Bug 106168 - curl https fails to match subjectAltName server certificates
Summary: curl https fails to match subjectAltName server certificates
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: curl (Show other bugs)
(Show other bugs)
Version: 7.3
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Ivana Varekova
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-10-03 13:30 UTC by Neil Dunbar
Modified: 2007-04-18 16:58 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-01-09 10:28:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
unified diff patch against RPM curl-7.9.5-2.rpm (should be Patch1 in spec) (5.29 KB, patch)
2003-10-03 13:33 UTC, Neil Dunbar
no flags Details | Diff
Patch redone for 7.10.6 (6.28 KB, patch)
2003-10-08 16:25 UTC, Eido Inoue
no flags Details | Diff

Description Neil Dunbar 2003-10-03 13:30:25 UTC
Description of problem:

curl does not match HTTP over TLS server identity checks (as in RFC 2818)

Version-Release number of selected component (if applicable):

7.9.5 through to 7.10.6 (Rawhide)

How reproducible:
Always

Steps to Reproduce:
1. Connect to a server which does NOT have it's FQDN in the CN component
   of the subject name of the SSL certificate; but whose FQDN IS in a DNS
   subjectAltName component. Ensure that you are using --cacert or --capath
   to force SSL certificate verification.
2. curl will exit, claiming that the server name does not match that in the
   certificate.
    
Actual results:

Failed connection and error report.

Expected results:

Successful connection and HTML download.

Additional info:

Patch to correct this behaviour (against 7.9.5-2) is attached

Comment 1 Neil Dunbar 2003-10-03 13:33:50 UTC
Created attachment 94912 [details]
unified diff patch against RPM curl-7.9.5-2.rpm (should be Patch1 in spec)

Fixes problem. Code was lifted and translated from the OpenLDAP client
libraries.
A similar patch has also been submitted to the curl maintenance site on
SourceForge, with a patch against 7.10.6

This code should also patch properly against all the 7.9.x series (ie, in Red
Hat 9), but I haven't tested it.

Comment 2 Eido Inoue 2003-10-07 21:40:00 UTC
I've remerged the patch against 7.10.6. Aside from line # diffs and whitespace,
strequals() needed a curl_ prefix for the newer src. I traced through the code
once and briefly tested and had another SSL/OpenLDAP dev look at the code, but
this needs a look from another party as the code is security related.

Comment 3 Neil Dunbar 2003-10-08 08:35:31 UTC
One further note - one of the curl maintainers (Daniel Sternberg) asked if the
inet_aton and inet_pton functions could be replaced in the patch - since not all
platforms have them (given that they're of BSD 4.3 origin).

I don't think that this is an issue for Linux, which certainly does have them -
but any further patching to curl might want to see if the functionality could be
replicated.

Comment 4 Eido Inoue 2003-10-08 16:25:17 UTC
Created attachment 95022 [details]
Patch redone for 7.10.6

strequals() is now curl_strequals(). tabs removed from original. Original patch
author notes that the patch may need some modification to compile on non Linux
(ie BSD) systems.


Note You need to log in before you can comment on or make changes to this bug.