Bug 106168 - curl https fails to match subjectAltName server certificates
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: curl
Version: 7.3
Platform: All Linux
Priority: medium, Severity: medium
Assigned To: Ivana Varekova
QA Contact: David Lawrence
Reported: 2003-10-03 09:30 EDT by Neil Dunbar
Modified: 2007-04-18 12:58 EDT (History)
Last Closed: 2006-01-09 05:28:29 EST


Attachments
unified diff patch against RPM curl-7.9.5-2.rpm (should be Patch1 in spec) (5.29 KB, patch), 2003-10-03 09:33 EDT, Neil Dunbar
Patch redone for 7.10.6 (6.28 KB, patch), 2003-10-08 12:25 EDT, Eido Inoue

Description Neil Dunbar 2003-10-03 09:30:25 EDT
Description of problem:

curl does not match HTTP over TLS server identity checks (as in RFC 2818)

Version-Release number of selected component (if applicable):

7.9.5 through to 7.10.6 (Rawhide)

How reproducible:
Always

Steps to Reproduce:
1. Connect to a server which does NOT have its FQDN in the CN component
   of the subject name of the SSL certificate; but whose FQDN IS in a DNS
   subjectAltName component. Ensure that you are using --cacert or --capath
   to force SSL certificate verification.
2. curl will exit, claiming that the server name does not match that in the
   certificate.
Actual results:

Failed connection and error report.

Expected results:

Successful connection and HTML download.

Additional info:

Patch to correct this behaviour (against 7.9.5-2) is attached
Comment 1 Neil Dunbar 2003-10-03 09:33:50 EDT
Created attachment 94912 [details]
unified diff patch against RPM curl-7.9.5-2.rpm (should be Patch1 in spec)

Fixes problem. Code was lifted and translated from the OpenLDAP client
libraries.
A similar patch has also been submitted to the curl maintenance site on
SourceForge, with a patch against 7.10.6

This code should also patch properly against all the 7.9.x series (i.e., in Red
Hat 9), but I haven't tested it.
Comment 2 Eido Inoue 2003-10-07 17:40:00 EDT
I've remerged the patch against 7.10.6. Aside from line # diffs and whitespace,
strequals() needed a curl_ prefix for the newer src. I traced through the code
once and briefly tested and had another SSL/OpenLDAP dev look at the code, but
this needs a look from another party as the code is security related.
Comment 3 Neil Dunbar 2003-10-08 04:35:31 EDT
One further note - one of the curl maintainers (Daniel Stenberg) asked if the
inet_aton and inet_pton functions could be replaced in the patch - since not all
platforms have them (given that they're of BSD 4.3 origin).

I don't think that this is an issue for Linux, which certainly does have them -
but any further patching to curl might want to see if the functionality could be
replicated.
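The identity rule RFC 2818 section 3.1 requires, covering both the dNSName case the description reports (FQDN only in subjectAltName, not in the CN) and the iPAddress case behind comment 3's inet_aton/inet_pton remark, modelled here in Python as an added example that is not curl's code or the attached patch. Certificate fields are passed in as already-parsed, constructed values; no X.509 parsing is done.

```python
import ipaddress


def _label_matches(pattern: str, label: str) -> bool:
    """One domain component; '*' matches any component or fragment (RFC 2818 3.1)."""
    if "*" not in pattern:
        return pattern == label
    # RFC 2818 allows the wildcard as a fragment ("f*.com" matches "foo.com");
    # one '*' per label is modelled here.
    prefix, _, suffix = pattern.partition("*")
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName (or CN) match against the name the client used."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    return (len(p_labels) == len(h_labels)
            and all(_label_matches(p, h) for p, h in zip(p_labels, h_labels)))


def match_server_identity(hostname, san_dns=(), san_ip=(), cn=None) -> bool:
    """RFC 2818 section 3.1 identity check on already-parsed certificate fields.

    hostname: the host part of the URI the client connected to.
    san_dns:  dNSName entries of subjectAltName (constructed input here).
    san_ip:   iPAddress entries of subjectAltName, as address strings.
    cn:       subject Common Name, used only when no dNSName SAN exists.
    """
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None

    if host_ip is not None:
        # URI names an IP literal: an iPAddress SAN must be present and must
        # match exactly; compare as addresses so "::1" equals "0:0:0:0:0:0:0:1".
        return any(ipaddress.ip_address(ip) == host_ip for ip in san_ip)

    if san_dns:
        # A dNSName SAN is present, so it MUST be used and the CN is ignored.
        # The reported bug is curl checking only the CN in exactly this case.
        return any(dns_name_matches(d, hostname) for d in san_dns)

    # Legacy certificate without dNSName SAN: fall back to the Common Name.
    return cn is not None and dns_name_matches(cn, hostname)
```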
Comment 4 Eido Inoue 2003-10-08 12:25:17 EDT
Created attachment 95022 [details]
Patch redone for 7.10.6

strequals() is now curl_strequals(). tabs removed from original. Original patch
author notes that the patch may need some modification to compile on non-Linux
(i.e. BSD) systems.
