curl+quiche with HTTP/3 silently ignores certificate problems #8173
Comments
@tatsuhiro-t can you point out which ngtcp2 functions I should look closer on to fix this? @ghedo can you point out which quiche functions I should look closer on to fix this?
Usual OpenSSL SSL_CTX or SSL setup is required here for the ngtcp2 build. (Lines 3181 to 3182 in 2c1dbc1)
Thanks @tatsuhiro-t, that seems to fix the verification of the signatures for the OpenSSL branch. But I then also need to verify the CN and subjectAltName fields like we do with line 3863 in 2c1dbc1.
I figure that needs to be done after the handshake is completed so that we can get the peer cert using the API.
Half the check (missing the name check) is done for ngtcp2+quictls in #8178
Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`. The name check now uses a function from lib/vtls/openssl.c which will need attention for when TLS is not done by OpenSSL or is disabled while QUIC is enabled. Possibly the servercert() function in openssl.c should be adjusted to be able to use for both regular TLS and QUIC. Ref: #8173 Closes #8178
This problem is now fixed in master (8fbd6fe) for the ngtcp2 backend.
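The half of the check that #8178 still left out is the name check: after the handshake, the host the user asked for has to be matched against the peer certificate's subjectAltName entries and CN. As an added illustration (not curl's code, and not the servercert() function referred to above), here is a minimal matcher in C that applies the rule curl's OpenSSL backend follows, assuming the DNS SANs and CN have already been pulled out of the peer certificate as plain strings:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of n bytes (DNS names are case-insensitive). */
static int ieq(const char *a, const char *b, size_t n) {
  for (size_t i = 0; i < n; i++)
    if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
  return 1;
}

/* Match one certificate name (a DNS SAN or the CN) against the requested host.
 * A single '*' is accepted only as the whole leftmost label, it matches exactly
 * one label, and the pattern must keep at least two further labels, so
 * "*.example.com" matches "www.example.com" but "*.com" matches nothing. */
int cert_name_matches(const char *pattern, const char *host) {
  size_t plen = strlen(pattern), hlen = strlen(host);
  if (plen == 0 || hlen == 0) return 0;
  if (strncmp(pattern, "*.", 2) != 0)   /* no leading wildcard: exact match only */
    return !strchr(pattern, '*') && plen == hlen && ieq(pattern, host, plen);
  const char *psuffix = pattern + 1;    /* ".example.com" */
  if (strchr(psuffix + 1, '*') || !strchr(psuffix + 1, '.')) return 0;
  const char *hdot = strchr(host, '.');
  if (!hdot || hdot == host) return 0;  /* the wildcard needs a non-empty label */
  size_t slen = strlen(psuffix);
  return strlen(hdot) == slen && ieq(hdot, psuffix, slen);
}

/* Decide whether the peer certificate was issued for `host`.  This is the
 * precedence curl applies: when the certificate carries DNS SANs, only they
 * are consulted and the CN is ignored; the CN is used only when no DNS SAN is
 * present.  Returns 1 when the name check passes, 0 when it must fail. */
int verify_peer_name(const char *host, const char *const *dns_sans,
                     size_t nsans, const char *cn) {
  if (nsans > 0) {
    for (size_t i = 0; i < nsans; i++)
      if (cert_name_matches(dns_sans[i], host)) return 1;
    return 0;
  }
  return cn != NULL && cert_name_matches(cn, host);
}
```

With a server certificate that names only the wrong host, verify_peer_name() returns 0, which is the point at which the HTTP/3 request in this report should have failed without `-k`.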
I did this
./curl --http3 https://localhost:9443/8GB -o /dev/null
I expected the following
It should have failed and required `-k` or a suitable `--cacert` line.
curl/libcurl version
curl from current git. It works similarly using either/both HTTP/3 backends.
operating system
Tested on Linux but the code is platform independent.