Debian Bug report logs - #759501
php5: TLS/SSL connections do not honour the SubjectAltName within certificates

version graph

Package: php5-common; Maintainer for php5-common is (unknown);

Reported by: Andre Klärner <kandre@ak-online.be>

Date: Wed, 27 Aug 2014 19:36:01 UTC

Severity: normal

Tags: moreinfo, upstream

Found in version php5/5.6.0~rc4+dfsg-4

Done: Ondřej Surý <ondrej@sury.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.php.net/bug.php?id=68265

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#759501; Package php5-common. (Wed, 27 Aug 2014 19:36:06 GMT) (full text, mbox, link).

Acknowledgement sent to Andre Klärner <kandre@ak-online.be>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 27 Aug 2014 19:36:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Andre Klärner <kandre@ak-online.be>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5: TLS/SSL connections do not honour the SubjectAltName within certificates
Date: Wed, 27 Aug 2014 21:16:33 +0200
Package: php5-common
Version: 5.6.0~rc4+dfsg-4
Severity: normal
Tags: upstream

Dear Maintainer,

as PHP5.6 enabled peer verification by default I noticed that the
verification does not account the Subject Alternative Names within the
certificate. Upstream knows already a bug to this:
  Bug #55236	Can't open a connection via TLS

The problem get noticeable, when you try to connect to an SSL secured
service via fsockopen() and the hostname used to connect is differing
from the certificates Common Name. Take this example:

kandre@mainframe(pts/12) ~ % openssl s_client -starttls smtp -connect smtp.live.com:587 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - G2
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *.hotmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=*.hotmail.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---

Openssl is properly verifying the certificate and comes to the
conclusion, that the certificate CN=*.hotmail.com,X509v3 Subject
Alternative Name: DNS:*.hotmail.com, DNS:*.live.com, DNS:*.outlook.com,
DNS:hotmail.com is valid for smtp.live.com, but php fails to do so.

This could break any application that connects to a SSL secured service
where the connection hostname is not directly within the CommonName
field. From my perspective there is no workaround available except
changing the hostname to connect to into one that is mentioned in the
common name, which fails for the mentioned example, as Microsoft is
(seemingly) not offering any alternative hostname.

Thanks and kind regards,
Andre


-- Package-specific info:
==== Additional PHP 5 information ====

++++ PHP 5 SAPI (php5query -S): ++++
cli
apache2

++++ PHP 5 Extensions (php5query -M -v): ++++
opcache (Enabled for cli by maintainer script)
opcache (Enabled for apache2 by maintainer script)
readline (Enabled for cli by maintainer script)
readline (Enabled for apache2 by maintainer script)
yaml (Enabled for cli by local administrator)
yaml (Enabled for apache2 by local administrator)
pdo (Enabled for cli by maintainer script)
pdo (Enabled for apache2 by maintainer script)
json (Enabled for cli by maintainer script)
json (Enabled for apache2 by maintainer script)

++++ Configuration files: ++++
**** /etc/php5/mods-available/pdo.ini ****
extension=pdo.so

**** /etc/php5/mods-available/opcache.ini ****
zend_extension=opcache.so


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5 depends on:
ii  libapache2-mod-php5  5.6.0~rc4+dfsg-4
ii  php5-common          5.6.0~rc4+dfsg-4

php5 recommends no packages.

php5 suggests no packages.

Versions of packages php5-common depends on:
ii  libc6   2.19-9
ii  lsof    4.86+dfsg-1
ii  psmisc  22.21-2
ii  sed     4.2.2-4
ii  ucf     3.0030

Versions of packages php5-common suggests:
pn  php5-user-cache  <none>

-- no debconf information

Set Bug forwarded-to-address to 'https://bugs.php.net/bug.php?id=55236'. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Thu, 28 Aug 2014 09:12:05 GMT) (full text, mbox, link).

Unset Bug forwarded-to-address Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Thu, 28 Aug 2014 12:51:05 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#759501; Package php5-common. (Thu, 28 Aug 2014 12:54:05 GMT) (full text, mbox, link).

Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 28 Aug 2014 12:54:05 GMT) (full text, mbox, link).

Message #14 received at 759501@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>
To: Andre Klärner <kandre@ak-online.be>, 759501@bugs.debian.org
Subject: Re: [php-maint] Bug#759501: php5: TLS/SSL connections do not honour the SubjectAltName within certificates
Date: Thu, 28 Aug 2014 14:50:18 +0200
Control: tags -1 +moreinfo

Andre,

I am afraid you will need to provide a test case, since I am not able
to reproduce your problem with my SNI subAltName cert:

<?php

// should work...
$conn = fsockopen("tls://deb.sury.org:443");

// this should not work, but works...
$conn = fsockopen("tls://sury.org:443");

?>

works like expected.

And the used certificate matches your use case:

[...]
        Subject: description=7hl6z4SJ5DXjO6a5, C=CZ,
        CN=deb.sury.org/emailAddress=f45c5fa85f3aa1c242afbabf6f49ceb348318220@whois.gkg.net
[...]
            X509v3 Subject Alternative Name: 
                DNS:deb.sury.org, DNS:sury.org
[...]

Please provide a clear PHP test case that can reproduce your problem.

Cheers,
Ondrej

On Wed, Aug 27, 2014, at 21:16, Andre Klärner wrote:
> Package: php5-common
> Version: 5.6.0~rc4+dfsg-4
> Severity: normal
> Tags: upstream
> 
> Dear Maintainer,
> 
> as PHP5.6 enabled peer verification by default I noticed that the
> verification does not account the Subject Alternative Names within the
> certificate. Upstream knows already a bug to this:
>   Bug #55236      Can't open a connection via TLS
> 
> The problem get noticeable, when you try to connect to an SSL secured
> service via fsockopen() and the hostname used to connect is differing
> from the certificates Common Name. Take this example:
> 
> kandre@mainframe(pts/12) ~ % openssl s_client -starttls smtp -connect
> smtp.live.com:587 -CApath /etc/ssl/certs
> CONNECTED(00000003)
> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root
> CA
> verify return:1
> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization
> Validation CA - G2
> verify return:1
> depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation,
> CN = *.hotmail.com
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft
>  Corporation/CN=*.hotmail.com
>    i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
>    G2
>  1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
>  G2
>    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
> ---
> 
> Openssl is properly verifying the certificate and comes to the
> conclusion, that the certificate CN=*.hotmail.com,X509v3 Subject
> Alternative Name: DNS:*.hotmail.com, DNS:*.live.com, DNS:*.outlook.com,
> DNS:hotmail.com is valid for smtp.live.com, but php fails to do so.
> 
> This could break any application that connects to a SSL secured service
> where the connection hostname is not directly within the CommonName
> field. From my perspective there is no workaround available except
> changing the hostname to connect to into one that is mentioned in the
> common name, which fails for the mentioned example, as Microsoft is
> (seemingly) not offering any alternative hostname.
> 
> Thanks and kind regards,
> Andre
> 
> 
> -- Package-specific info:
> ==== Additional PHP 5 information ====
> 
> ++++ PHP 5 SAPI (php5query -S): ++++
> cli
> apache2
> 
> ++++ PHP 5 Extensions (php5query -M -v): ++++
> opcache (Enabled for cli by maintainer script)
> opcache (Enabled for apache2 by maintainer script)
> readline (Enabled for cli by maintainer script)
> readline (Enabled for apache2 by maintainer script)
> yaml (Enabled for cli by local administrator)
> yaml (Enabled for apache2 by local administrator)
> pdo (Enabled for cli by maintainer script)
> pdo (Enabled for apache2 by maintainer script)
> json (Enabled for cli by maintainer script)
> json (Enabled for apache2 by maintainer script)
> 
> ++++ Configuration files: ++++
> **** /etc/php5/mods-available/pdo.ini ****
> extension=pdo.so
> 
> **** /etc/php5/mods-available/opcache.ini ****
> zend_extension=opcache.so
> 
> 
> -- System Information:
> Debian Release: jessie/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
>   'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 3.16-rc6-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages php5 depends on:
> ii  libapache2-mod-php5  5.6.0~rc4+dfsg-4
> ii  php5-common          5.6.0~rc4+dfsg-4
> 
> php5 recommends no packages.
> 
> php5 suggests no packages.
> 
> Versions of packages php5-common depends on:
> ii  libc6   2.19-9
> ii  lsof    4.86+dfsg-1
> ii  psmisc  22.21-2
> ii  sed     4.2.2-4
> ii  ucf     3.0030
> 
> Versions of packages php5-common suggests:
> pn  php5-user-cache  <none>
> 
> -- no debconf information
> 
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint


-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Added tag(s) moreinfo. Request was from Ondřej Surý <ondrej@sury.org> to 759501-submit@bugs.debian.org. (Thu, 28 Aug 2014 12:54:05 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#759501; Package php5-common. (Thu, 28 Aug 2014 18:12:15 GMT) (full text, mbox, link).

Acknowledgement sent to Andre Klärner <kandre@ak-online.be>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 28 Aug 2014 18:12:15 GMT) (full text, mbox, link).

Message #21 received at 759501@bugs.debian.org (full text, mbox, reply):

From: Andre Klärner <kandre@ak-online.be>
To: Ondřej Surý <ondrej@sury.org>
Cc: 759501@bugs.debian.org
Subject: Re: [php-maint] Bug#759501: php5: TLS/SSL connections do not honour the SubjectAltName within certificates
Date: Thu, 28 Aug 2014 19:25:20 +0200
[Message part 1 (text/plain, inline)]
Hi Ondřej,

I attached an example script that demonstrates the issue. Feel free to run
tests against my server. Please note that I use CAcert.org certificates, so
make sure you provide the root certificates for CAcert.org to PHP (example
included)

The output on my machines is:
kandre@mainframe(pts/14) ~ % ./ssl-test-debs.php
trying to connect to ssl://debs.ak-online.be
PHP Warning:  fsockopen(): Peer certificate CN=`debs.ak-online.net' did not match expected CN=`debs.ak-online.be' in /media/Jen/kandre/ssl-test-debs.php on line 8
 PHP Warning:  fsockopen(): Failed to enable crypto in /media/Jen/kandre/ssl-test-debs.php on line 8
PHP Warning:  fsockopen(): unable to connect to ssl://debs.ak-online.be:993 (Unknown error) in /media/Jen/kandre/ssl-test-debs.php on line 8 (0)
trying to connect to ssl://debs.ak-online.net
connection succeeded

Kind regards,
Andre

-- 
Andre Klärner

[ssl-test-debs.php (text/plain, attachment)]
[smime.p7s (application/x-pkcs7-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#759501; Package php5-common. (Sun, 19 Oct 2014 13:03:04 GMT) (full text, mbox, link).

Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 19 Oct 2014 13:03:04 GMT) (full text, mbox, link).

Message #26 received at 759501@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>
To: Andre Klärner <kandre@ak-online.be>
Cc: 759501@bugs.debian.org
Subject: Re: [php-maint] Bug#759501: Bug#759501: php5: TLS/SSL connections do not honour the SubjectAltName within certificates
Date: Sun, 19 Oct 2014 14:59:14 +0200
Control: forwarded -1 https://bugs.php.net/bug.php?id=68265

Andre,

thank you for the test case, I have successfully repeated your problem
in PHP 5.6.2 and forwarded the issue to the upstream. Hopefully they
will fix it before the final Debian release. Sorry it took so long, I
just didn't have enough time.

