Remove dangerous CN_match fallback
parent
80c96a2c01
commit
449f68deae
|
@ -35,7 +35,6 @@ class RemoteFilesystem
|
||||||
private $lastProgress;
|
private $lastProgress;
|
||||||
private $options = array();
|
private $options = array();
|
||||||
private $disableTls = false;
|
private $disableTls = false;
|
||||||
private $retryTls = true;
|
|
||||||
private $retryAuthFailure;
|
private $retryAuthFailure;
|
||||||
private $lastHeaders;
|
private $lastHeaders;
|
||||||
private $storeAuth;
|
private $storeAuth;
|
||||||
|
@ -317,20 +316,6 @@ class RemoteFilesystem
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if the failure was due to a Common Name mismatch with remote SSL cert and retry once (excl normal retry)
|
|
||||||
if (
|
|
||||||
false === $result
|
|
||||||
&& $this->retryTls === true
|
|
||||||
&& preg_match('{did not match expected CN}i', $errorMessage)
|
|
||||||
&& preg_match("{Peer certificate CN=`(.*)' did not match}i", $errorMessage, $matches)
|
|
||||||
) {
|
|
||||||
$this->retryTls = false;
|
|
||||||
$expectedCommonName = $matches[1];
|
|
||||||
$this->io->write(" <warning>Retrying download from ".$originUrl." with SSL Cert Common Name (CN): ".$expectedCommonName."</warning>");
|
|
||||||
|
|
||||||
return $this->get($this->originUrl, $this->fileUrl, $additionalOptions, $this->fileName, $this->progress, $expectedCommonName);
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($this->retry) {
|
if ($this->retry) {
|
||||||
$this->retry = false;
|
$this->retry = false;
|
||||||
|
|
||||||
|
@ -487,7 +472,7 @@ class RemoteFilesystem
|
||||||
throw new TransportException('RETRY');
|
throw new TransportException('RETRY');
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function getOptionsForUrl($originUrl, $additionalOptions, $validCommonName = '')
|
protected function getOptionsForUrl($originUrl, $additionalOptions)
|
||||||
{
|
{
|
||||||
$tlsOptions = array();
|
$tlsOptions = array();
|
||||||
|
|
||||||
|
@ -499,18 +484,6 @@ class RemoteFilesystem
|
||||||
$host = parse_url($this->fileUrl, PHP_URL_HOST);
|
$host = parse_url($this->fileUrl, PHP_URL_HOST);
|
||||||
}
|
}
|
||||||
|
|
||||||
// This is sheer painful, but hopefully it'll be a footnote once SAN support
|
|
||||||
// reaches PHP 5.4 and 5.5...
|
|
||||||
// Side-effect: We're betting on the CN being either a wildcard or www, e.g. *.github.com or www.example.com.
|
|
||||||
if (strlen($validCommonName) > 0) {
|
|
||||||
if (
|
|
||||||
!preg_match('{'.$host.'$}i', $validCommonName)
|
|
||||||
|| (count(explode('.', $validCommonName)) - count(explode('.', $host))) > 1
|
|
||||||
) {
|
|
||||||
throw new TransportException('Unable to read or match the Common Name (CN) from the remote SSL certificate.');
|
|
||||||
}
|
|
||||||
$host = $validCommonName;
|
|
||||||
}
|
|
||||||
$tlsOptions['ssl']['CN_match'] = $host;
|
$tlsOptions['ssl']['CN_match'] = $host;
|
||||||
$tlsOptions['ssl']['SNI_server_name'] = $host;
|
$tlsOptions['ssl']['SNI_server_name'] = $host;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue