Newsgroups: php.internals
Xref: news.php.net php.internals:69224
Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit
From: lists@rotorised.com (Ryan McCue)
To: Daniel Lowrey
CC: Tjerk Anne Meesters, Ángel González, johannes@schlueters.dot.de, addw@phcomp.dot.co.uk, "internals@lists.php.net"
Date: Thu, 19 Sep 2013 16:23:55 +1000
Message-ID: <523A987B.3040506@rotorised.com>
References: <523A466C.4070903@gmail.com>

Daniel Lowrey wrote:
> This is incorrect. PHP has supported both the "SNI_enabled" and
> "SNI_server_name" SSL context options since 5.3. Anything older than 5.3
> is not remotely worth worrying over. You can verify this for yourself
> using the following code:

To be clear, I *don't* mean SNI, I mean subjectAltName (SAN) validation.

The common name field (CN) contains the domain name for normal
certificates, but you can have more than one domain per certificate. If you
do that, it's stored in the subjectAltName (SAN) field. PHP only parses the
CN, not the SAN, so any domain that isn't the main domain in the CN will
fail.

As per RFC 2818 (http://tools.ietf.org/html/rfc2818#section-3.1):

> If a subjectAltName extension of type dNSName is present, that MUST
> be used as the identity. Otherwise, the (most specific) Common Name
> field in the Subject field of the certificate MUST be used. Although
> the use of the Common Name is existing practice, it is deprecated and
> Certification Authorities are encouraged to use the dNSName instead.

--
Ryan McCue
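The difference Ryan is describing, written out as an added example that is not part of the thread and not PHP's own verification code: a CN-only check (the behaviour he attributes to PHP) next to the RFC 2818 section 3.1 rule, where any dNSName entry in subjectAltName is the identity and the CN is only a fallback when no such entry exists. The certificates are hand-constructed dicts whose shape is an assumption borrowed from Python's `ssl.SSLSocket.getpeercert()` (`subject` as a tuple of RDNs, `subjectAltName` as `(type, value)` pairs); the wildcard rule implemented is the single-leftmost-label form, which goes slightly beyond the RFC text quoted above.

```python
"""RFC 2818 section 3.1 host identity matching versus a CN-only check.

Added example, not code from the php.internals thread or from PHP itself.
Certificate dicts are constructed by hand and mirror the layout returned by
Python's ssl.SSLSocket.getpeercert() (an assumption about input shape only).
"""


def _dns_names_from_san(cert):
    """All dNSName entries of the subjectAltName extension, if any."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """Every commonName attribute in the subject, in certificate order."""
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def _name_matches(pattern, host):
    """Case-insensitive exact match, or a '*' standing in for the leftmost
    label only (one label, and never for the registrable domain itself)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Reject '*' anywhere but the first label, and patterns like '*.com'.
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_cn_only(cert, host):
    """The behaviour the mail describes: only the CN is ever consulted, so a
    host that lives solely in the SAN list is rejected."""
    return any(_name_matches(cn, host) for cn in _common_names(cert))


def match_rfc2818(cert, host):
    """RFC 2818 s3.1: if any dNSName SAN is present it MUST be the identity
    (the CN is then ignored entirely); otherwise fall back to the most
    specific, i.e. last, commonName in the subject."""
    san_names = _dns_names_from_san(cert)
    if san_names:
        return any(_name_matches(name, host) for name in san_names)
    cns = _common_names(cert)
    return bool(cns) and _name_matches(cns[-1], host)


# Constructed certificates (not real certificates).
# Multi-domain cert: the CN repeats the first SAN, as CAs usually issue them.
MULTI_DOMAIN_CERT = {
    "subject": ((("countryName", "AU"),), (("commonName", "example.com"),)),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "www.example.com"),
        ("DNS", "*.api.example.com"),
    ),
}
# Legacy cert with no SAN at all: the CN is the only identity available.
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.net"),),)}
# SAN present but the CN names a host the SAN list does not: RFC 2818 says
# the CN must be ignored here, while a CN-only check would accept it.
CN_NOT_IN_SAN_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNS", "cdn.example.org"),),
}


if __name__ == "__main__":
    for cert_name, cert, host in (
        ("multi-domain", MULTI_DOMAIN_CERT, "www.example.com"),
        ("cn-only", CN_ONLY_CERT, "legacy.example.net"),
        ("cn-not-in-san", CN_NOT_IN_SAN_CERT, "example.org"),
    ):
        print(f"{cert_name:14s} {host:20s} cn_only={match_cn_only(cert, host)!s:5s} "
              f"rfc2818={match_rfc2818(cert, host)}")
```

The first row is the failure mode from the mail: `www.example.com` is a perfectly valid name for the multi-domain certificate, but a CN-only check rejects it. The third row shows the opposite hazard of a CN-only check: once a SAN extension with dNSName entries is present, the CN carries no identity at all, so accepting `example.org` from the CN there is a false positive that RFC 2818 rules out.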