[ curl-Bugs-445244 ] Added CN verifi from peer certificate

From: <noreply@sourceforge.net>
Date: Fri, 27 Jul 2001 10:15:42 -0700

Bugs item #445244, was opened at 2001-07-27 10:15
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=100976&aid=445244&group_id=976

Category: https
Group: new feature request
Status: Open
Resolution: None
Priority: 5
Submitted By: Patrick Bihan-Faou (pbf)
Assigned to: Daniel Stenberg (bagder)
Summary: Added CN verifi from peer certificate

Initial Comment:
This is also covering the issue identified in bug #445234.

root@nitro# curl -V
curl 7.8 (i386--freebsd4.3) libcurl 7.8 (OpenSSL 0.9.6)

I have implemented a couple of memory leak fixes for SSL (the peer certificate is not always freed when the connection fails), and I added some code to verify the peer host name as advertised in the certificate "common name" field. What is missing at this time is a command line option to control the peer CN checks (i.e. currently if the --cacert option is used, strict verification of the host name is done, otherwise only a warning is displayed).

Here is some output after the patch has been applied:

Test 1: host name doesn't match, strict verification

root@nitro# curl -v -3 --cacert good_ca.crt https://192.168.0.1/xx >xx
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: /C=CA/ST=Quebec/L=Montreal/O=netZuno Technologies/OU=Test SSL Server/CN=test.domain.com/Email=support@netzuno.com
curl: (51) SSL: certificate subject name 'test.domain.com' does not match target host name '192.168.0.1'

Test 2: loose checking of the hostname (only a warning is displayed)

root@nitro# curl -v -3 https://192.168.0.1/xx >xx
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: /C=CA/ST=Quebec/L=Montreal/O=netZuno Technologies/OU=Test SSL Server/CN=test.domain.com/Email=support@netzuno.com
* common name: test.domain.com (does not match '192.168.0.1')
* issuer: /C=CA/ST=Quebec/L=Montreal/O=netZuno Technologies/OU=Test SSL CA/CN=Test SSL CA/Email=support@netzuno.com
* Connected to 192.168.0.1 (192.168.0.1)
> GET /xx HTTP/1.1
User-Agent: curl/7.8 (i386--freebsd4.3) libcurl 7.8 (OpenSSL 0.9.6)
Host: 192.168.0.1
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

  % Total    % Received % Xferd  Average Speed          Time             Curr.
                                 Dload  Upload Total    Current  Left    Speed
100 74432  100 74432    0     0  55100      0  0:00:01  0:00:01  0:00:00 35893
* Closing live connection (#0)

Test 3: incorrect CA certificate

root@nitro# curl -v -3 --cacert bad_ca.crt https://test.domain.com/xx > yy
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: /C=CA/ST=Quebec/L=Montreal/O=netZuno Technologies/OU=Test SSL Server/CN=test.domain.com/Email=support@netzuno.com
* common name: test.domain.com (matched)
* issuer: /C=CA/ST=Quebec/L=Montreal/O=netZuno Technologies/OU=Test SSL CA/CN=Test SSL CA/Email=support@netzuno.com
* Closing live connection (#0)
curl: (51) SSL certificate verify result: 19

Test 4: good CA cert, same hostname

root@nitro# curl -v -3 --cacert good_ca.crt https://test.domain.com/xx >xx
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: /C=CA/ST=Quebec/L=Montreal/O=netZuno Technologies/OU=Test SSL Server/CN=test.domain.com/Email=support@netzuno.com
* common name: test.domain.com (matched)
* issuer: /C=CA/ST=Quebec/L=Montreal/O=netZuno Technologies/OU=Test SSL CA/CN=Test SSL CA/Email=support@netzuno.com
* Connected to test.domain.com (192.168.0.1)
> GET /xx HTTP/1.1
User-Agent: curl/7.8 (i386--freebsd4.3) libcurl 7.8 (OpenSSL 0.9.6)
Host: test.domain.com
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

  % Total    % Received % Xferd  Average Speed          Time             Curr.
                                 Dload  Upload Total    Current  Left    Speed
100 74432  100 74432    0     0  127k       0  0:00:00  0:00:00  0:00:00 71787
* Closing live connection (#0)

----------------------------------------------------------------------

Received on 2001-07-27
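The check the report describes, as an added C example that is neither curl's code nor the submitter's patch: pull the CN out of the OpenSSL one-line subject string that appears in the output above, compare it case-insensitively with the target host name, and then apply the policy the report states (a mismatch is fatal when a CA bundle was given, otherwise only a warning). The subject string is copied from the report; the function names and the `cn_result` enum are my own. Two things the four tests illustrate are worth keeping in mind: the CN is a DNS name, so a numeric target such as 192.168.0.1 can never match it (later hostname verification compares IP-literal targets against iPAddress subjectAltName entries and prefers dNSName entries over the CN), and a matched CN says nothing about trust in the chain, which is why Test 3 reports "(matched)" and still fails with verify result 19 (OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN).

```c
/* Added example (not curl's own code): CN-versus-host-name check for an
 * OpenSSL-style one-line subject such as
 *   /C=CA/ST=Quebec/L=Montreal/O=netZuno Technologies/OU=Test SSL Server/CN=test.domain.com/Email=support@netzuno.com
 * followed by the strict-or-warn policy from the bug report. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Subject copied from the report's output, used by main() below. */
static const char REPORT_SUBJECT[] =
    "/C=CA/ST=Quebec/L=Montreal/O=netZuno Technologies/OU=Test SSL Server"
    "/CN=test.domain.com/Email=support@netzuno.com";

/* Outcome of the name check (enum name is my own, not curl's). */
enum cn_result { CN_MATCHED = 0, CN_MISMATCH = 1, CN_ABSENT = 2 };

/* Copy the value of the "/CN=" field into out (NUL-terminated). The value
 * runs up to the next '/' or to the end of the string. Returns 0 on success,
 * -1 if there is no CN, it is empty, or it does not fit in out. */
static int subject_get_cn(const char *subject, char *out, size_t outlen)
{
    const char *p = strstr(subject, "/CN=");
    const char *end;
    size_t len;

    if (!p)
        return -1;
    p += 4;                          /* skip "/CN=" */
    end = strchr(p, '/');
    len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* DNS names are case-insensitive, so compare byte by byte after folding.
 * A prefix is not a match: "test.domain.com" != "test.domain.com.example". */
static int hostname_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Does the certificate's common name match the host the user asked for? */
enum cn_result verify_peer_cn(const char *subject, const char *target)
{
    char cn[256];
    if (subject_get_cn(subject, cn, sizeof cn) != 0)
        return CN_ABSENT;
    return hostname_equal(cn, target) ? CN_MATCHED : CN_MISMATCH;
}

/* Policy from the report: with --cacert (strict != 0) a mismatch aborts the
 * transfer with curl's error 51, without it only a warning is printed.
 * Returns 0 to continue, 51 to abort. */
int apply_cn_policy(const char *subject, const char *target, int strict)
{
    char cn[256];
    enum cn_result r = verify_peer_cn(subject, target);

    if (r == CN_ABSENT || subject_get_cn(subject, cn, sizeof cn) != 0)
        strcpy(cn, "(no common name)");

    if (r == CN_MATCHED) {
        fprintf(stderr, "* common name: %s (matched)\n", cn);
        return 0;
    }
    if (strict) {
        fprintf(stderr, "SSL: certificate subject name '%s' does not match "
                        "target host name '%s'\n", cn, target);
        return 51;
    }
    fprintf(stderr, "* common name: %s (does not match '%s')\n", cn, target);
    return 0;
}

/* Replay the report's four scenarios against the copied subject. */
int main(void)
{
    int rc;
    rc = apply_cn_policy(REPORT_SUBJECT, "192.168.0.1", 1);     /* Test 1: 51 */
    printf("test 1 -> %d\n", rc);
    rc = apply_cn_policy(REPORT_SUBJECT, "192.168.0.1", 0);     /* Test 2: 0  */
    printf("test 2 -> %d\n", rc);
    rc = apply_cn_policy(REPORT_SUBJECT, "test.domain.com", 1); /* Tests 3/4: 0 */
    printf("tests 3 and 4 -> %d (chain trust is checked separately)\n", rc);
    return 0;
}
```

Only the name check is modelled here; the CA-bundle verification that makes Test 3 fail is a separate step, and the two results must both be consulted before the connection is trusted.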