cURL / Mailing Lists / curl-users / Single Mail

curl-users

Strange behaviour on upgrading openssl

From: Alex Bligh <alex_at_alex.org.uk>
Date: Mon, 4 Mar 2013 13:54:59 +0000

I am seeing strange behaviour with curl when upgrading libssl (openssl)
acrosss a minor security release. I *think* this is an open ssl bug
but wanted to check here.

If I upgrade libssl1.0.0 on Ubuntu precise from version
1.0.1-4ubuntu5.5 to version 1.0.1-4ubuntu5.7 I see failure of negotiation
by old clients with self signed certs when using the -k flag in curl.

I am running apache2 on servers with self-signed certs (I enclose one
such below). Before upgrade, I can do a 'curl -k' (insecure) and connect
successfully whether or not the CN in the self-signed certificate matches
the CN in the URL, and irrespective of the version of libssl running on
the client (for this test I am using an IP address and a domain name
mapping to that IP address).

Certs are generated with
  openssl genrsa -out foo.key 1024
  openssl req -new -key foo.key foo.csr -subj "/C=XX/ST=Test/L=Test/O=Test/OU=Test/CN=${ENDPOINT}"
  openssl x509 -req -days 36500 -in foo.csr -signkey foo.key -out foo.crt

After the upgrade, all works fine from the host itself (i.e. curl to the IP address
in the CN, or curl to a DNS name pointing to it but not in the CN), but connection
from older clients report:

Ximines:~ amb$ curl -vvvvvv -k "https://cp.dev2.flexiant.net:4443/?wsdl" ; echo ""
* About to connect() to cp.dev2.flexiant.net port 4443 (#0)
* Trying 10.20.0.2... connected
* Connected to cp.dev2.flexiant.net (10.20.0.2) port 4443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
* Closing connection #0
curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)

whereas

$ curl -k "https://10.20.0.2:4443/?wsdl"

works fine

This error is ONLY produced when connecting to a URL not matching the CN. If I
connect to a URL that does match the CN it works fine (presumably it bails out
earlier).

If I force version 3 negotiation with the -3 option, it works fine.

As the version of curl has not changed, I suspect libssl, though it's possible curl
is not checking for all error conditions - i.e. the new version of libssl is returning
a different error code when the CNs do not match, and curl -k is not ignoring that
error code. However, note that it's the upgrade of the SERVER libssl which causes
the problems unless you upgrade the client too.

I've tried this on:

curl 7.21.3 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15

and

curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8r zlib/1.2.3

with the same result.

Any ideas?

In the meantime I have reported:
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1144408

Alex

Self-signed cert that errors (private key is worthless so included too):

-----BEGIN CERTIFICATE-----
MIICMzCCAZwCCQCX1VMZB/s5ozANBgkqhkiG9w0BAQUFADBdMQswCQYDVQQGEwJY
WDENMAsGA1UECAwEVGVzdDENMAsGA1UEBwwEVGVzdDENMAsGA1UECgwEVGVzdDEN
MAsGA1UECwwEVGVzdDESMBAGA1UEAwwJMTAuMjAuMC4yMCAXDTEyMTEwMjExNTIz
N1oYDzIxMTIxMDA5MTE1MjM3WjBdMQswCQYDVQQGEwJYWDENMAsGA1UECAwEVGVz
dDENMAsGA1UEBwwEVGVzdDENMAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVzdDES
MBAGA1UEAwwJMTAuMjAuMC4yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1
1b1RegfDBSATwP7W5kxY6oB1dgBQDmxU9gOhGo06NEyUt88mZmRCLuw9eI9c3Ho/
2P3DleB1HC+8buFn4b0+1c6Chk+gGifsX+3mHmVgjoeoxxk8+3wOjw848FxJ+RZ1
H/FHFPDSjQPfIg6jFPo5Wab4g7Depb/PoDOjgWQ+nQIDAQABMA0GCSqGSIb3DQEB
BQUAA4GBAArf2LS6G3Mh21qrR0UiAc1ekFw3JQvjRG8MSl+nCX3eHjBk1PDvMYs0
Hfh6HVRCBcleQn7xMHxTXw7wNyaoFeI4hl+GYHwzJONcVVSq+1wfIuzPC0YY6uPi
jUOSgUdnWvbZje0W4VM3/437793wPtP+fUVwEAAOGT70tC65R3CI
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC11b1RegfDBSATwP7W5kxY6oB1dgBQDmxU9gOhGo06NEyUt88m
ZmRCLuw9eI9c3Ho/2P3DleB1HC+8buFn4b0+1c6Chk+gGifsX+3mHmVgjoeoxxk8
+3wOjw848FxJ+RZ1H/FHFPDSjQPfIg6jFPo5Wab4g7Depb/PoDOjgWQ+nQIDAQAB
AoGAJgWzuL3Tsav4sSjCIR23CUC/68/o8NSTQpDO4Xkz3t/gw5hL8LOoc05sh84V
7E0OIxu0tJk6fkKOmNB2wcoqUAbcFnyItvi76EirQ2nu7x7zBhVNhJuYBGvTegG9
ByN7+arc+jvRq1Y36c999SN0wYEZpMdIKKOLBO2RgYnmQ+ECQQDoKVd6aH3fOlAC
ufTLH9duOILjeshH+N/Zuedq1eSA7tBTl3pdbHBbtGmim78brjelhqMn1GWqF3Y1
qWgyIq3jAkEAyIGAEb8EUGT/qOfMdvH52PvQGfMn3ZHT7FTC2m2ScV8kJb6UgrCi
mw6ZYDgSbMhm6xA7ow3wxORq4+s9ChEJfwJASEtXak7Po4vNDoxJplcsBq6iU6QQ
ahkd2/cAEUy580xqox0whZcXBfeQTYqiYERIH8tlUynY3rafoOY4BCS4cQJAOcSl
43cHhSo0RrPSQwrgk1Wp1XArMjlLt7GMGmarZKKmxYEtRKIjl00Tf5doJ5Nto5gf
tpDTp8avzU7/XSEffQJBALupHWw2N+OZd1k2XVVp2AKaL1qRzna5xl6SfP9rIhme
LdZdCMkt4nSKJ1f0HGdIYnbUXm8zeffSnOlWwaeCLRg=
-----END RSA PRIVATE KEY-----

-- 
Alex Bligh
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2013-03-04