--TEST-- Bug #65729: CN_match gives false positive when wildcard is used --EXTENSIONS-- openssl --SKIPIF-- --FILE-- [ 'local_cert' => '%s' ]]); $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); phpt_notify(); $expected_names = ['foo.test.com.sg', 'foo.test.com', 'FOO.TEST.COM', 'foo.bar.test.com']; foreach ($expected_names as $name) { @stream_socket_accept($server, 1); } CODE; $serverCode = sprintf($serverCode, $certFile); $clientCode = <<<'CODE' $serverUri = "ssl://127.0.0.1:64321"; $clientFlags = STREAM_CLIENT_CONNECT; phpt_wait(); $expected_names = ['foo.test.com.sg', 'foo.test.com', 'FOO.TEST.COM', 'foo.bar.test.com']; foreach ($expected_names as $expected_name) { $clientCtx = stream_context_create(['ssl' => [ 'verify_peer' => true, 'peer_name' => $expected_name, 'cafile' => '%s', ]]); var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx)); } CODE; $clientCode = sprintf($clientCode, $cacertFile); include 'CertificateGenerator.inc'; $certificateGenerator = new CertificateGenerator(); $certificateGenerator->saveCaCert($cacertFile); $certificateGenerator->saveNewCertAsFileWithKey('*.test.com', $certFile); include 'ServerClientTestCase.inc'; ServerClientTestCase::getInstance()->run($clientCode, $serverCode); ?> --CLEAN-- --EXPECTF-- Warning: stream_socket_client(): Peer certificate CN=`*.test.com' did not match expected CN=`foo.test.com.sg' in %s on line %d Warning: stream_socket_client(): Failed to enable crypto in %s on line %d Warning: stream_socket_client(): Unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d bool(false) resource(%d) of type (stream) resource(%d) of type (stream) Warning: stream_socket_client(): Peer certificate CN=`*.test.com' did not match expected CN=`foo.bar.test.com' in %s on line %d Warning: stream_socket_client(): Failed to enable crypto in %s on line %d Warning: stream_socket_client(): Unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d bool(false)