Gergő Tisza has uploaded a new change for review. https://gerrit.wikimedia.org/r/234928
Change subject: Workaround fopen lack of SubjectAltName support for instantCommons ...................................................................... Workaround fopen lack of SubjectAltName support for instantCommons Hacky work around, where on php < 5.6.0 where SubjectAltName is not supported, if a request to commons.wikimedia.org fails, retry the request but telling php fopen wrapper to treat it as if it came from en.wikipedia.org for validation purposes, since as of c02fab71422a that's what the common name of the cert will be. In the ideal world, everyone would just have curl installed. I know this is super hacky, but I'd really like instant commons to work out of the box even without curl installed. Note: I'm basing the php 5.6 part on documentation, I have not tested this with a copy of that version of php. Bug: T75199 Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f (cherry picked from commit bb2adc239410563eeddd6f9017b62187c859fed6) --- M includes/HttpFunctions.php 1 file changed, 20 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/28/234928/1 diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php index 1fd437e..fd3a72f 100644 --- a/includes/HttpFunctions.php +++ b/includes/HttpFunctions.php @@ -883,7 +883,13 @@ } if ( $this->sslVerifyHost ) { - $options['ssl']['CN_match'] = $this->parsedUrl['host']; + // PHP 5.6.0 deprecates CN_match, in favour of peer_name which + // actually checks SubjectAltName properly. + if ( version_compare( PHP_VERSION, '5.6.0', '>=' ) ) { + $options['ssl']['peer_name'] = $this->parsedUrl['host']; + } else { + $options['ssl']['CN_match'] = $this->parsedUrl['host']; + } } if ( is_dir( $this->caInfo ) ) { 
@@ -909,6 +915,19 @@ wfRestoreWarnings(); if ( !$fh ) { + // HACK for instant commons. + // If we are contacting (commons|upload).wikimedia.org + // try again with CN_match for en.wikipedia.org + // as php does not handle SubjectAltName properly + // prior to "peer_name" option in php 5.6 + if ( isset( $options['ssl']['CN_match'] ) + && ( $options['ssl']['CN_match'] === 'commons.wikimedia.org' + || $options['ssl']['CN_match'] === 'upload.wikimedia.org' ) + ) { + $options['ssl']['CN_match'] = 'en.wikipedia.org'; + $context = stream_context_create( $options ); + continue; + } break; } -- To view, visit https://gerrit.wikimedia.org/r/234928 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_23 Gerrit-Owner: Gergő Tisza <gti...@wikimedia.org> Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
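Review bot: In the first hunk the `version_compare` branch correctly avoids setting both keys, which matters because PHP 5.6 emits E_DEPRECATED for `CN_match` when `peer_name` is the supported option, but the commit message says the 5.6 path is untested; please verify on a 5.6 install (or add a test around the stream context options) that `$options['ssl']['peer_name'] = $this->parsedUrl['host']` is honoured and that name verification still fails for a mismatched certificate, since this is the branch that will carry the SubjectAltName check going forward.

Review bot: In the second hunk the retry fires on any `!$fh`, not specifically on a certificate name mismatch, so a timeout or DNS failure against `commons.wikimedia.org` is silently retried with `CN_match` rewritten to `en.wikipedia.org` and the original warning (suppressed above `wfRestoreWarnings()`) is lost; consider capturing that warning and only retrying when it reports a CN mismatch, and log the fallback so operators can tell which validation name was actually used. The loop does terminate, because after the rewrite `CN_match` no longer equals either wikimedia host, but the hard-coded `'en.wikipedia.org'` ties this to the current certificate's common name (c02fab71422a in the message); a comment referencing T75199 and a TODO to drop the block once PHP 5.6 is the minimum would keep it from outliving the certificate it was written for.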