Cheers,
Ondrej

On Thu, Aug 28, 2014, at 19:25, Andre Klärner wrote:
> Hi Ondřej,
> 
> I attached an example script that demonstrates the issue. Feel free to
> run
> tests against my server. Please note that I use CAcert.org certificates,
> so
> make sure you provide the root certificates for CAcert.org to PHP
> (example
> included)
> 
> The output on my machines is:
> kandre@mainframe(pts/14) ~ % ./ssl-test-debs.php
> trying to connect to ssl://debs.ak-online.be
> PHP Warning:  fsockopen(): Peer certificate CN=`debs.ak-online.net' did
> not match expected CN=`debs.ak-online.be' in
> /media/Jen/kandre/ssl-test-debs.php on line 8
>  PHP Warning:  fsockopen(): Failed to enable crypto in
>  /media/Jen/kandre/ssl-test-debs.php on line 8
> PHP Warning:  fsockopen(): unable to connect to
> ssl://debs.ak-online.be:993 (Unknown error) in
> /media/Jen/kandre/ssl-test-debs.php on line 8 (0)
> trying to connect to ssl://debs.ak-online.net
> connection succeeded
> 
> Kind regards,
> Andre
> 
> -- 
> Andre Klärner
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
> Email had 2 attachments:
> + ssl-test-debs.php
>   1k (text/plain)
> + smime.p7s
>   6k (application/x-pkcs7-signature)


-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Set Bug forwarded-to-address to 'https://bugs.php.net/bug.php?id=68265'. Request was from Ondřej Surý <ondrej@sury.org> to 759501-submit@bugs.debian.org. (Sun, 19 Oct 2014 13:03:04 GMT) (full text, mbox, link).

Reply sent to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility. (Wed, 27 Jan 2016 11:03:10 GMT) (full text, mbox, link).

Notification sent to Andre Klärner <kandre@ak-online.be>:
Bug acknowledged by developer. (Wed, 27 Jan 2016 11:03:10 GMT) (full text, mbox, link).

Message #33 received at 759501-done@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>
To: Andre Klärner <kandre@ak-online.be>
Cc: 759501-done@bugs.debian.org
Subject: Re: [php-maint] Bug#759501: Bug#759501: php5: TLS/SSL connections do not honour the SubjectAltName within certificates
Date: Wed, 27 Jan 2016 11:58:48 +0100
Version: php5/5.6.7+dfsg-1

Fixed upstream quite a long time ago.

-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

On Sun, Oct 19, 2014, at 13:59, Ondřej Surý wrote:
> Control: forwarded -1 https://bugs.php.net/bug.php?id=68265
> 
> Andre,
> 
> thank you for the test case, I have successfully repeated your problem
> in PHP 5.6.2 and forwarded the issue to the upstream. Hopefully they
> will fix it before the final Debian release. Sorry it took so long, I
> just didn't have enough time.
> 
> Cheers,
> Ondrej
> 
> On Thu, Aug 28, 2014, at 19:25, Andre Klärner wrote:
> > Hi Ondřej,
> > 
> > I attached an example script that demonstrates the issue. Feel free to
> > run
> > tests against my server. Please note that I use CAcert.org certificates,
> > so
> > make sure you provide the root certificates for CAcert.org to PHP
> > (example
> > included)
> > 
> > The output on my machines is:
> > kandre@mainframe(pts/14) ~ % ./ssl-test-debs.php
> > trying to connect to ssl://debs.ak-online.be
> > PHP Warning:  fsockopen(): Peer certificate CN=`debs.ak-online.net' did
> > not match expected CN=`debs.ak-online.be' in
> > /media/Jen/kandre/ssl-test-debs.php on line 8
> >  PHP Warning:  fsockopen(): Failed to enable crypto in
> >  /media/Jen/kandre/ssl-test-debs.php on line 8
> > PHP Warning:  fsockopen(): unable to connect to
> > ssl://debs.ak-online.be:993 (Unknown error) in
> > /media/Jen/kandre/ssl-test-debs.php on line 8 (0)
> > trying to connect to ssl://debs.ak-online.net
> > connection succeeded
> > 
> > Kind regards,
> > Andre
> > 
> > -- 
> > Andre Klärner
> > _______________________________________________
> > pkg-php-maint mailing list
> > pkg-php-maint@lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
> > Email had 2 attachments:
> > + ssl-test-debs.php
> >   1k (text/plain)
> > + smime.p7s
> >   6k (application/x-pkcs7-signature)
> 
> 
> -- 
> Ondřej Surý <ondrej@sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 25 Feb 2016 07:25:00 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 00:47:37 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.