Red Hat Bugzilla – Bug 106168
curl https fails to match subjectAltName server certificates
Last modified: 2007-04-18 12:58:06 EDT
Description of problem:
curl does not match HTTP over TLS server identity checks (as in RFC 2818)
Version-Release number of selected component (if applicable):
7.9.5 through to 7.10.6 (Rawhide)
Steps to Reproduce:
1. Connect to a server which does NOT have its FQDN in the CN component
of the subject name of the SSL certificate; but whose FQDN IS in a DNS
subjectAltName component. Ensure that you are using --cacert or --capath
to force SSL certificate verification.
2. curl will exit, claiming that the server name does not match that in the
Actual results:
Failed connection and error report.
Expected results:
Successful connection and HTML download.
Patch to correct this behaviour (against 7.9.5-2) is attached
Created attachment 94912
unified diff patch against RPM curl-7.9.5-2.rpm (should be Patch1 in spec)
Fixes problem. Code was lifted and translated from the OpenLDAP client
A similar patch has also been submitted to the curl maintenance site on
SourceForge, with a patch against 7.10.6
This code should also patch properly against all the 7.9.x series (i.e., in Red
Hat 9), but I haven't tested it.
I've remerged the patch against 7.10.6. Aside from line # diffs and whitespace,
strequals() needed a curl_ prefix for the newer src. I traced through the code
once and briefly tested and had another SSL/OpenLDAP dev look at the code, but
this needs a look from another party as the code is security related.
One further note - one of the curl maintainers (Daniel Stenberg) asked if the
inet_aton and inet_pton functions could be replaced in the patch - since not all
platforms have them (given that they're of BSD 4.3 origin).
I don't think that this is an issue for Linux, which certainly does have them -
but any further patching to curl might want to see if the functionality could be
Created attachment 95022
Patch redone for 7.10.6
strequals() is now curl_strequals(). Tabs removed from original. Original patch
author notes that the patch may need some modification to compile on non-Linux
(i.e. BSD) systems.
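Added example (editor's illustration, not the reporter's patch and not curl's own code) of the RFC 2818 section 3.1 identity check this bug is about, plus the inet_pton-based IP-literal handling discussed in the later comments. The struct cert_names, the sample certificate names (example.org, 192.0.2.10) and the function names are all constructed for the example; a real client would fill the struct from its X.509 parser. cn_only_match() stands in for the pre-patch behaviour (CN only); match_server_identity() is the rule the bug asks for: dNSName entries take precedence and the CN is consulted only when the certificate carries none.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed stand-in for the fields a TLS client pulls out of the peer
 * certificate; a real implementation gets these from the X.509 parser. */
struct cert_names {
    const char *cn;         /* subject CN, or NULL if absent */
    const char **dns_sans;  /* subjectAltName dNSName entries */
    size_t ndns;
    const char **ip_sans;   /* subjectAltName iPAddress entries, as text */
    size_t nip;
};

/* Case-insensitive equality; DNS names are ASCII so tolower() is enough. */
static bool name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Match host against one certificate name. Only a leading "*." wildcard is
 * honoured (narrower than RFC 2818's "f*.com"), it covers exactly one label,
 * and the pattern must keep at least two labels so "*.com" never matches. */
static bool pattern_match(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return name_eq(pattern, host);
    const char *suffix = pattern + 1;          /* ".example.org" */
    if (strchr(suffix + 1, '.') == NULL)
        return false;
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;
    return name_eq(suffix, dot);
}

/* Parse an IPv4/IPv6 literal to binary with inet_pton() (POSIX; the bug
 * discussion notes it is not available on every platform). */
static bool parse_ip(const char *s, unsigned char out[16], size_t *len)
{
    if (inet_pton(AF_INET, s, out) == 1) { *len = 4; return true; }
    if (inet_pton(AF_INET6, s, out) == 1) { *len = 16; return true; }
    return false;
}

/* Pre-fix behaviour described in the bug: only the subject CN is consulted. */
bool cn_only_match(const char *host, const struct cert_names *c)
{
    return c->cn != NULL && pattern_match(c->cn, host);
}

/* RFC 2818 section 3.1: an IP literal must match an iPAddress SAN; a host
 * name must match a dNSName SAN when any is present, and the CN is used
 * only as a fallback for certificates without dNSName entries. */
bool match_server_identity(const char *host, const struct cert_names *c)
{
    unsigned char hb[16], cb[16];
    size_t hl = 0, cl = 0;
    if (parse_ip(host, hb, &hl)) {
        for (size_t i = 0; i < c->nip; i++)
            if (parse_ip(c->ip_sans[i], cb, &cl) && cl == hl &&
                memcmp(hb, cb, hl) == 0)
                return true;
        return false;
    }
    if (c->ndns > 0) {
        for (size_t i = 0; i < c->ndns; i++)
            if (pattern_match(c->dns_sans[i], host))
                return true;
        return false;   /* CN deliberately ignored when dNSName is present */
    }
    return cn_only_match(host, c);
}

/* Constructed sample: the bug's scenario, FQDN in a SAN but not in the CN. */
static const char *sample_dns[] = { "www.example.org", "*.cdn.example.org" };
static const char *sample_ips[] = { "192.0.2.10" };
const struct cert_names sample_cert = { "mail.example.org", sample_dns, 2, sample_ips, 1 };
/* Constructed sample with no subjectAltName at all: CN fallback applies. */
const struct cert_names cn_only_cert = { "legacy.example.org", NULL, 0, NULL, 0 };

int main(void)
{
    const char *host = "www.example.org";
    printf("%s: CN-only=%d RFC2818=%d\n", host,
           cn_only_match(host, &sample_cert),
           match_server_identity(host, &sample_cert));
    return 0;
}
```

For the sample certificate, cn_only_match() rejects www.example.org (the failure the reporter sees) while match_server_identity() accepts it; the same function also rejects mail.example.org, because a CN must not rescue a certificate that carries dNSName entries, and it refuses an IP literal unless an iPAddress entry matches it in binary form.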