Download
Browse source Changelog
Documentation
Project   Bug Bounty   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users Mailing lists Book: Everything curl Video presentations Report a bug Paid support
Development
Autobuilds Code review Code style Contribute Dashboard Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-users / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Curl TLS verification omits hostname

From: Daniel Stenberg via curl-users <curl-users_at_cool.haxx.se>
Date: Wed, 17 Jun 2020 23:28:42 +0200 (CEST)

On Wed, 17 Jun 2020, Timothe Litt via curl-users wrote:

> cURL does not appear to be verifying that the hostname (subject/SAN) in a
> server certificate matches the requested host.  It should.

It should yes, and it does. Without that, TLS is basically insecure.

> In the following, the host is misconfigured (and may be fixed by the time
> you see this).

Yes, it works for me.

> Looking at verbose output: cURL is verifying that the certificate has a
> trust chain to the root, but is not matching the requested hostname to the
> certificate.  It might be comparing the CNAME target to the certificate.

My curl says: 'subjectAltName: host "www.southboroughtown.com" matched cert's
"www.southboroughtown.com"' for that particular URL (both my debian 7.68.0 and
my dev version 7.71.0-DEV).

No it doesn't. CNAME is a DNS record, it has nothing to do with what curl does
for certificates and verifying the name fields in it.

Since I cannot reproduce I also cannot understand what you saw. I will however
guess that there were some temporary glitches in that server or something.

If you can show a server with a cert where the name matching fails
reproducible, please point to one.

The name verifction is done immediately prior to the "issuer" verbose output
and its curious that you don't have any output about it! If you build your
own, you can set a break-point in lib/vtls/openssl.c:verifyhost() and see what
it does... 

-- 
  / daniel.haxx.se | Commercial curl support up to 24x7 is available!
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/

-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-06-17