Last modified: 2014-11-09 17:03:08 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T75199, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 73199 - PhpHttpRequest should not check host against CN x509 attribute


Summary:	PhpHttpRequest should not check host against CN x509 attribute

Status:	NEW

Product:	MediaWiki
Classification:	Unclassified
Component:	General/Unknown (Other open bugs)
Version:	1.25-git
Hardware:	All All

Importance:	Unprioritized normal (vote)
Target Milestone:	---
Assigned To:	Nobody - You can work on this!

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	53131
	Show dependency tree / graph

Reported:	2014-11-09 16:18 UTC by Seb35
Modified:	2014-11-09 17:03 UTC (History)
CC List:	0 users

See Also:	68581
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Seb35 2014-11-09 16:18:42 UTC

In the class PhpHttpRequest (file includes/HttpFunctions.php, used when CURL is not installed), the option 'sslVerifyHost' is translated by checking the 'CN' x509 attribute against the host, which is now deprecated with x509 certificate v3 with subjectAltName and this avoid the operation although it was correct.

In particular, this can be observed with `$wgInstantCommons = true' on an HTTPS wiki without php-curl installed, because the commons.wikimedia.org certificate has a CN attribute *.wikipedia.org and commons.wikimedia.org is only in the subjectAltName attribute.

Comment 1 Seb35 2014-11-09 16:24:43 UTC

Adding this as a (soft) blocker of bug 53131 since it will lead to problems for people without CURL.

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links