curl-users
ssluse.c
Date: Mon, 17 May 2004 19:24:04 +0200
In order to circumvent a bug in ancient versions of openssl, e.g. 0.9.6b,
here is a slightly modified version of the patch to ssluse.c that I had
sent this morning.
*** curl-7.12.0-20040517mod/lib/ssluse.c	Mon May 17 19:11:13 2004
--- curl-7.12.0-20040517/lib/ssluse.c	Thu May 13 17:19:02 2004
***************
*** 872,905 ****
   
    if(matched)
      /* an alternative name matched the server hostname */
!     infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
    else {
!     /* we have to look to the last occurence of a commonName in the
!        distinguished one to get the most significant one. */
!     int j,i=-1 ;
! 
! /* The following is done because of a bug in 0.9.6b */
!   
!     unsigned char * nulstr = "";
!     unsigned char * peer_CN = nulstr;
! 
!     X509_NAME *name = X509_get_subject_name(server_cert) ;   
!     if (name) 
!       while ((j=X509_NAME_get_index_by_NID(name,NID_commonName,i))>=0) 
!         i=j; 
! 
!     /* we have the name entry and we will now convert this to a string
!        that we can use for comparison. Doing this we support BMPstring,
!        UTF8 etc. */
! 
!     if (i>=0) {
!       j = ASN1_STRING_to_UTF8(&peer_CN,X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name,i))) ;
!     }
!    
!     if (peer_CN == nulstr)
!        peer_CN = NULL;
! 
!     if (!peer_CN) {
        if(data->set.ssl.verifyhost > 1) {
          failf(data,
                "SSL: unable to obtain common name from peer certificate");
--- 872,884 ----
   
    if(matched)
      /* an alternative name matched the server hostname */
!     infof(data, "\t subjectAltName: %s matched\n", conn->host.name);
    else {
!     bool obtain=FALSE;
!     if(X509_NAME_get_text_by_NID(X509_get_subject_name(server_cert),
!                                  NID_commonName,
!                                  peer_CN,
!                                  sizeof(peer_CN)) < 0) {
        if(data->set.ssl.verifyhost > 1) {
          failf(data,
                "SSL: unable to obtain common name from peer certificate");
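Review bot: On the `***` (modified) side the length that ASN1_STRING_to_UTF8 returns into `j` is never examined, so a commonName carrying an embedded NUL byte reaches cert_hostcheck as a shorter C string than the certificate actually holds and can match a host the certificate was not issued for; right after that call add `if (j >= 0 && (size_t)j != strlen((char *)peer_CN)) { OPENSSL_free(peer_CN); peer_CN = NULL; }` so such a name falls into the existing "unable to obtain common name" handling. Note the two files are listed in reverse order, so the `!` lines under `***` are the new code and the `---` side is the original. A failed conversion appears to leave peer_CN pointing at nulstr, which the `peer_CN == nulstr` test then maps to NULL; a comment such as `/* a failed ASN1_STRING_to_UTF8 leaves peer_CN == nulstr, which means "no CN" */` would make the sentinel's purpose clear. `unsigned char * nulstr = "";` assigns a `char *` literal to an `unsigned char *` and will draw a pointer-sign warning on most compilers. The enclosing function starts before this hunk and the `if (!peer_CN)` block continues into the next one.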
***************
*** 910,931 ****
             output a note about the situation */
          infof(data, "\t common name: WARNING couldn't obtain\n");
        }
!     } else if(!cert_hostcheck(peer_CN, conn->host.name)) {
!       if(data->set.ssl.verifyhost > 1) {
!         failf(data, "SSL: certificate subject name '%s' does not match "
!               "target host name '%s'", peer_CN, conn->host.dispname);
!         OPENSSL_free(peer_CN);
!         return CURLE_SSL_PEER_CERTIFICATE ;
        }
        else
!         infof(data, "\t common name: %s (does not match '%s')\n",
!               peer_CN, conn->host.dispname);
!     }
!     else {
!       infof(data, "\t common name: %s (matched)\n", peer_CN);
!       OPENSSL_free(peer_CN);
      }
!   } 
    return CURLE_OK;
  }
  #endif
--- 889,914 ----
             output a note about the situation */
          infof(data, "\t common name: WARNING couldn't obtain\n");
        }
!     }
!     else
!       obtain = TRUE;
!          
!     if(obtain) {
!       if(!cert_hostcheck(peer_CN, conn->host.name)) {
!         if(data->set.ssl.verifyhost > 1) {
!           failf(data, "SSL: certificate subject name '%s' does not match "
!                 "target host name '%s'", peer_CN, conn->host.name);
!           return CURLE_SSL_PEER_CERTIFICATE;
!         }
!         else
!           infof(data, "\t common name: %s (does not match '%s')\n",
!                 peer_CN, conn->host.name);
        }
        else
!         infof(data, "\t common name: %s (matched)\n", peer_CN);
      }
!   }
! 
    return CURLE_OK;
  }
  #endif
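Review bot: On the `***` side the non-fatal mismatch branch, `infof(data, "\t common name: %s (does not match '%s')\n", peer_CN, conn->host.dispname);`, never releases peer_CN, while both the fatal branch and the matched branch call OPENSSL_free(peer_CN), so every connection that proceeds despite a CN mismatch leaks the buffer allocated by ASN1_STRING_to_UTF8. Add `OPENSSL_free(peer_CN);` after that infof call, or free once after the if/else chain and keep only the free that precedes the `return CURLE_SSL_PEER_CERTIFICATE ;` line. The mix of a braced `if` with an unbraced `else` in this chain is also the shape that makes a missed free easy to overlook; bracing both arms would help. The enclosing function begins before this hunk.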