Newsgroups: php.internals
From: bostjan@a2o.si (Bostjan Skufca)
To: Pierre Joye
Cc: internals@lists.php.net, wez@php.net, kingwez@gmail.com, pajoye@php.net
Date: Sun, 21 Feb 2010 01:45:10 +0100
Message-ID: <7b9883441002201645u70965031jb7fd3098324a00db@mail.gmail.com>
References: <7b9883441002201156i462221ccked6f1c0aa0b49b56@mail.gmail.com>
Subject: Re: [PHP-DEV] Patch for ext/openssl to support CN_match with asterisk

The patch includes code which is very similar, but its functionality goes just the other way around. The original code takes the remote CN and, if that contains an asterisk, it tries to 'limited-wildcard-match' CN_match against the remote CN (the remote CN is the pattern in this case, if you will). On the other hand, the added code checks if CN_match contains an asterisk and, if so, it does a 'limited-wildcard-match' of the REMOTE CN against the CN_match pattern.

The original version 'could' be enough if you are only considering PHP as an SSL client. Now, what I am trying to achieve is a whole standalone application server written in PHP. That is, the whole forking/process management etc. stuff. And I would like to set it up like this:
- it has an SSL listening socket
- set CN_match for the listening socket to '*.example.org'
- create the listening socket with stream_socket_server

All of the above in order to accept connections only from clients which present themselves with an appropriate certificate (based on the cacert check, which works OK) and an appropriate CN. To illustrate the desired functionality:
- CNs host1.example.org and host2.example.org are OK,
- but not CN host3.otherdomain.org, even if it presents a certificate from the same CA as the two above.

Was I clear enough now? :)

b.

PS: I've just discovered another issue. In the context of creating a listening socket with stream_socket_create, again. If a preceding SSL client has introduced itself with a client certificate, and the current client does not, the [ssl][peer_certificate] of the new socket's context options still contains a reference to a resource of the preceding client's certificate. Later, subsequent client connections without a certificate do not exhibit the same behaviour. If the pattern reoccurs (... ---> client-with-cert ---> followed by client-without-cert), the story repeats.

There is also a memory leak in this - when I looped the client to establish hundreds of sequential SSL connections, the resident memory footprint of the PHP server process was ever increasing. When I switched my app server to the HTTP protocol and repeated the test, the memory leak was not present anymore. And I did call openssl_x509_free() on the peer_certificate resource upon client disconnect.

On 21 February 2010 00:05, Pierre Joye wrote:
> hi,
>
> Is it not supposed to work already? As your patch basically does what
> is done earlier in the code if match fails. If there is a bug in this
> area, we should fix it instead of adding the same thing later :)
>
> I will check this issue next week.
>
> Btw, there is no chance to get this in 5.2.13 or 5.3.2 at this stage,
> it is too late in the process.
>
> Thanks for your work!
>
> Cheers,
>
> On Sat, Feb 20, 2010 at 8:56 PM, Bostjan Skufca wrote:
>> Hi!
>>
>> I've created a patch that enables PHP to do "limited wildcard
>> matching" if the CN_match option in the stream context is specified as
>> '*.example.org'.
>> Also I have filed a bug report for this, here:
>> http://bugs.php.net/bug.php?id=51100
>>
>> The patch is here:
>> http://source.a2o.si/php/php-ext-openssl-CN_match-wildcard.diff
>>
>> It was made against 5.2.12, but I checked it with SVN:
>> - for the 5.2 branch the offset is only +6 lines
>> - for trunk it is cca +800 lines
>>
>> Can you include it in the 5.2.13 release and 5.3? I know the former is
>> already in RC stage, but this can't break anything, I believe.
>>
>> Best regards,
>> b.
>
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
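To make the "limited wildcard match" discussed above concrete, here is an added example in C; it is not the patch from the thread and not PHP's ext/openssl code. It implements the rule the message describes (a single '*' that may only stand as the leftmost label and matches exactly one label) and then combines both directions: the remote CN holding the wildcard (the pre-patch, PHP-as-client case) and CN_match holding the wildcard (the PHP-as-server case the patch adds). The function names `limited_wildcard_match` and `cn_match_accepts`, the refusal of patterns such as `*.org`, and the sample CNs are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: DNS names compare case-insensitively */

/* Added example, not PHP's ext/openssl code: a "limited wildcard" matcher in
 * the spirit described in the thread. The pattern may contain one '*' and only
 * as its leftmost label ("*.example.org"); that label matches exactly one DNS
 * label of the name, so "a.b.example.org" does not match. Patterns with fewer
 * than two labels after the wildcard ("*.org") are refused (assumption of this
 * example) so a wildcard can never cover a whole TLD.
 * Returns 1 on match, 0 otherwise. */
int limited_wildcard_match(const char *pattern, const char *name)
{
    if (strcasecmp(pattern, name) == 0)
        return 1;                              /* plain equality */
    if (strlen(pattern) < 3 || pattern[0] != '*' || pattern[1] != '.')
        return 0;                              /* not a supported wildcard form */
    if (strchr(pattern + 2, '.') == NULL)
        return 0;                              /* refuse "*.org" style patterns */
    const char *suffix = pattern + 1;          /* ".example.org" */
    const char *dot = strchr(name, '.');
    if (dot == NULL || dot == name)
        return 0;                              /* name needs a non-empty first label */
    if (memchr(name, '*', (size_t)(dot - name)) != NULL)
        return 0;                              /* a wildcard label never matches another wildcard */
    return strcasecmp(dot, suffix) == 0;       /* the rest must equal the suffix exactly */
}

/* Hypothetical helper combining both directions from the thread:
 *  - remote CN holds the wildcard: PHP as a client talking to a server whose
 *    certificate CN is "*.example.org" (the pre-patch behaviour);
 *  - CN_match holds the wildcard: PHP as a server that only admits client
 *    certificates issued under "*.example.org" (the behaviour the patch adds). */
int cn_match_accepts(const char *cn_match, const char *remote_cn)
{
    if (strcasecmp(cn_match, remote_cn) == 0)
        return 1;
    if (remote_cn[0] == '*' && limited_wildcard_match(remote_cn, cn_match))
        return 1;
    if (cn_match[0] == '*' && limited_wildcard_match(cn_match, remote_cn))
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample CNs following the scenario in the message. */
    const char *cn_match = "*.example.org";
    const char *peers[] = { "host1.example.org", "host2.example.org",
                            "host3.otherdomain.org", "a.host1.example.org",
                            "example.org" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("CN_match %-14s peer CN %-22s -> %s\n", cn_match, peers[i],
               cn_match_accepts(cn_match, peers[i]) ? "accept" : "reject");
    return 0;
}
```

Note the design choice in `cn_match_accepts`: the leading exact comparison means a client presenting a certificate whose CN is itself `*.example.org` is admitted by a server configured with that same CN_match, so a deployment that wants to admit only single-host certificates would need to reject any remote CN containing '*' before the wildcard branches run.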