
Re: Curl TLS verification omits hostname

From: Daniel Stenberg via curl-users <>
Date: Wed, 17 Jun 2020 23:28:42 +0200 (CEST)

On Wed, 17 Jun 2020, Timothe Litt via curl-users wrote:

> cURL does not appear to be verifying that the hostname (subject/SAN) in a
> server certificate matches the requested host.  It should.

It should yes, and it does. Without that, TLS is basically insecure.

> In the following, the host is misconfigured (and may be fixed by the time
> you see this).

Yes, it works for me.

> Looking at verbose output: cURL is verifying that the certificate has a
> trust chain to the root, but is not matching the requested hostname to the
> certificate.  It might be comparing the CNAME target to the certificate.

My curl says: 'subjectAltName: host "" matched cert's
""' for that particular URL (both my debian 7.68.0 and
my dev version 7.71.0-DEV).

No it doesn't. CNAME is a DNS record, it has nothing to do with what curl does
for certificates and verifying the name fields in it.

Since I cannot reproduce I also cannot understand what you saw. I will however
guess that there were some temporary glitches in that server or something.

If you can show a server with a cert where the name matching fails
reproducibly, please point to one.

The name verification is done immediately prior to the "issuer" verbose output
and it's curious that you don't have any output about it! If you build your
own, you can set a break-point in lib/vtls/openssl.c:verifyhost() and see what
it does...


Received on 2020-06-17
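
The point made in the reply above, that name verification compares the hostname from the URL with the certificate's name fields and never consults DNS records such as CNAME, shown as an added example (not curl's code and not from the original mail). The function names, the simplified RFC 6125 wildcard rules and the sample names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive ASCII string equality. */
static int ci_equal(const char *a, const char *b)
{
  for(; *a && *b; a++, b++)
    if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
      return 0;
  return *a == *b;
}

/* Match one dNSName pattern against the requested host. Simplified RFC 6125
   rules: "*" only as the entire left-most label, covering exactly one label,
   and never directly under a top-level domain ("*.com"). */
static int name_matches(const char *pattern, const char *host)
{
  const char *suffix, *dot;
  if(strncmp(pattern, "*.", 2) != 0)
    return ci_equal(pattern, host);
  suffix = pattern + 1;               /* e.g. ".cdn.example.net" */
  if(!strchr(suffix + 1, '.'))
    return 0;
  dot = strchr(host, '.');            /* end of the host's first label */
  return dot && dot != host && ci_equal(dot, suffix);
}

/* 1 if any SAN dNSName matches the URL's host; DNS data is not an input. */
int verify_host(const char *url_host, const char *const *san, size_t n)
{
  for(size_t i = 0; i < n; i++)
    if(name_matches(san[i], url_host))
      return 1;
  return 0;
}

/* Constructed sample SAN list (hypothetical, not from the thread). */
static const char *const SAN[] = { "www.example.org", "*.cdn.example.net" };

int main(void)
{
  /* Assume alias.example.com is a CNAME for www.example.org: still no match. */
  const char *hosts[] = { "WWW.EXAMPLE.ORG", "img.cdn.example.net",
                          "a.b.cdn.example.net", "alias.example.com" };
  for(size_t i = 0; i < 4; i++)
    printf("%-20s %s\n", hosts[i], verify_host(hosts[i], SAN, 2) ? "match" : "no match");
  return 0;
}
```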