Package: php5-common
Version: 5.6.0~rc4+dfsg-4
Severity: normal
Tags: upstream
Dear Maintainer,

as PHP 5.6 enabled peer verification by default, I noticed that the verification does not account for the Subject Alternative Names within the certificate. Upstream already knows a bug about this: Bug #55236 Can't open a connection via TLS

The problem gets noticeable when you try to connect to an SSL-secured service via fsockopen() and the hostname used to connect differs from the certificate's Common Name. Take this example:

kandre@mainframe(pts/12) ~ % openssl s_client -starttls smtp -connect smtp.live.com:587 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - G2
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *.hotmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=*.hotmail.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---

OpenSSL is properly verifying the certificate and comes to the conclusion that the certificate

CN=*.hotmail.com, X509v3 Subject Alternative Name: DNS:*.hotmail.com, DNS:*.live.com, DNS:*.outlook.com, DNS:hotmail.com

is valid for smtp.live.com, but PHP fails to do so. This could break any application that connects to an SSL-secured service where the connection hostname is not directly within the CommonName field. From my perspective there is no workaround available except changing the hostname to connect to into one that is mentioned in the common name, which fails for the mentioned example, as Microsoft is (seemingly) not offering any alternative hostname.
Thanks and kind regards,
Andre

-- Package-specific info:
==== Additional PHP 5 information ====

++++ PHP 5 SAPI (php5query -S): ++++
cli
apache2

++++ PHP 5 Extensions (php5query -M -v): ++++
opcache (Enabled for cli by maintainer script)
opcache (Enabled for apache2 by maintainer script)
readline (Enabled for cli by maintainer script)
readline (Enabled for apache2 by maintainer script)
yaml (Enabled for cli by local administrator)
yaml (Enabled for apache2 by local administrator)
pdo (Enabled for cli by maintainer script)
pdo (Enabled for apache2 by maintainer script)
json (Enabled for cli by maintainer script)
json (Enabled for apache2 by maintainer script)

++++ Configuration files: ++++
**** /etc/php5/mods-available/pdo.ini ****
extension=pdo.so

**** /etc/php5/mods-available/opcache.ini ****
zend_extension=opcache.so

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5 depends on:
ii  libapache2-mod-php5  5.6.0~rc4+dfsg-4
ii  php5-common          5.6.0~rc4+dfsg-4

php5 recommends no packages.

php5 suggests no packages.

Versions of packages php5-common depends on:
ii  libc6   2.19-9
ii  lsof    4.86+dfsg-1
ii  psmisc  22.21-2
ii  sed     4.2.2-4
ii  ucf     3.0030

Versions of packages php5-common suggests:
pn  php5-user-cache  <none>

-- no debconf information
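The check the reporter expected from PHP's peer verification, written out as an added example (this is not code from the bug report, from Debian or from PHP itself): the connection hostname is compared against the certificate's Subject Alternative Name DNS entries, with wildcard handling restricted to a single left-most label, and the Common Name is consulted only when no SAN DNS entries exist. The certificate array is constructed inline from the values in the openssl s_client output above and has the shape that openssl_x509_parse() returns; PHP 7 or later is assumed for the `??` operator.

```php
<?php
// Added example: hostname verification that honours subjectAltName entries.
// $cert has the shape returned by openssl_x509_parse(); the instance at the
// bottom is constructed from the certificate shown in the bug report.

// Collect the DNS entries of the subjectAltName extension, lower-cased.
function san_dns_names(array $cert): array
{
    $san = $cert['extensions']['subjectAltName'] ?? '';
    $names = [];
    foreach (explode(',', $san) as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = strtolower(substr($entry, 4));
        }
    }
    return $names;
}

// Match one presented name against the host. A wildcard is accepted only as
// the complete left-most label, it must be followed by at least two labels,
// and it never spans a dot: "*.live.com" matches "smtp.live.com" but not
// "live.com" or "a.b.live.com".
function name_matches(string $pattern, string $host): bool
{
    $pattern = strtolower($pattern);
    $host = strtolower(rtrim($host, '.'));
    if (strpos($pattern, '*') === false) {
        return $pattern === $host;
    }
    if (substr_count($pattern, '*') !== 1 || strpos($pattern, '*.') !== 0) {
        return false;
    }
    $patternLabels = explode('.', $pattern);
    $hostLabels = explode('.', $host);
    if (count($patternLabels) < 3 || count($patternLabels) !== count($hostLabels)) {
        return false;
    }
    // Same number of labels: everything after the first label must be equal,
    // and the host's first label must not be empty.
    return array_slice($patternLabels, 1) === array_slice($hostLabels, 1)
        && $hostLabels[0] !== '';
}

// RFC 6125 section 6.4.4: once a subjectAltName extension carrying DNS names
// is present, the Common Name is not consulted at all.
function hostname_matches_certificate(string $host, array $cert): bool
{
    $sans = san_dns_names($cert);
    if ($sans !== []) {
        foreach ($sans as $san) {
            if (name_matches($san, $host)) {
                return true;
            }
        }
        return false;
    }
    $cn = $cert['subject']['CN'] ?? '';
    return $cn !== '' && name_matches($cn, $host);
}

// Constructed from the certificate in the report's openssl s_client output.
$cert = [
    'subject' => [
        'C' => 'US', 'ST' => 'Washington', 'L' => 'Redmond',
        'O' => 'Microsoft Corporation', 'CN' => '*.hotmail.com',
    ],
    'extensions' => [
        'subjectAltName' => 'DNS:*.hotmail.com, DNS:*.live.com, DNS:*.outlook.com, DNS:hotmail.com',
    ],
];

// smtp.live.com and hotmail.com are covered by the SAN list; live.com is not
// (a wildcard does not match the bare parent domain), nor is an unrelated host.
foreach (['smtp.live.com', 'hotmail.com', 'live.com', 'mail.example.org'] as $host) {
    printf("%-18s %s\n", $host,
        hostname_matches_certificate($host, $cert) ? 'matches' : 'does not match');
}
```

On a live connection the same array is obtained by enabling the `capture_peer_cert` SSL context option on the stream, reading the certificate back from `stream_context_get_params($stream)['options']['ssl']['peer_certificate']` and passing it to `openssl_x509_parse()`; running it through `hostname_matches_certificate()` then shows whether the name PHP refused is in fact covered by the certificate's SANs, which is the quickest way to tell a genuine mismatch from the behaviour described in this report.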