> If a subjectAltName extension of type dNSName is present, that MUST > be used as the identity. Otherwise, the (most specific) Common Name > field in the Subject field of the certificate MUST be used. Although > the use of the Common Name is existing practice, it is deprecated and > Certification Authorities are encouraged to use the dNSName instead.
I have a working patch locally that adds SAN verification pursuant to RFC 2818 as outlined here (mentioned by Ryan): http://tools.ietf.org/html/rfc2818#section-3.1 Usage looks like this: ``` $ctx = stream_context_create(['ssl' => [ 'verify_peer' => TRUE, 'cafile' => '/path/to/cacert.pem', 'SAN_required' => TRUE, // default 'SAN_match' => 'www.github.com' 'CN_match' => 'www.github.com' ]]); $uri = 'https://www.github.com/'; file_get_contents($uri, FALSE, $ctx); ``` The patch is strict. I.E. it follows the spec and *will* fail your SSL negotiation attempt (with a descriptive error message to explain why) if the remote peer provided a list of SAN names and you didn't specify an `SN_match` stream context option. If no SAN dNSNames are supplied by the peer the routine will fallback to the CN_match if specified. This behavior is emphasized with a *MUST* in the RFC (meaning PHP's current implementation is NOT compliant). I'm happy to bring the default behavior into line with the spec but we need to determine if people are okay with making things secure by default. This seems like a no-brainer to me as IMHO security should be prioritized over simplicity: > *I consider this a bug* I understand that it's easier to code not verifying > the > peer, and the hostname may not be available when you are stacking ssl over a > stream. > But file_get_contents("https://...";) is *precisely* the case that should work > right > out of the box. ^^ This. Before I can fully/cleanly implement these changes we need to decide if PHP wants to move to a secure-by-default model for streams utilizing the built in encryption wrappers. Thoughts? -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
