[ curl-Bugs-817147 ] curl does not check SSL subjectAltNames when matching certs

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Fri, 03 Oct 2003 06:23:10 -0700

Bugs item #817147, was opened at 2003-10-03 14:23
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=817147&group_id=976

Category: https
Group: new feature request
Status: Open
Resolution: None
Priority: 5
Submitted By: Neil Dunbar (ndunbar)
Assigned to: Daniel Stenberg (bagder)
Summary: curl does not check SSL subjectAltNames when matching certs

Initial Comment:
This has been raised before, but curl (all versions up to 7.10.7) won't allow verified SSL connections to hosts whose names are not in the CN component of their subject name. RFC 2818 states that the DNS subjectAltNames should also be checked for containing the host name.

Since some services are replicated over multiple machines (but addressed by a single alias), this causes unwarranted failure modes in curl.

The attached patch steals the OpenLDAP subjectAltName recognition code, and patches it into curl 7.10.6. Hope it proves useful. I haven't tested it extensively, but it seems to match our DNS subjectAltNames, and properly craps out when you hit it with a certificate which has no matching component.

Neil Dunbar
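The RFC 2818 section 3.1 identity rule the report asks curl to apply, as an added illustration that is neither the submitter's patch nor curl's own code: dNSName subjectAltNames are used when present (the CN is then ignored), the CN is the fallback otherwise, and the RFC's wildcard matches a single name component only. The certificate dicts are constructed sample inputs standing in for parsed X.509 fields.

```python
import re

# Constructed sample certificates (parsed fields only, not real certs).
# REPLICA_CERT models the report's case: one machine's name in the CN,
# the shared service alias carried in the dNSName subjectAltNames.
REPLICA_CERT = {"subject_cn": "web01.example.com",
                "san_dns": ["service.example.com", "*.mirror.example.com"]}
CN_ONLY_CERT = {"subject_cn": "web01.example.com", "san_dns": []}


def label_matches(pattern: str, label: str) -> bool:
    """RFC 2818 s3.1 wildcard rule: '*' matches any single component or
    component fragment, so 'f*' matches 'foo' but never spans a dot."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, label) is not None


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against the host, label by label,
    case-insensitively. '*.a.com' matches foo.a.com, not bar.foo.a.com."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False
    return all(label_matches(p, h) for p, h in zip(pat, host))


def check_cert_identity(cert: dict, hostname: str) -> bool:
    """RFC 2818 s3.1 identity check: if dNSName subjectAltNames are present
    they MUST be used (the CN is ignored); otherwise fall back to the CN.
    A CN-only check, as in curl before this report, would reject
    REPLICA_CERT for the alias 'service.example.com'."""
    san_dns = cert.get("san_dns") or []
    if san_dns:
        return any(name_matches(n, hostname) for n in san_dns)
    cn = cert.get("subject_cn")
    return cn is not None and name_matches(cn, hostname)


if __name__ == "__main__":
    for host in ("service.example.com", "a.mirror.example.com",
                 "web01.example.com"):
        print(host, check_cert_identity(REPLICA_CERT, host))
```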

----------------------------------------------------------------------

Received on 2003-10-03