Newsgroups: php.internals
Xref: news.php.net php.internals:69225
Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit
From: rdlowrey@gmail.com (Daniel Lowrey)
To: Ryan McCue
Cc: Tjerk Anne Meesters, Ángel González, johannes@schlueters.dot.de, addw@phcomp.dot.co.uk, internals@lists.php.net
Date: Thu, 19 Sep 2013 02:49:09 -0400
In-Reply-To: <523A987B.3040506@rotorised.com>

> To be clear, I *don't* mean SNI, I mean subjectAltName (SAN) validation.

Ah, apologies for the SNI/SAN confusion. However, I still cannot reproduce this failure when verifying peers with certs utilizing the SAN extension. Could you supply a code snippet demonstrating this failure?

On Thu, Sep 19, 2013 at 2:23 AM, Ryan McCue wrote:
> Daniel Lowrey wrote:
> > This is incorrect. PHP has supported both the "SNI_enabled" and
> > "SNI_server_name" SSL context options since 5.3. Anything older than 5.3
> > is not remotely worth worrying over. You can verify this for yourself
> > using the following code:
>
> To be clear, I *don't* mean SNI, I mean subjectAltName (SAN) validation.
>
> The common name field (CN) contains the domain name for normal
> certificates, but you can have more than one domain per certificate. If
> you do that, it's stored in the subjectAltName (SAN) field. PHP only
> parses the CN, not the SAN, so any domain that isn't the main domain in
> the CN will fail.
>
> As per RFC 2818 (http://tools.ietf.org/html/rfc2818#section-3.1):
>
> > If a subjectAltName extension of type dNSName is present, that MUST
> > be used as the identity. Otherwise, the (most specific) Common Name
> > field in the Subject field of the certificate MUST be used. Although
> > the use of the Common Name is existing practice, it is deprecated and
> > Certification Authorities are encouraged to use the dNSName instead.
>
> --
> Ryan McCue
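An added example, not code from the thread: a userland identity check that follows the RFC 2818 order Ryan quotes (dNSName SANs first, the CN only as a fallback), applied to a peer certificate captured through the stream context options Daniel refers to. It assumes PHP 5.3+ with ext/openssl and a caller-supplied CA bundle path (`cafile`), since pre-5.6 PHP ships no default trust store; the function names and the `$cafile` parameter are this example's own.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.3+ with ext/openssl.
// openssl_x509_parse() renders subjectAltName as "DNS:a.example, DNS:b.example, ..."
function san_dns_names(array $parsed)
{
    $san = isset($parsed['extensions']['subjectAltName']) ? $parsed['extensions']['subjectAltName'] : '';
    $names = array();
    foreach (explode(',', $san) as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = strtolower(substr($entry, 4));
        }
    }
    return $names;
}

// Identity check in the RFC 2818 order: dNSName SANs if present, otherwise the CN.
// A wildcard is honoured only as the whole leftmost label and matches exactly one label.
function host_matches_cert($host, array $parsed)
{
    $host = strtolower($host);
    $candidates = san_dns_names($parsed);
    if (!$candidates && isset($parsed['subject']['CN'])) {
        $candidates = array(strtolower($parsed['subject']['CN']));
    }
    foreach ($candidates as $name) {
        if ($name === $host || (substr($name, 0, 2) === '*.' && substr_count($host, '.') >= 2
            && substr($host, strpos($host, '.')) === substr($name, 1))) {
            return true;
        }
    }
    return false;
}

// Connect with SNI and capture the peer certificate. CN_match is deliberately left out so a
// SAN-only certificate reaches the check above instead of being rejected by PHP's CN-only test.
function verify_peer_identity($host, $cafile, $port = 443)
{
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer' => true, 'capture_peer_cert' => true, 'cafile' => $cafile,
        'SNI_enabled' => true, 'SNI_server_name' => $host,
    )));
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if (!$fp) {
        return false;
    }
    $params = stream_context_get_params($ctx);
    fclose($fp);
    return host_matches_cert($host, openssl_x509_parse($params['options']['ssl']['peer_certificate']));
}
```

`verify_peer_identity('www.example.com', '/path/to/ca-bundle.crt')` (placeholder host and path) returns true only when the chain validates against the bundle and the hostname appears among the dNSName SANs, or in the CN when the certificate carries no dNSName SAN at all.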