Incomplete validation of IP Address fields in subjectAltNames

[lucasnetau]

Description

Peer verification [ext/openssl/xp_ssl.c -> php_openssl_matches_san_list()] via an IP address in the SAN list is incomplete

• IPv4 Addresses are validated on all IP ranges including including reserve IP addresses which is deprecated
• IPv6 Addresses validation is not implemented at all with the follow comment

No, we aren't bothering to check IPv6 addresses. Why?
Because IP SAN names are officially deprecated and are
not allowed by CAs starting in 2015. Deal with it.

IPv6 addresses not in reserved IP range can be included in SAN lists per https://www.digicert.com/kb/advisories/internal-names.htm and is used by Google and CloudFlare for their DNS over HTTPS services

Connecting to a HTTPS server via IPv6 is useful for DNS over HTTPS clients, not verifying peer removes the security gained.

The following code:

<?php

$dns = '2001:4860:4860::8888'; //dns.google IPv6

$context = stream_context_create();
stream_context_set_option($context, 'ssl', 'verify_host', true);
stream_context_set_option($context, 'ssl', 'verify_peer_name', true);
stream_context_set_option($context, 'ssl', 'SNI_server_name', $dns);
stream_context_set_option($context, 'ssl', 'peer_name', $dns);

$socket = stream_socket_client("tls://[$dns]:443", $errno, $errstr, 5, STREAM_CLIENT_CONNECT, $context);
if($socket == FALSE)
{
    echo "error: $errstr ($errno)\n";
    exit(1);
}

echo 'connected';

Resulted in this output:

Warning: stream_socket_client(): Peer certificate CN=`dns.google' did not match expected CN=`2001:4860:4860:0000:0000:0000:0000:8888'
PHP Warning:  stream_socket_client(): Failed to enable crypto 

But I expected this output instead:

connected

PHP Version

PHP 8.1.9

Operating System

No response