Utilities::fetch(): Workaround for SSL SNI extension not being correctly set.

See: https://bugs.php.net/bug.php?id=63519 Thanks to Marco Ferrante for implementing this workaround! git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3205 44740490-163a-0410-bde0-09ae8108e29a

Utilities::fetch(): Workaround for SSL SNI extension not being correctly set.
7dda96e6 · Olav Morken · 8aa6e3f7 · 7dda96e6
Commit 7dda96e6 authored 12 years ago by Olav Morken
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -2171,6 +2171,30 @@ class SimpleSAML_Utilities {
 			if (!isset($context['http']['request_fulluri'])) {
 				$context['http']['request_fulluri'] = TRUE;
 			}
+			// If the remote endpoint over HTTPS uses the SNI extension
+			// (Server Name Indication RFC 4366), the proxy could
+			// introduce a mismatch between the names in the
+			// Host: HTTP header and the SNI_server_name in TLS
+			// negotiation (thanks to Cristiano Valli @ GARR-IDEM
+			// to have pointed this problem).
+			// See: https://bugs.php.net/bug.php?id=63519
+			// These controls will force the same value for both fields.
+			// Marco Ferrante (marco@csita.unige.it), Nov 2012
+			if (preg_match('#^https#i', $path)
+				&& defined('OPENSSL_TLSEXT_SERVER_NAME')
+				&& OPENSSL_TLSEXT_SERVER_NAME) {
+				// Extract the hostname
+				$hostname = parse_url($path, PHP_URL_HOST);
+				if (!empty($hostname)) {
+					$context['ssl'] = array(
+						'SNI_server_name' => $hostname,
+						'SNI_enabled' => TRUE,
+						);
+				}
+				else {
+					SimpleSAML_Logger::warning('Invalid URL format or local URL used through a proxy');
+				}
+			}
 		}

 		$context = stream_context_create($context);