Problem with x509 alternativeName in SSL keys.

From: Ben Greear <greearb_at_candelatech.com>
Date: Tue, 24 Mar 2015 17:08:33 -0700

I am trying to set up some HotSpot 2.0 r2 servers, and part of it wants to use
some fairly fancy keys. (From the HS20 example code, I think I should be able to
just use the domain as the DNS...but maybe that is not actually correct?)

The key I am trying to use is this:

[root_at_ben-ota-2 lanforge]# cat hs20/ca/server.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 18371062016048610240 (0xfef31f91cd3fbbc0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FI, O=local, CN=Hotspot 2.0 Intermediate CA - 99
        Validity
            Not Before: Mar 24 18:50:52 2015 GMT
            Not After : Mar 23 18:50:52 2017 GMT
        Subject: C=FI, O=local, OU=Hotspot 2.0 Online Sign Up Server, CN=osu.ben-ota-2.lanforge.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cc:7f:32:77:14:af:f1:26:b1:af:22:33:1a:59:
                    24:d3:fa:85:b9:f9:29:16:d7:73:b7:5a:d3:6e:c9:
                    94:05:4f:ba:71:c2:33:59:50:7c:04:cf:a9:4b:fa:
                    aa:17:fa:d1:46:d4:c1:55:34:bd:aa:84:5d:c7:c4:
                    e2:5c:eb:d5:26:5e:fd:82:f3:79:e3:7e:a7:30:c7:
                    a3:c6:ca:0d:a8:12:6f:79:1b:3f:33:65:c1:06:b0:
                    87:3d:76:65:db:b9:79:94:2f:aa:bf:88:07:de:15:
                    de:0d:76:f5:e6:2e:2d:b2:8e:a8:9b:de:fc:27:1c:
                    72:cd:77:e9:1c:e4:d8:42:dc:c3:74:b8:33:5f:ab:
                    4f:a8:d1:97:f5:f9:3b:98:80:4c:ba:f0:d0:0d:57:
                    43:26:07:ff:e4:6f:4a:ca:46:f7:d1:a0:fa:6b:ff:
                    ad:78:b2:13:57:bb:92:d3:4e:b0:35:d7:a4:56:0e:
                    5b:6b:20:1b:3d:a8:3b:08:ff:8e:fa:ab:25:8e:ab:
                    6b:a5:81:74:49:cd:75:5f:c3:ba:70:0c:29:29:7f:
                    a2:03:47:88:02:e6:a2:62:60:48:a6:74:da:6d:95:
                    ea:99:83:dd:d7:75:80:4d:56:c2:6c:56:a0:da:32:
                    8f:99:95:4c:c2:bd:2c:11:c6:53:b6:53:be:e9:1e:
                    15:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                08:2F:C3:85:81:C4:D7:4F:44:FC:66:D4:C9:FF:C8:99:04:12:36:7A
            X509v3 Authority Key Identifier:
                keyid:F9:F7:0B:39:68:33:AF:53:88:60:AC:30:15:D1:5A:C1:BE:29:C1:A3

            Authority Information Access:
                OCSP - URI:http://ocsp.ben-ota-2.lanforge.local:8888/

