curl-library
Recent changes in CN/subjectAltName verification, email in CN
Date: Sun, 27 Sep 2009 18:39:19 +0300
Hi
I recently upgraded curl from 7.19.4 to 7.19.6 to get ssl resume support
and one of my server certificates stopped working...
The cert was created with TinyCA, so I can't attest to it being created
correctly... anyway, the relevant part of the cert is, as reported by
openssl x509:
...
Subject: C=FI, ST=Uusimaa, L=Espoo, O=Enkora Oy Ltd, OU=Access Control
Systems, CN=nexus.enkora.fi/emailAddress=root_at_enkora.fi
...
X509v3 Subject Alternative Name: email:root_at_enkora.fi
...
I understand there were at least 2 recent fixes in curl/openssl, namely
subjectAltName vs CN and null byte in CN.
Is my cert fundamentally broken and it was just luck that it worked with
curl before (and also with openssl s_client and firefox), or did the
hostname/email thing break in curl?
Certificate is live on https://nexus.enkora.fi and CA (self-made too) is
at http://nexus.enkora.fi/setup/
Thanks
Dima Q.
Received on 2009-09-27
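
Added example, not part of the original post and not curl's own code: RFC 2818 section 3.1 makes the CN irrelevant only when the certificate carries a subjectAltName of type dNSName, so an email-only subjectAltName like the one quoted above leaves the CN as the identity to check. The C code below models that decision with the values from the post; the types and `check_host` are hypothetical names, comparison is exact (wildcards are left out), and `other.example` style names are not used in the block itself.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Only the two GeneralName kinds relevant to the certificate above. */
enum san_type { SAN_EMAIL, SAN_DNS };
struct san_entry { enum san_type type; const char *value; };

enum verdict { NO_MATCH, MATCH_SAN_DNS, MATCH_CN };

/* Case-insensitive exact comparison; wildcard matching is left out. */
static int host_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* RFC 2818 section 3.1: if any dNSName entry exists, only dNSName entries
   are checked. The CN is used only when there is no dNSName entry at all. */
enum verdict check_host(const char *host, const struct san_entry *san,
                        size_t nsan, const char *cn)
{
    int saw_dns = 0;
    for (size_t i = 0; i < nsan; i++) {
        if (san[i].type != SAN_DNS)
            continue; /* an email entry says nothing about the host name */
        saw_dns = 1;
        if (host_eq(san[i].value, host))
            return MATCH_SAN_DNS;
    }
    if (saw_dns)
        return NO_MATCH; /* dNSName present, none matched: no CN fallback */
    return (cn && host_eq(cn, host)) ? MATCH_CN : NO_MATCH;
}

int main(void)
{
    /* Fields copied from the openssl x509 output quoted in the post. */
    const struct san_entry san[] = { { SAN_EMAIL, "root_at_enkora.fi" } };
    enum verdict v = check_host("nexus.enkora.fi", san, 1, "nexus.enkora.fi");
    printf("verdict: %s\n", v == MATCH_CN ? "CN fallback match" :
           v == MATCH_SAN_DNS ? "dNSName match" : "no match");
    return v == NO_MATCH;
}
```

A verifier that treats the mere presence of a subjectAltName extension as a reason to skip the CN would reject this certificate, which is the distinction the `saw_dns` flag captures.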