/** * Test a certificate with both CN and SAN fields * * As per RFC2818, if the SAN field exists, we should parse that and ignore * the value of the CN field. * * @link http://tools.ietf.org/html/rfc2818#section-3.1 */ public function testIgnoreCNWithSAN() { $certificate = $this->fakeCertificate('example.net', 'example.com'); $this->assertTrue(Requests_SSL::verify_certificate('example.com', $certificate), 'Checking SAN validation'); $this->assertFalse(Requests_SSL::verify_certificate('example.net', $certificate), 'Checking CN non-validation'); }
/** * Verify the certificate against common name and subject alternative names * * Unfortunately, PHP doesn't check the certificate against the alternative * names, leading things like 'https://www.github.com/' to be invalid. * Instead * * @see http://tools.ietf.org/html/rfc2818#section-3.1 RFC2818, Section 3.1 * * @throws Requests_Exception On failure to connect via TLS (`fsockopen.ssl.connect_error`) * @throws Requests_Exception On not obtaining a match for the host (`fsockopen.ssl.no_match`) * @param string $host Host name to verify against * @param resource $context Stream context * @return bool */ public function verify_certificate_from_context($host, $context) { $meta = stream_context_get_options($context); // If we don't have SSL options, then we couldn't make the connection at // all if (empty($meta) || empty($meta['ssl']) || empty($meta['ssl']['peer_certificate'])) { throw new Requests_Exception(rtrim($this->connect_error), 'ssl.connect_error'); } $cert = openssl_x509_parse($meta['ssl']['peer_certificate']); return Requests_SSL::verify_certificate($host, $cert); }