.org'
+   || $options['ssl']['CN_match'] 
=== 'upload.wikimedia.org' )
+   ) {
+   $options['ssl']['CN_match'] = 
'en.wikipedia.org';
+   $context = stream_context_create( 
$options );
+   continue;
+   }
break;
}
 

-- 
To view, visit https://gerrit.wikimedia.org/r/222086
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Brian Wolff bawolff...@gmail.com
