The patch includes code which is very similar but its functionality
goes just the other way around.

The original code takes remote CN and if that contains asterisk, it
tries to 'limited-wildcard-match' of CN_match against remote CN
(remote CN is the pattern in this case, if you will).

On the other hand, added code checks if CN_match contains asterisk and
if so, it does 'limited-wildcard-match' of REMOTE CN against CN_match
pattern.

The original version 'could' be enough if you are only considering PHP
as an SSL client.

Now, what I am trying to achieve is a whole standalone application
server written in PHP. That is, whole forking/process management etc
stuff. And I would like to set it up like this:
- it has an SSL listening socket
- set CN_match for listening socket to '*.example.org'
- create listening socket with stream_socket_server
All above in order to accept connections only from clients which
present themselves with appropriate certificate (based on cacert check
which works OK) and appropriate CN.

To illustrate the desired functionality:
- CNs host1.example.org and host2.example.org are OK,
- but not CN host3.otherdomain.org, even if it presents a certificate
from the same CA as the two above.
Was I clear enough now? :)
b.
PS: I've just discovered another issue. In the context of creating a
listening socket with stream_socket_create, again.

If a preceding SSL client has introduced itself with a client
certificate, and the current client does not, the
[ssl][peer_certificate] of the new socket's context options still
contains a reference to a resource of the preceding client's certificate.
Later, subsequent client connections without certificate do not
exhibit the same behaviour.
If the pattern reoccurs (... ---> client-with-cert  ---> followed by
client-without-cert), the story repeats.

There is also a memory leak in this - when I looped the client to
establish hundreds of sequential SSL connections, the resident
memory footprint of the php server process was ever increasing. When I
switched my App server to HTTP protocol and repeated the test the
memory leak was not present anymore. And I did openssl_x509_free()
call on peer_certificate resource upon client disconnect.

On 21 February 2010 00:05, Pierre Joye <pierre....@gmail.com> wrote:
> hi,
>
> Is it not supposed to work already? As your patch basically does what
> is done earlier in the code if match fails. If there is a bug in this
> area, we should fix instead of adding the same thing later :)
>
> I will check this issue next week.
>
> Btw, there is no chance to get this in 5.2.13 or 5.3.2 at this stage,
> it is too late in the process.
>
> Thanks for your work!
>
> Cheers,
>
> On Sat, Feb 20, 2010 at 8:56 PM, Bostjan Skufca <bost...@a2o.si> wrote:
>> Hi!
>>
>> I've created a patch that enables PHP to do "limited wildcard
>> matching" if CN_match option in stream context is specified as
>> '*.example.org'.
>> Also I have filed a bug report for this, here:
>> http://bugs.php.net/bug.php?id=51100
>>
>> Patch is here:
>> http://source.a2o.si/php/php-ext-openssl-CN_match-wildcard.diff
>>
>> It was made against 5.2.12 but I checked it with SVN:
>> - for 5.2 branch the offset is only +6 lines
>> - for trunk it is roughly +800 lines
>>
>> Can you include it in 5.2.13 release and 5.3? I know the former is
>> already in RC stage but this can't break anything, I believe.
>>
>> Best regards,
>> b.
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>
>
>
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
>
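The two directions of CN matching discussed in this thread, written out as an added example (not the patch itself and not PHP's ext/openssl code); the "limited wildcard" rule below (a single leading `*.`, standing for exactly one non-empty label, with at least one label after it) is an assumption read from the thread:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Limited wildcard match: PATTERN must be "*." followed by at least one
 * label, the '*' stands for exactly one non-empty label of NAME, and the
 * comparison is case-insensitive. So "*.example.org" accepts
 * host1.example.org but not a.b.example.org, example.org, or
 * host3.otherdomain.org. (Assumed rule, read from the thread.) */
static bool limited_wildcard_match(const char *pattern, const char *name)
{
    if (pattern[0] != '*' || pattern[1] != '.' || pattern[2] == '\0')
        return false;                       /* not a "*.suffix" pattern */
    if (strchr(pattern + 1, '*') != NULL)
        return false;                       /* only one wildcard, leftmost */
    const char *dot = strchr(name, '.');
    if (dot == NULL || dot == name)
        return false;                       /* NAME needs a first label */
    return strcasecmp(dot, pattern + 1) == 0; /* rest of NAME must equal suffix */
}

/* Which side may carry the wildcard is the point of the thread:
 *  - client role (original code): the remote server certificate's CN may be
 *    a wildcard that the configured CN_match has to fit;
 *  - server role (what the patch adds): the configured CN_match may be a
 *    wildcard that the remote client certificate's CN has to fit. */
static bool cn_matches(const char *cn_match, const char *remote_cn)
{
    if (strcasecmp(cn_match, remote_cn) == 0)
        return true;                        /* exact match first */
    if (remote_cn[0] == '*')
        return limited_wildcard_match(remote_cn, cn_match);
    if (cn_match[0] == '*')
        return limited_wildcard_match(cn_match, remote_cn);
    return false;
}

int main(void)
{
    /* The CNs from the thread, checked against CN_match = "*.example.org". */
    const char *peers[] = { "host1.example.org", "host2.example.org",
                            "host3.otherdomain.org", "a.host1.example.org" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-24s %s\n", peers[i],
               cn_matches("*.example.org", peers[i]) ? "accepted" : "rejected");
    return 0;
}
```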
