• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Fixed Impossible to disable verify_peer_name in SSL Untrusted Connection on PHP7

Jawsh

Formerly null0
#1
I'm setting up a remote Squid3 image proxy to protect against IP identification attacks on my server and users, and I've almost gotten it all sorted out, but I'm blocked at the last bend. PHP7 / XenForo 1.5.6 is blocking a 100% correct SSL response because of a common name mismatch.

https://i.imgur.com/C98FBi7.jpg could not be fetched or is not a valid image. The specific error message was: stream_socket_enable_crypto(): Peer certificate CN=`*.imgur.com' did not match expected CN=`imageproxy'

This is because of the directive verify_peer_name. Squid3 is set to do an SSL bump, but for some reason PHP is expecting the name of the host back, not the name of the target URL.

The problem comes from Zend\Http\Client\Adapter\Proxy.php and appears to be something in the Framework, not XenForo, which makes the problem all the worse.


This is my Squid3 config, but I received the same issue with Tinyproxy as well. It's very insecure at the moment because all I'm trying to do is get it set up.

There's a very deceptive "sslproxy_cert_adapt setCommonName{'imageproxy'}" option, but I can find nothing on it outside of its documentation from Google, and in my tests it does not fix the issue nor alter the cert in any way.

Code:
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 403         # TCP
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 1080        # SOCKS
acl CONNECT method CONNECT

always_direct allow all

sslproxy_cert_error allow all
sslproxy_cert_adapt setCommonName{'imageproxy'} #This doesn't work ...

ssl_bump allow all
ssl_bump bump all
ssl_bump splice all

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow all

# And finally deny all other access to this proxy
#http_access deny all

# Squid normally listens to port 3128
http_port 3128

# No caching.
cache deny all

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
 
Last edited:

Mike

XenForo developer
Staff member
#2
When looking into this, there might be a bit of a bug in the ZF proxy adapter, though I'm not 100% sure if the change will do anything here. The change is to replace:
Code:
"Host: " . $this->config['proxy_host'] . "\r\n";
with:
Code:
"Host: " . $host . "\r\n";
Does that change anything?

Otherwise, you might need a different change in that file. This isn't one I've tested, but I think if you find this line:
Code:
$modes = array(
And add this before it:
Code:
stream_context_set_option($this->socket, 'ssl', 'peer_name', $host);
It may allow this to work. Does that change anything?
 

eva2000

Well-known member
#4
Otherwise, you might need a different change in that file. This isn't one I've tested, but I think if you find this line:
Code:
$modes = array(
And add this before it:
Code:
stream_context_set_option($this->socket, 'ssl', 'peer_name', $host);
It may allow this to work. Does that change anything?
confirmed I hit this bug in 1.5.7 test install as well and this workaround fixed it :)
 

MattW

Well-known member
#5
Otherwise, you might need a different change in that file. This isn't one I've tested, but I think if you find this line:
Code:
$modes = array(
And add this before it:
Code:
stream_context_set_option($this->socket, 'ssl', 'peer_name', $host);
It may allow this to work. Does that change anything?
Just applied this myself to get around the same bug as @eva2000
 

eva2000

Well-known member
#6
When looking into this, there might be a bit of a bug in the ZF proxy adapter, though I'm not 100% sure if the change will do anything here. The change is to replace:
Code:
"Host: " . $this->config['proxy_host'] . "\r\n";
with:
Code:
"Host: " . $host . "\r\n";
Does that change anything?

Otherwise, you might need a different change in that file. This isn't one I've tested, but I think if you find this line:
Code:
$modes = array(
And add this before it:
Code:
stream_context_set_option($this->socket, 'ssl', 'peer_name', $host);
It may allow this to work. Does that change anything?
seems on xf 1.5.8 + php 5.6.22 it's not working again even though you have
PHP:
        if (PHP_VERSION_ID >= 56000)
        {
            stream_context_set_option($this->socket, 'ssl', 'peer_name', $host);
        }
but this works
PHP:
        //if (PHP_VERSION_ID >= 56000)
        //{
            //stream_context_set_option($this->socket, 'ssl', 'peer_name', $host);
        //}

        // If all is good, switch socket to secure mode. We have to fall back
        // through the different modes
        stream_context_set_option($this->socket, 'ssl', 'peer_name', $host);
        $modes = array(
            STREAM_CRYPTO_METHOD_TLS_CLIENT,
            STREAM_CRYPTO_METHOD_SSLv3_CLIENT,
            STREAM_CRYPTO_METHOD_SSLv23_CLIENT,
            STREAM_CRYPTO_METHOD_SSLv2_CLIENT
        );
 
Last edited:

Mike

XenForo developer
Staff member
#9
I've gone ahead and changed that now for the next release. (If the 56000 -> 50600 change doesn't work for anyone, please let me know.)
 

eva2000

Well-known member
#10
thanks mike i changed that to 50600 on my 1.5.8 xf install strange now though imgurl.com based images are getting broken for http only but work for https - example posted at https://community.centminmod.com/posts/31629/

IMG embed
when untrustedHttpClient is set in xf config.php to hide origin IP as behind DDOS mitigation proxy

strange is test image proxy in admin.php works for both http and https too

worked fine on xf 1.5.7

edit: seems it working now, seems flaky but both http and https images embed now
 
Last edited: