Description of problem:
curl does not match HTTP over TLS server identity checks (as in RFC 2818)

Version-Release number of selected component (if applicable):
7.9.5 through to 7.10.6 (Rawhide)

How reproducible:
Always

Steps to Reproduce:
1. Connect to a server which does NOT have its FQDN in the CN component of the subject name of the SSL certificate, but whose FQDN IS in a DNS subjectAltName component. Ensure that you are using --cacert or --capath to force SSL certificate verification.
2. curl will exit, claiming that the server name does not match that in the certificate.

Actual results:
Failed connection and error report.

Expected results:
Successful connection and HTML download.

Additional info:
Patch to correct this behaviour (against 7.9.5-2) is attached.
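The RFC 2818 section 3.1 identity rules this report refers to, as an added example in C that is neither the attached patch nor curl's own code: given the SAN dNSName and iPAddress values and the subject CN a caller has already parsed out of the certificate, it treats dNSName entries as the identity when any are present (the CN is then ignored), falls back to the CN only when there are none, requires an iPAddress entry when the URL carries an IP literal (detected with inet_pton, the function discussed later in the thread), and applies the RFC 2818 wildcard rules. The struct and function names are assumptions.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>
struct san_ip { size_t len; unsigned char addr[16]; }; /* raw 4- or 16-byte iPAddress SAN (constructed layout) */

/* RFC 2818 name match: a single '*' is allowed only in the leftmost label and never spans a dot,
 * so "*.a.com" matches "foo.a.com" but not "bar.foo.a.com", and "f*.com" matches "foo.com" but not "bar.com". */
static bool name_match(const char *pat, const char *host)
{
    const char *star = strchr(pat, '*');
    const char *pdot = strchr(pat, '.');
    const char *hdot = strchr(host, '.');
    if (!star)
        return strcasecmp(pat, host) == 0;
    if (!pdot || !hdot || star > pdot || strchr(star + 1, '*') ||
        strcasecmp(pdot, hdot) != 0)
        return false;                       /* labels after the first must be identical */
    size_t pre = (size_t)(star - pat);      /* literal text before the '*' */
    size_t suf = (size_t)(pdot - star - 1); /* literal text after it, in the same label */
    size_t hlen = (size_t)(hdot - host);    /* length of the host's leftmost label */
    return hlen >= pre + suf &&
           strncasecmp(pat, host, pre) == 0 &&
           strncasecmp(star + 1, hdot - suf, suf) == 0;
}

/* Server identity check as RFC 2818 section 3.1 describes it. host is the name from the URL
 * (an IPv6 literal without brackets); dns/ips/cn are assumed to be parsed from the certificate. */
bool rfc2818_identity_ok(const char *host, const char *const *dns, size_t n_dns,
                         const struct san_ip *ips, size_t n_ip, const char *cn)
{
    unsigned char want[16];
    size_t wlen = 0;
    if (inet_pton(AF_INET, host, want) == 1) wlen = 4;
    else if (inet_pton(AF_INET6, host, want) == 1) wlen = 16;
    if (wlen) {              /* IP literal in the URL: only an exactly matching iPAddress SAN counts */
        for (size_t i = 0; i < n_ip; i++)
            if (ips[i].len == wlen && memcmp(ips[i].addr, want, wlen) == 0)
                return true;
        return false;
    }
    if (n_dns) {             /* dNSName present: it is the identity, the CN is ignored */
        for (size_t i = 0; i < n_dns; i++)
            if (name_match(dns[i], host))
                return true;
        return false;
    }
    return cn != NULL && name_match(cn, host);   /* no dNSName at all: fall back to the CN */
}
```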
Created attachment 94912
unified diff patch against RPM curl-7.9.5-2.rpm (should be Patch1 in spec)

Fixes problem. Code was lifted and translated from the OpenLDAP client libraries. A similar patch has also been submitted to the curl maintenance site on SourceForge, with a patch against 7.10.6. This code should also patch properly against all the 7.9.x series (i.e., in Red Hat 9), but I haven't tested it.
I've remerged the patch against 7.10.6. Aside from line # diffs and whitespace, strequals() needed a curl_ prefix for the newer src. I traced through the code once and briefly tested and had another SSL/OpenLDAP dev look at the code, but this needs a look from another party as the code is security related.
One further note - one of the curl maintainers (Daniel Stenberg) asked if the inet_aton and inet_pton functions could be replaced in the patch - since not all platforms have them (given that they're of BSD 4.3 origin). I don't think that this is an issue for Linux, which certainly does have them - but any further patching to curl might want to see if the functionality could be replicated.
Created attachment 95022
Patch redone for 7.10.6

strequals() is now curl_strequals(). Tabs removed from original. Original patch author notes that the patch may need some modification to compile on non-Linux (i.e. BSD) systems.