1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Fixed Impossible to disable verify_peer_name in SSL Untrusted Connection on PHP7

Discussion in 'Resolved Bug Reports' started by Jawsh, Apr 14, 2016.

  1. Jawsh

    Jawsh Formerly null0

    I'm setting up a remote Squid3 image proxy to protect against IP identification attacks on my server and users, and I've almost gotten it all sorted out, but I'm blocked at the last bend. PHP7 / XenForo 1.5.6 is blocking a 100% correct SSL response because of a common name mismatch.

    https://i.imgur.com/C98FBi7.jpg could not be fetched or is not a valid image. The specific error message was: stream_socket_enable_crypto(): Peer certificate CN=`*.imgur.com' did not match expected CN=`imageproxy'

    This is because of the directive verify_peer_name. Squid3 is set to do an SSL bump, but for some reason PHP is expecting the name of the host back, not the name of the target URL.

    The problem comes from Zend\Http\Client\Adapter\Proxy.php and appears to be something in the Framework, not XenForo, which makes the problem all the worse.

    This is my Squid3 config, but I received the same issue with Tinyproxy as well. It's very insecure at the moment because all I'm trying to do is get it set up.

    There's a very deceptive "sslproxy_cert_adapt setCommonName{'imageproxy'}" option, but I can find nothing on it outside of its documentation from Google, and in my tests it does not fix the issue nor alter the cert in any way.

    # Recommended minimum configuration:
    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src     # RFC1918 possible internal network
    acl localnet src  # RFC1918 possible internal network
    acl localnet src # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 403         # TCP
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl Safe_ports port 1080        # SOCKS
    acl CONNECT method CONNECT
    always_direct allow all
    sslproxy_cert_error allow all
    sslproxy_cert_adapt setCommonName{'imageproxy'} #This doesn't work ...
    ssl_bump allow all
    ssl_bump bump all
    ssl_bump splice all
    # Recommended minimum Access Permission configuration:
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    # http_access deny to_localhost
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost
    http_access allow all
    # And finally deny all other access to this proxy
    #http_access deny all
    # Squid normally listens to port 3128
    http_port 3128
    # No caching.
    cache deny all
    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/cache/squid 100 16 256
    # Leave coredumps in the first cache dir
    coredump_dir /var/cache/squid
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320
    Last edited: Apr 14, 2016
  2. Mike

    Mike XenForo Developer Staff Member

    When looking into this, there might be a bit of a bug in the ZF proxy adapter, though I'm not 100% sure if the change will do anything here. The change is to replace:
    "Host: " . $this->config['proxy_host'] . "\r\n";
    "Host: " . $host . "\r\n";
    Does that change anything?

    Otherwise, you might need a different change in that file. This isn't one I've tested, but I think if you find this line:
    $modes = array(
    And add this before it:
    stream_context_set_option($this->socket, 'ssl', 'peer_name', $host);
    It may allow this to work. Does that change anything?
    MattW and eva2000 like this.
  3. Jawsh

    Jawsh Formerly null0

    This did it. Works flawlessly now.
  4. eva2000

    eva2000 Well-Known Member

    confirmed I hit this bug in 1.5.7 test install as well and this workaround fixed it :)
  5. MattW

    MattW Well-Known Member

    Just applied this myself to get around the same bug as @eva2000
    eva2000 likes this.
  6. eva2000

    eva2000 Well-Known Member

    seems on xf 1.5.8 + php 5.6.22 it's not working again even though you have
            if (PHP_VERSION_ID >= 56000)
    but this works
            //if (PHP_VERSION_ID >= 56000)
                //stream_context_set_option($this->socket, 'ssl', 'peer_name', $host);

            // If all is good, switch socket to secure mode. We have to fall back
            // through the different modes
    $modes = array(
    Last edited: May 26, 2016
  7. Mike

    Mike XenForo Developer Staff Member

    There's a typo -- 56000 should be 50600. I'll move this back to an open bug for now.
    MattW and eva2000 like this.
  8. eva2000

    eva2000 Well-Known Member

  9. Mike

    Mike XenForo Developer Staff Member

    I've gone ahead and changed that now for the next release. (If the 56000 -> 50600 change doesn't work for anyone, please let me know.)
    eva2000 likes this.
  10. eva2000

    eva2000 Well-Known Member

    thanks mike i changed that to 50600 on my 1.5.8 xf install strange now though imgurl.com based images are getting broken for http only but work for https - example posted at https://community.centminmod.com/posts/31629/

    IMG embed
    when untrustedHttpClient is set in xf config.php to hide origin IP as behind DDOS mitigation proxy

    strange is test image proxy in admin.php works for both http and https too

    worked fine on xf 1.5.7

    edit: seems it working now, seems flaky but both http and https images embed now
    Last edited: May 31, 2016

Share This Page