-
Notifications
You must be signed in to change notification settings - Fork 7.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix bug GH-9356: Incomplete SAN validation of IPv6 address
IPv6 addresses are valid entries in subjectAltNames. Certificate Authorities may issue certificates including IPv6 addresses except if they fall within addresses in the RFC 4193 range. Google and CloudFlare provide IPv6 addresses in their DNS over HTTPS services. Internal CAs do not have those restrictions and can issue Unique local addresses in certificates. Closes GH-11145
- Loading branch information
1 parent
06d6873
commit fd09728
Showing
3 changed files
with
116 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
--TEST-- | ||
IPv6 Peer verification matches SAN names | ||
--EXTENSIONS-- | ||
openssl | ||
--SKIPIF-- | ||
<?php | ||
if (!function_exists("proc_open")) die("skip no proc_open"); | ||
if (getenv("CI_NO_IPV6") || !defined("AF_INET6")) { | ||
die('skip no IPv6 support'); | ||
} | ||
if (@stream_socket_client('udp://[::1]:8888') === false) | ||
die('skip no IPv6 support'); | ||
?> | ||
--FILE-- | ||
<?php | ||
$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'san_ipv6_peer_matching.pem.tmp'; | ||
$san = 'IP:2001:db8:85a3:8d3:1319:8a2e:370:7348'; | ||
|
||
$serverCode = <<<'CODE' | ||
$serverUri = "ssl://[::1]:64324"; | ||
$serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; | ||
$serverCtx = stream_context_create(['ssl' => [ | ||
'local_cert' => '%s', | ||
]]); | ||
$server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); | ||
phpt_notify(); | ||
@stream_socket_accept($server, 1); | ||
@stream_socket_accept($server, 1); | ||
CODE; | ||
$serverCode = sprintf($serverCode, $certFile); | ||
|
||
$clientCode = <<<'CODE' | ||
$serverUri = "ssl://[::1]:64324"; | ||
$clientFlags = STREAM_CLIENT_CONNECT; | ||
$clientCtx = stream_context_create(['ssl' => [ | ||
'verify_peer' => false, | ||
]]); | ||
phpt_wait(); | ||
stream_context_set_option($clientCtx, 'ssl', 'peer_name', '2001:db8:85a3:8d3:1319:8a2e:370:7348'); | ||
var_dump(stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx)); | ||
stream_context_set_option($clientCtx, 'ssl', 'peer_name', '2001:db8:85a3:8d3:1319:8a2e:370:7349'); | ||
var_dump(stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx)); | ||
CODE; | ||
|
||
include 'CertificateGenerator.inc'; | ||
$certificateGenerator = new CertificateGenerator(); | ||
$certificateGenerator->saveNewCertAsFileWithKey(null, $certFile, null, $san); | ||
|
||
include 'ServerClientTestCase.inc'; | ||
ServerClientTestCase::getInstance()->run($clientCode, $serverCode); | ||
?> | ||
--CLEAN-- | ||
<?php | ||
@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'san_ipv6_peer_matching.pem.tmp'); | ||
?> | ||
--EXPECTF-- | ||
resource(%d) of type (stream) | ||
|
||
Warning: stream_socket_client(): Unable to locate peer certificate CN in %s on line %d | ||
|
||
Warning: stream_socket_client(): Failed to enable crypto in %s on line %d | ||
|
||
Warning: stream_socket_client(): Unable to connect to ssl://[::1]:64324 (Unknown error) in %s on line %d | ||
bool(false) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters