Revision: 3205
Author: olavmrk
Date: Thu Nov 22 00:03:28 2012
Log: Utilities::fetch(): Workaround for SSL SNI extension not being
correctly set.
See: https://bugs.php.net/bug.php?id=63519
Thanks to Marco Ferrante for implementing this workaround!
http://code.google.com/p/simplesamlphp/source/detail?r=3205
Modified:
/trunk/lib/SimpleSAML/Utilities.php
=======================================
--- /trunk/lib/SimpleSAML/Utilities.php Fri May 4 01:03:01 2012
+++ /trunk/lib/SimpleSAML/Utilities.php Thu Nov 22 00:03:28 2012
@@ -2171,6 +2171,30 @@
if (!isset($context['http']['request_fulluri'])) {
$context['http']['request_fulluri'] = TRUE;
}
+ // If the remote endpoint over HTTPS uses the SNI
extension
+ // (Server Name Indication RFC 4366), the proxy could
+ // introduce a mismatch between the names in the
+ // Host: HTTP header and the SNI_server_name in TLS
+ // negotiation (thanks to Cristiano Valli @ GARR-IDEM
+ // to have pointed this problem).
+ // See: https://bugs.php.net/bug.php?id=63519
+ // These controls will force the same value for both
fields.
+ // Marco Ferrante (ma...@csita.unige.it), Nov 2012
+ if (preg_match('#^https#i', $path)
+ && defined('OPENSSL_TLSEXT_SERVER_NAME')
+ && OPENSSL_TLSEXT_SERVER_NAME) {
+ // Extract the hostname
+ $hostname = parse_url($path, PHP_URL_HOST);
+ if (!empty($hostname)) {
+ $context['ssl'] = array(
+ 'SNI_server_name' => $hostname,
+ 'SNI_enabled' => TRUE,
+ );
+ }
+ else {
+ SimpleSAML_Logger::warning('Invalid URL format or local URL used
through a proxy');
+ }
+ }
}
$context = stream_context_create($context);
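Review bot: The assignment `$context['ssl'] = array(...)` in the `!empty($hostname)` branch replaces the whole `ssl` option group, so any TLS options already present in `$context` (for example `verify_peer` or `cafile`, if a caller supplies them) are dropped whenever this proxy path is taken. Setting the two keys individually preserves them: `$context['ssl']['SNI_server_name'] = $hostname;` and `$context['ssl']['SNI_enabled'] = TRUE;`. The scheme test `#^https#i` also accepts any string that merely begins with "https"; `#^https://#i` would be stricter. The enclosing function starts and ends outside the hunk, so whether callers actually pass `ssl` options is not visible here and should be confirmed.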