CN_match works contrary to intuitive thinking. I came across this when I was developing SSL server implemented in PHP. I stated (in code):
- do not allow self signed certs (works)
- verify peer certs against CA cert (works)
- verify the client's CN against CN_match (does not work), like this:
stream_context_set_option($context, 'ssl', 'CN_match', '*.example.org');
I presumed this would match any client with CN below .example.org domain.
Unfortunately this is NOT the case. The option above does not do that.
What it really does is this:
- it takes client's CN and compares it to CN_match
- IF CLIENT's CN CONTAINS AN ASTERISK like *.example.org, then it is matched against CN_match in wildcard matching fashion
Examples to illustrate behaviour:
(CNM = server's CN_match)
(CCN = client's CN)
- CNM=host.example.org, CCN=host.example.org ---> OK
- CNM=host.example.org, CCN=*.example.org ---> OK
- CNM=.example.org, CCN=*.example.org ---> OK
- CNM=example.org, CCN=*.example.org ---> ERROR
- CNM=*.example.org, CCN=host.example.org ---> ERROR
- CNM=*.example.org, CCN=*.example.org ---> OK
According to PHP sources I believe that the same applies if you are trying to act as Client and the server contains a wildcard certificate. If you set CN_match to myserver.example.org and server presents itself with *.example.org, the connection is allowed.
Everything above applies to PHP version 5.2.12.
I will supply a patch to support CN_match starting with asterisk.
گزینههای متنSSL
گزینههای متنSSL — فهرست گزینههای متن SSL
Description
گزینههای متن برای انتقالات ssl:// و tls://.
Changelog
| Version | Description |
|---|---|
| 5.3.2 | SNI_enabled و SNI_server_name اضافه شد. |
| 5.0.0 | capture_peer_cert٬ capture_peer_chain و ciphers را اضافه نمود. |
Notes
Note: بدلیل زیرساختار بودن ssl:// برای پوشانندههای https:// و ftps:// هر گزینه متن برای ssl:// در مورد https:// و ftps:// نیز صادق است.
Note: برای SNI (Server Name Indication) PHPباید به همراه OpenSSL 0.9.8j یا بالاتر کلامپایل شده باشد. از OPENSSL_TLSEXT_SERVER_NAME برای تعیین پشتیبانی از SNI استفاده کنید.
add a note
User Contributed Notes 4 notes
Botjan kufca ¶
5 years ago
borbas dot geri at gmail dot com ¶
1 year ago
I used this for Apple Push Notification Service.
Passed in a local certificate filename `cert.pem` trough local_cert option.
Worked fine, when invoked the script directly.
But when I included/required the script from a different location, it stopped working, without any explicit error message.
Resolved by passed in the full path for the file `<FullPathTo>cert.pem`.
Fabien Mnager ¶
2 days ago
This page is missing a lot of the possible options, I had to go in the PHP core source code to see options not listed here :
Here are the ones missing :
* local_pk
* SNI_server_certs
* no_ticket
* Maybe others not in this file.
