curl-users
[ curl-Bugs-817147 ] curl does not check SSL subjectAltNames when matching certs
Date: Fri, 03 Oct 2003 06:23:10 -0700
Bugs item #817147, was opened at 2003-10-03 14:23
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=817147&group_id=976
Category: https
Group: new feature request
Status: Open
Resolution: None
Priority: 5
Submitted By: Neil Dunbar (ndunbar)
Assigned to: Daniel Stenberg (bagder)
Summary: curl does not check SSL subjectAltNames when matching certs
Initial Comment:
This has been raised before, but curl (all versions up
to 7.10.7) won't allow verified SSL connections to
hosts whose names are not in the CN component of their
subject name.

RFC 2818 states that the DNS subjectAltNames should
also be checked for containing the host name.

Since some services are replicated over multiple
machines (but addressed by a single alias), this causes
unwarranted failure modes in curl.

The attached patch steals the OpenLDAP subjectAltName
recognition code, and patches it into curl 7.10.6. Hope
it proves useful. I haven't tested it extensively, but
it seems to match our DNS subjectAltNames, and properly
craps out when you hit it with a certificate which has
no matching component.

Neil Dunbar
----------------------------------------------------------------------
Received on 2003-10-03
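
The matching order RFC 2818 describes, as an added example (not the attached patch, the OpenLDAP code, or curl's own code): dNSName subjectAltNames are checked first, and the CN is used only when the certificate has no dNSName entry. It assumes the names were already extracted from the certificate as NUL-terminated strings with no embedded NUL bytes; cert_matches_host and its helpers are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* ASCII case-insensitive equality; DNS names compare without regard to case. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Match one certificate name against the host. "*" is honoured only as the
   whole leftmost label ("*.a.com"), stricter than RFC 2818's "f*.com" form. */
static int pattern_matches(const char *pattern, const char *host)
{
    const char *rest;
    if (strncmp(pattern, "*.", 2) != 0)
        return name_eq(pattern, host);
    rest = strchr(host, '.');          /* "*" covers exactly one host label */
    /* Reject an empty first label and, as a choice made here, "*.com". */
    if (!rest || rest == host || !strchr(pattern + 2, '.'))
        return 0;
    return name_eq(pattern + 1, rest); /* ".a.com" against ".a.com" */
}

/* dns_sans: the certificate's dNSName subjectAltName entries; cn: subject CN
   or NULL. The CN is consulted only when there is no dNSName entry at all. */
int cert_matches_host(const char *host, const char *const *dns_sans,
                      size_t n_sans, const char *cn)
{
    size_t i;
    if (n_sans > 0) {
        for (i = 0; i < n_sans; i++)
            if (pattern_matches(dns_sans[i], host))
                return 1;
        return 0;                      /* SANs present: no fallback to CN */
    }
    return cn != NULL && pattern_matches(cn, host);
}

/* Constructed sample: the alias appears only in the SAN list. */
int main(void)
{
    static const char *const sans[] = { "node1.example.com", "www.example.com" };
    return cert_matches_host("www.example.com", sans, 2, "node1.example.com") ? 0 : 1;
}
```

A CN-only comparison rejects the sample above, which is the failure the report describes for services reached through a single alias.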