Brian Wolff has uploaded a new change for review.
https://gerrit.wikimedia.org/r/222086
Change subject: Workaround fopen lack of SubjectAltName support for
instantCommons
......................................................................
Workaround fopen lack of SubjectAltName support for instantCommons
Hacky workaround: on php < 5.6.0, where SubjectAltName is not
supported, if a request to commons.wikimedia.org fails, retry the
request but tell the php fopen wrapper to treat it as if it came
from en.wikipedia.org for validation purposes, since as of
c02fab71422a that's what the common name of the cert will be.
In the ideal world, everyone would just have curl installed.
I know this is super hacky, but I'd really like instant commons to
work out of the box even without curl installed.
Note: I'm basing the php 5.6 part on documentation, I have not tested
this with a copy of that version of php.
Bug: T75199
Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
---
M includes/HttpFunctions.php
1 file changed, 20 insertions(+), 1 deletion(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core
refs/changes/86/222086/1
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 825cd06..2029092 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -912,7 +912,13 @@
}
if ( $this->sslVerifyHost ) {
- $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+ // PHP 5.6.0 deprecates CN_match, in favour of
peer_name which
+ // actually checks SubjectAltName properly.
+ if ( version_compare( PHP_VERSION, '5.6.0', '>=' ) ) {
+ $options['ssl']['peer_name'] =
$this->parsedUrl['host'];
+ } else {
+ $options['ssl']['CN_match'] =
$this->parsedUrl['host'];
+ }
}
if ( is_dir( $this->caInfo ) ) {
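Review bot: The `peer_name` branch under `version_compare( PHP_VERSION, '5.6.0', '>=' )` is the path the commit message says was never run on PHP 5.6, and this single-file change adds nothing that exercises it. Before merging, confirm on a 5.6 install that a host listed only in the certificate's SubjectAltName validates with `peer_name` set to `$this->parsedUrl['host']`. It would also help to add a short comment on the `else` branch saying that `CN_match` is compared against the certificate's common name only, since that is the reason the retry further down exists.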
@@ -943,6 +949,19 @@
MediaWiki\restoreWarnings();
if ( !$fh ) {
+ // HACK for instant commons.
+ // If we are contacting
(commons|upload).wikimedia.org
+ // try again with CN_match for en.wikipedia.org
+ // as php does not handle SubjectAltName
properly
+ // prior to "peer_name" option in php 5.6
+ if ( isset( $options['ssl']['CN_match'] )
+ && ( $options['ssl']['CN_match'] ===
'commons.wikimedia.org'
+ || $options['ssl']['CN_match']
=== 'upload.wikimedia.org' )
+ ) {
+ $options['ssl']['CN_match'] =
'en.wikipedia.org';
+ $context = stream_context_create(
$options );
+ continue;
+ }
break;
}
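Review bot: The retry inside `if ( !$fh )` fires on any failed open, not only on a certificate name mismatch, so a timeout or refused connection to commons.wikimedia.org or upload.wikimedia.org is also retried with `CN_match` rewritten to `en.wikipedia.org`. If the failure reason is available at this point, restrict the retry to verification failures; if it is not, say so in the comment. The hostnames are hardcoded in a general request path and rely on the certificate's common name staying `en.wikipedia.org`, so consider pulling them into a named constant or small map with a reference to T75199, and logging a debug line when the fallback is taken, so the hack is easy to find and remove later. The loop itself terminates, because after the rewrite `CN_match` no longer equals either of the two matched hostnames.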
--
To view, visit https://gerrit.wikimedia.org/r/222086
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Brian Wolff <[email protected]>