Bug 106168 - curl https fails to match subjectAltName server certificates
Summary: curl https fails to match subjectAltName server certificates
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: curl
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ivana Varekova
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-10-03 13:30 UTC by Neil Dunbar
Modified: 2007-04-18 16:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-01-09 10:28:29 UTC
Embargoed:


Attachments
unified diff patch against RPM curl-7.9.5-2.rpm (should be Patch1 in spec) (5.29 KB, patch)
2003-10-03 13:33 UTC, Neil Dunbar
Patch redone for 7.10.6 (6.28 KB, patch)
2003-10-08 16:25 UTC, Eido Inoue

Description Neil Dunbar 2003-10-03 13:30:25 UTC
Description of problem:

curl does not match HTTP over TLS server identity checks (as in RFC 2818)

Version-Release number of selected component (if applicable):

7.9.5 through to 7.10.6 (Rawhide)

How reproducible:
Always

Steps to Reproduce:
1. Connect to a server which does NOT have its FQDN in the CN component
   of the subject name of the SSL certificate; but whose FQDN IS in a DNS
   subjectAltName component. Ensure that you are using --cacert or --capath
   to force SSL certificate verification.
2. curl will exit, claiming that the server name does not match that in the
   certificate.
Actual results:

Failed connection and error report.

Expected results:

Successful connection and HTML download.

Additional info:

Patch to correct this behaviour (against 7.9.5-2) is attached
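The identity rule this report turns on, as an added example in Python (it is not curl's code and not the attached patch): the pre-patch CN-only comparison beside an RFC 2818 check that uses dNSName and iPAddress subjectAltName entries and falls back to the CN only when no dNSName SAN exists. The certificate fields and host names used are constructed sample values.

```python
# Added example (not curl's code or the attached patch): the RFC 2818
# server identity check that this report says curl 7.9.5-7.10.6 lacked.
import ipaddress
import re


def _dns_match(pattern, host):
    """Case-insensitive dNSName match; '*' matches within one label only
    (RFC 2818 s3.1: *.a.com matches foo.a.com but not bar.foo.a.com)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        if "*" not in p:
            if p != h:
                return False
            continue
        # Turn the label pattern into a regex that cannot cross a dot.
        label_re = "[^.]*".join(re.escape(part) for part in p.split("*"))
        if not re.fullmatch(label_re, h):
            return False
    return True


def cn_only_match(host, cn):
    """Pre-patch behaviour described in the report: only the subject CN is
    compared, so a cert whose FQDN lives in a SAN entry is rejected."""
    return cn is not None and _dns_match(cn, host)


def verify_identity(host, san_dns=(), san_ips=(), cn=None):
    """RFC 2818 s3.1 check. host is the URL host (DNS name or IP literal);
    san_dns/san_ips are the dNSName/iPAddress SAN entries (text form);
    cn is the subject Common Name, used only when no dNSName SAN exists."""
    try:
        wanted_ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # URL names an IP: an iPAddress SAN must match exactly; CN is never used.
        return any(ipaddress.ip_address(ip) == wanted_ip for ip in san_ips)
    if san_dns:
        # Any dNSName SAN present: it MUST be used and the CN is ignored.
        return any(_dns_match(name, host) for name in san_dns)
    return cn is not None and _dns_match(cn, host)
```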

Comment 1 Neil Dunbar 2003-10-03 13:33:50 UTC
Created attachment 94912 [details]
unified diff patch against RPM curl-7.9.5-2.rpm (should be Patch1 in spec)

Fixes problem. Code was lifted and translated from the OpenLDAP client
libraries.
A similar patch has also been submitted to the curl maintenance site on
SourceForge, with a patch against 7.10.6

This code should also patch properly against all the 7.9.x series (i.e., in Red
Hat 9), but I haven't tested it.

Comment 2 Eido Inoue 2003-10-07 21:40:00 UTC
I've remerged the patch against 7.10.6. Aside from line # diffs and whitespace,
strequals() needed a curl_ prefix for the newer src. I traced through the code
once and briefly tested and had another SSL/OpenLDAP dev look at the code, but
this needs a look from another party as the code is security related.

Comment 3 Neil Dunbar 2003-10-08 08:35:31 UTC
One further note - one of the curl maintainers (Daniel Stenberg) asked if the
inet_aton and inet_pton functions could be replaced in the patch - since not all
platforms have them (given that they're of BSD 4.3 origin).

I don't think that this is an issue for Linux, which certainly does have them -
but any further patching to curl might want to see if the functionality could be
replicated.

Comment 4 Eido Inoue 2003-10-08 16:25:17 UTC
Created attachment 95022 [details]
Patch redone for 7.10.6

strequals() is now curl_strequals(). Tabs removed from original. Original patch
author notes that the patch may need some modification to compile on non-Linux
(i.e. BSD) systems.
