
curl-library

Possible SSL bug in libcurl 7.32

From: SinghLevett, Ishan <Ishan.SinghLevett_at_baesystemsdetica.com>
Date: Tue, 1 Oct 2013 18:14:32 +0100

Hi all,

Firstly I apologise if this is a) not a bug at all or b) a bug which has
already been discussed but I haven't been able to find any evidence of
it in the archives.

I'm using libcurl built with openssl in order to send secure HTTP
requests to a web server. The scenario I have is that I'm not using
CURLOPT_SSL_VERIFYPEER because my server's cert is not authorised (for
the moment) but I am using CURLOPT_SSL_VERIFYHOST so that the client
verifies that the hostname matches the server cert's common name before
the handshake is finalised (and yes I do know that the correct value of
this option is 2 not 1).

I've found that in this case, it doesn't matter whether the hostname
matches the certificate's common name or not; the connection will succeed
anyway. I've traced this back to ossl_connect_step3() from ssluse.c.

Specifically, the following code:

    if (!data->set.ssl.verifypeer)
    {
        (void)servercert(conn, connssl, FALSE);
    }
    else
    {
        retcode = servercert(conn, connssl, TRUE);
    }

Which doesn't consider the value of ssl.verifyhost and ignores the
return code from servercert() in my scenario. Since the verify peer and
verify host options are supposed to be independent I'd consider this a
bug.

I'd suggest the if statement should look more like this:

    if (!data->set.ssl.verifypeer && (data->set.ssl.verifyhost < 2))

If I can get some agreement on this I'll be more than happy to submit a
fix. Just as happy if this isn't considered a bug and I need to change
the way I use the library.

Regards

Ishan

Received on 2013-10-01
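
Added example, not part of the original mail and not libcurl source: a simplified C model of the branch quoted in the message, comparing the quoted condition with the suggested one for the poster's settings (VERIFYPEER off, VERIFYHOST 2). The names model_servercert, step3_quoted, step3_suggested and both structs are hypothetical, and the behaviour of the servercert() stand-in is an assumption stated in its comment.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the branch quoted in the mail; not libcurl source. */
struct ssl_opts { bool verifypeer; long verifyhost; };
struct peer { bool host_matches; bool chain_trusted; };  /* constructed inputs */

/* Stand-in for servercert(). Assumption: it returns non-zero on a hostname
   mismatch whenever verifyhost is set, and on an untrusted chain only when
   verifypeer is set. The strict flag is accepted but unused in this model. */
static int model_servercert(const struct ssl_opts *o, const struct peer *p,
                            bool strict)
{
  (void)strict;
  if(o->verifyhost && !p->host_matches) return 1;
  if(o->verifypeer && !p->chain_trusted) return 1;
  return 0;
}

/* Branch as quoted: the result is discarded whenever verifypeer is off. */
int step3_quoted(const struct ssl_opts *o, const struct peer *p)
{
  int retcode = 0;
  if(!o->verifypeer)
    (void)model_servercert(o, p, false);
  else
    retcode = model_servercert(o, p, true);
  return retcode;
}

/* Branch with the condition suggested in the mail. */
int step3_suggested(const struct ssl_opts *o, const struct peer *p)
{
  int retcode = 0;
  if(!o->verifypeer && (o->verifyhost < 2))
    (void)model_servercert(o, p, false);
  else
    retcode = model_servercert(o, p, true);
  return retcode;
}

int main(void)
{
  struct ssl_opts o = { false, 2 };  /* the poster's scenario */
  struct peer wrong = { false, false }, right = { true, false };
  printf("mismatch: quoted=%d suggested=%d\n",
         step3_quoted(&o, &wrong), step3_suggested(&o, &wrong));
  printf("match:    quoted=%d suggested=%d\n",
         step3_quoted(&o, &right), step3_suggested(&o, &right));
  return 0;
}
```

In this model a non-zero return means the connection is refused; only the suggested condition refuses the mismatching host while still accepting the matching host with an untrusted chain.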