curl-users
Re: curl, google and ssl
Date: Wed, 7 Sep 2011 10:43:12 -0700
On Wed, Sep 07, 2011 at 04:27:44PM +0200, Christoph Ostarek wrote:
> I've a question about https://google.de and curl+ssl.
> # curl https://google.de
> loads without any problems or certificate warnings, but
> # openssl s_client -connect google.de:443
> has the following CommonName in its subject:
> "www.google.com".
> Why doesn't curl show up any warning about this?
> ("www.google.com" is not "google.de")
Probably because curl uses the new SNI feature of TLS to specify the correct
host name (google.de), so the Google server will return a different
certificate for this virtually-hosted server:
$ curl -v https://google.de
* About to connect() to google.de port 443 (#0)
* Trying 74.125.232.52... connected
* Connected to google.de (74.125.232.52) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.google.de
* start date: 2011-08-12 04:02:16 GMT
* expire date: 2012-08-12 04:12:16 GMT
* subjectAltName: google.de matched
* issuer: C=US; O=Google Inc; CN=Google Internet Authority
* SSL certificate verify ok.
Note that the certificate has a different CN in this case.
>>> Dan
Received on 2011-09-07
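
Added example (not part of the original message or of curl's code): a minimal Python host name check in the style of RFC 2818, run against the two certificates discussed in the thread. The certificate dictionaries are constructed from the CN and subjectAltName values shown above, in the layout of Python's ssl.SSLSocket.getpeercert(); the absence of a SAN on the first certificate and the exact SAN list on the second are assumptions.

```python
# Added example: why "www.google.com" fails for google.de while the
# SNI-selected certificate passes. Names are checked as in RFC 2818:
# subjectAltName dNSName entries if any exist, otherwise the subject CN.

def _label_match(pattern, host):
    """Match one DNS name; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard covers exactly one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse patterns like "*.de"
    return p == h

def names_for_check(cert):
    """Return (source, names) that a client compares the host name against."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return "subjectAltName", sans
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return "commonName", cns

def verify_host(cert, host):
    """Return (ok, source, matched_name) for the requested host name."""
    source, names = names_for_check(cert)
    for name in names:
        if _label_match(name, host):
            return (True, source, name)
    return (False, source, None)

# Constructed: certificate served when the client sends no SNI
# (CN taken from the question; no SAN is assumed).
NO_SNI_CERT = {"subject": ((("commonName", "www.google.com"),),)}

# Constructed: certificate served when SNI names google.de (CN and the
# "google.de" SAN come from the curl output; the wildcard SAN is assumed).
SNI_CERT = {
    "subject": ((("commonName", "*.google.de"),),),
    "subjectAltName": (("DNS", "*.google.de"), ("DNS", "google.de")),
}

if __name__ == "__main__":
    for label, cert in (("no SNI", NO_SNI_CERT), ("SNI", SNI_CERT)):
        print(label, verify_host(cert, "google.de"))
```

The wildcard CN *.google.de does not itself cover the bare name google.de; the match comes from the separate subjectAltName entry, which is what curl reports as "subjectAltName: google.de matched".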