Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mbedTLS backend should use CURLOPT_SSL_VERIFYHOST to control CN checking #3376

Closed
rosenqui opened this issue Dec 15, 2018 · 5 comments
Closed
Labels

Comments

@rosenqui
Copy link

operating system

All platforms for mbedTLS

curl/libcurl version

All versions

The certificate validation code for the mbedTLS backend should look at the CURLOPT_SSL_VERIFYHOST option via SSL_CONN_CONFIG(verifyhost) to control if CN checking is done as part of server certification validation.

As it stands now, it's impossible to validate the certificate but omit the hostname checks when using the mbedTLS backend. This is possible with other backends like OpenSSL.

https://github.com/curl/curl/blob/master/lib/vtls/mbedtls.c#L586

@bagder bagder added the TLS label Dec 17, 2018
bagder added a commit that referenced this issue Dec 17, 2018
Previously, VERIFYPEER would enable/disable all checks.

Fixes #3376
@bagder
Copy link
Member

bagder commented Dec 17, 2018

@rosenqui can you check if my fix works for you?

@rosenqui
Copy link
Author

I should have time to try it out later today.

Thanks for the quick fix!

@rosenqui
Copy link
Author

Fix looks good - I commented in #3382

@bagder bagder closed this as completed in f097669 Dec 17, 2018
@bagder bagder reopened this Dec 18, 2018
@rosenqui
Copy link
Author

This looks to be the simplest solution - same code as before with a check of verifyhost first.

  ret = mbedtls_ssl_get_verify_result(&BACKEND->ssl);

  if(!SSL_CONN_CONFIG(verifyhost))
    ret &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH;   /* Ignore hostname errors if verifyhost is disabled */
  if(ret && SSL_CONN_CONFIG(verifypeer)) {
    if(ret & MBEDTLS_X509_BADCERT_EXPIRED)
      failf(data, "Cert verify failed: BADCERT_EXPIRED");

    if(ret & MBEDTLS_X509_BADCERT_REVOKED) {
      failf(data, "Cert verify failed: BADCERT_REVOKED");
      return CURLE_SSL_CACERT;
    }

    if (ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
      failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");

    if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
      failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");

    return CURLE_PEER_FAILED_VERIFICATION;
  }

  peercert = mbedtls_ssl_get_peer_cert(&BACKEND->ssl);

Turn off the MBEDTLS_X509_BADCERT_CN_MISMATCH error bit if verifyhost is disabled, but otherwise do the same as before. We don't want to fail if verifyhost is on and verifypeer is off since the latter is the master kill switch for validation.

bagder added a commit that referenced this issue Dec 19, 2018
@bagder
Copy link
Member

bagder commented Dec 19, 2018

Thanks, like #3390 ?

bagder added a commit that referenced this issue Dec 19, 2018
@bagder bagder closed this as completed in 0b9fadf Dec 20, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Mar 20, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Development

No branches or pull requests

2 participants