Hacky work around, where on php < 5.6.0 where SubjectAltName is not
supported, if a request to commons.wikimedia.org fails, retry the
request but telling php fopen wrapper to treat it as if it came
from en.wikipedia.org for validation purposes, since as of
c02fab71422a that's what the common name of the cert will be.
In the ideal world, everyone would just have curl installed.
I know this is super hacky, but I'd really like instant commons to
work out of the box even without curl installed.
Note: I'm basing the php 5.6 part on documentation, I have not tested
this with a copy of that version of php.
Bug: T75199
Change-Id: Ibde59be61a5b3d7cd5397ba352dce9be11e1b06f
}
if ( $this->sslVerifyHost ) {
}
if ( $this->sslVerifyHost ) {
- $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+ // PHP 5.6.0 deprecates CN_match, in favour of peer_name which
+ // actually checks SubjectAltName properly.
+ if ( version_compare( PHP_VERSION, '5.6.0', '>=' ) ) {
+ $options['ssl']['peer_name'] = $this->parsedUrl['host'];
+ } else {
+ $options['ssl']['CN_match'] = $this->parsedUrl['host'];
+ }
}
if ( is_dir( $this->caInfo ) ) {
}
if ( is_dir( $this->caInfo ) ) {
MediaWiki\restoreWarnings();
if ( !$fh ) {
MediaWiki\restoreWarnings();
if ( !$fh ) {
+ // HACK for instant commons.
+ // If we are contacting (commons|upload).wikimedia.org
+ // try again with CN_match for en.wikipedia.org
+ // as php does not handle SubjectAltName properly
+ // prior to "peer_name" option in php 5.6
+ if ( isset( $options['ssl']['CN_match'] )
+ && ( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
+ || $options['ssl']['CN_match'] === 'upload.wikimedia.org' )
+ ) {
+ $options['ssl']['CN_match'] = 'en.wikipedia.org';
+ $context = stream_context_create( $options );
+ continue;
+ }