curl-users
Re: for wildcard certificates, different platforms behaving differently
Date: Wed, 11 May 2016 23:46:45 +0200 (CEST)
On Wed, 11 May 2016, Rick Berge wrote:
CC'ing Nick on this topic. First mail here:
https://curl.haxx.se/mail/archive-2016-05/0034.html
> On a 10.11 Mac with version "7.43.0", ssl_version "SecureTransport" it just
> quietly, successfully connects. Since this is my primary environment, I
> didn't even realize there was a certificate problem.
Is this using Apple's version of curl? If so, I would suggest you report this
as a bug to Apple too (I think it could help to get traction from their end).
It could even be considered a possible security problem.
A later RFC to refer to on how this is wrong is RFC 6125 section 6.4.3:
2. If the wildcard character is the only character of the left-most
label in the presented identifier, the client SHOULD NOT compare
against anything but the left-most label of the reference
identifier (e.g., *.example.com would match foo.example.com but
not bar.foo.example.com or example.com).
This said, I can't yet rule out that the bug is somewhere in our use of the
SecureTransport APIs...
--
/ daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ: https://curl.haxx.se/docs/faq.html
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-05-11
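The RFC 6125 section 6.4.3 rule quoted in the mail above, written out as a hostname matcher. This is an added example, not curl's own hostcheck code and not anything from the thread; the function name hostmatch and the sample identifiers in main are assumptions. It implements rule 2 only: a wildcard is accepted solely as the entire left-most label of the presented identifier and consumes exactly one label of the reference identifier, so "*.example.com" matches "foo.example.com" but neither "bar.foo.example.com" nor "example.com". Partial-label wildcards such as "baz*.example.net" (rule 3) are rejected outright, and a wildcard with fewer than two labels after it ("*.com") is rejected as an extra conservative check that the RFC text on this page does not spell out.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges (DNS names are
 * case-insensitive, so "FOO.EXAMPLE.COM" must match "foo.example.com"). */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Number of dot-separated labels in a name ("example.com" -> 2). */
static size_t count_labels(const char *s)
{
    size_t n = 1;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* Match a reference identifier (the host name the client connected to)
 * against a presented identifier (a dNSName or CN from the certificate)
 * following RFC 6125 section 6.4.3 rule 2. Returns true on match.
 * Name and behaviour are this example's own assumptions, not curl's API. */
bool hostmatch(const char *presented, const char *reference)
{
    const char *star = strchr(presented, '*');

    /* No wildcard: the whole name must match exactly (case-insensitively). */
    if (!star)
        return label_eq(presented, strlen(presented),
                        reference, strlen(reference));

    /* Rule 2: the wildcard must be the *only* character of the left-most
     * label, i.e. the name starts with "*." and has no other '*'. Anything
     * else (e.g. "f*.example.com", "foo.*.com", "*") is rejected here. */
    if (star != presented || presented[1] != '.' || strchr(presented + 1, '*'))
        return false;

    const char *psuffix = presented + 1;   /* ".example.com" */

    /* Conservative extra check (assumption, not in the quoted RFC text):
     * refuse wildcards that would span a whole TLD such as "*.com". */
    if (count_labels(psuffix + 1) < 2)
        return false;

    /* The wildcard consumes exactly one non-empty label of the reference
     * identifier; everything after that first label must equal the suffix.
     * "bar.foo.example.com" leaves ".foo.example.com", which does not
     * match ".example.com"; "example.com" leaves ".com", which does not
     * match either. */
    const char *rdot = strchr(reference, '.');
    if (!rdot || rdot == reference)
        return false;
    return label_eq(rdot, strlen(rdot), psuffix, strlen(psuffix));
}

int main(void)
{
    /* Constructed sample pairs mirroring the RFC's own examples. */
    const char *presented = "*.example.com";
    const char *refs[] = { "foo.example.com", "bar.foo.example.com",
                           "example.com", "FOO.EXAMPLE.COM" };
    for (size_t i = 0; i < sizeof refs / sizeof refs[0]; i++)
        printf("%-20s vs %-20s -> %s\n", presented, refs[i],
               hostmatch(presented, refs[i]) ? "match" : "NO match");
    return 0;
}
```

A client that reports "match" for the second or third pair is accepting a certificate for a host it was never issued for, which is the behaviour the original mail describes on the SecureTransport build.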