A method to bypass SSL certificate name vs. host name verification via NUL ('\0') character embedded in X509 certificate's CommonName or subjectAltName was presented at Black Hat USA 2009: http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike This flaw also affects curl built with OpenSSL crypto library (problem can also affect curl using unpatched versions of NSS or GnuTLS libraries, though updating those libraries to patched versions is sufficient to protect curl versions linked against those libraries). Upstream advisory: http://curl.haxx.se/docs/adv_20090812.txt Upstream patch: http://cool.haxx.se/cvs.cgi/curl/lib/ssluse.c.diff?r1=1.230&r2=1.235 (minus sni changes from r1.232) Backported patches for various curl versions: http://curl.haxx.se/CVE-2009-2417/ Upstream bug report: http://curl.haxx.se/bug/view.cgi?id=2829955 curl as shipped with Red Hat Enterprise Linux 3, 4 and 5 uses OpenSSL and is affected by this problem (version in EL3 does not seem to support subjectAltName). curl versions in Fedora are using NSS and are not affected by this problem.
Fully public now via: http://curl.haxx.se/docs/adv_20090812.html
This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:1209 https://rhn.redhat.com/errata/RHSA-2009-1209.html