            X509v3 Subject Alternative Name: critical
                DNS:ben-ota-2.lanforge.local, othername:<unsupported>, othername:<unsupported>
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Key Encipherment
            1.3.6.1.5.5.7.1.12:
                0~.|0z.x0v0t0`..image/png010/0...`.H.e..... E2..6BC.a|.....ZQ.......C..(
h.M0 ..http://osu.w1.fi/w1fi_logo.png0....}......P..zxx
    Signature Algorithm: sha256WithRSAEncryption
         86:61:2a:93:e3:6d:d1:0f:bb:5b:93:96:5b:34:9d:14:f6:02:
         57:35:c2:9b:fd:5c:c6:24:15:97:79:a3:15:7f:ef:f3:9e:59:
         77:3a:76:3a:42:f9:d6:a4:20:96:04:85:27:ff:c0:2d:37:52:
         99:b3:52:2d:48:67:e0:12:19:9f:cc:3b:85:ea:ad:05:4e:c8:
         b5:76:80:eb:28:91:48:ce:6a:bc:ce:9a:7e:9c:23:f5:aa:36:
         09:d4:cf:01:f1:3e:37:18:72:5f:fa:6c:86:8d:36:50:7b:ad:
         c2:24:f6:27:da:5c:31:0e:9e:1e:d5:15:fd:84:3d:a6:36:10:
         91:64:30:c7:36:d8:f6:18:55:8e:32:7f:a5:6a:0e:95:a4:7c:
         64:23:0d:ef:42:2f:f6:74:11:2c:90:3b:ce:77:3b:df:e7:c2:
         56:4b:0e:6a:3b:ee:27:e2:eb:69:29:87:80:ed:75:d4:34:cf:
         87:75:c6:62:81:59:04:4d:0a:25:2e:48:ac:06:b5:dd:a2:ea:
         fd:a3:e4:68:be:64:e8:6b:af:fc:97:b0:71:cd:54:f6:2f:58:
         4c:a0:72:bc:7e:28:9a:d2:6f:38:25:b8:dd:01:97:53:fd:7c:
         0a:37:cd:8a:e0:f5:60:1e:90:05:b9:c3:43:d7:1d:8a:1a:1b:
         68:d1:36:dc
-----BEGIN CERTIFICATE-----
MIIFCzCCA/OgAwIBAgIJAP7zH5HNP7vAMA0GCSqGSIb3DQEBCwUAMEgxCzAJBgNV
BAYTAkZJMQ4wDAYDVQQKDAVsb2NhbDEpMCcGA1UEAwwgSG90c3BvdCAyLjAgSW50
ZXJtZWRpYXRlIENBIC0gOTkwHhcNMTUwMzI0MTg1MDUyWhcNMTcwMzIzMTg1MDUy
WjBwMQswCQYDVQQGEwJGSTEOMAwGA1UECgwFbG9jYWwxKjAoBgNVBAsMIUhvdHNw
b3QgMi4wIE9ubGluZSBTaWduIFVwIFNlcnZlcjElMCMGA1UEAwwcb3N1LmJlbi1v
dGEtMi5sYW5mb3JnZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMx/MncUr/Emsa8iMxpZJNP6hbn5KRbXc7da027JlAVPunHCM1lQfATPqUv6
qhf60UbUwVU0vaqEXcfE4lzr1SZe/YLzeeN+pzDHo8bKDagSb3kbPzNlwQawhz12
Zdu5eZQvqr+IB94V3g129eYuLbKOqJve/Ccccs136Rzk2ELcw3S4M1+rT6jRl/X5
O5iATLrw0A1XQyYH/+RvSspG99Gg+mv/rXiyE1e7ktNOsDXXpFYOW2sgGz2oOwj/
jvqrJY6ra6WBdEnNdV/DunAMKSl/ogNHiALmomJgSKZ02m2V6pmD3dd1gE1WwmxW
oNoyj5mVTMK9LBHGU7ZTvukeFT0CAwEAAaOCAc4wggHKMAwGA1UdEwEB/wQCMAAw
HQYDVR0OBBYEFAgvw4WBxNdPRPxm1Mn/yJkEEjZ6MB8GA1UdIwQYMBaAFPn3Czlo
M69TiGCsMBXRWsG+KcGjMEYGCCsGAQUFBwEBBDowODA2BggrBgEFBQcwAYYqaHR0
cDovL29jc3AuYmVuLW90YS0yLmxhbmZvcmdlLmxvY2FsOjg4ODgvMHoGA1UdEQEB
/wRwMG6CGGJlbi1vdGEtMi5sYW5mb3JnZS5sb2NhbKAlBgsrBgEEAYK+aAEBAaAW
DBRlbmdsb2NhbCBURVNUSU5HIFVTRaArBgsrBgEEAYK+aAEBAaAcDBpmaW5sb2Nh
bCBURVNUSUvDg8KEWVRUw4PCljAWBgNVHSUBAf8EDDAKBggrBgEFBQcDATAOBgNV
HQ8BAf8EBAMCBSAwgY0GCCsGAQUFBwEMBIGAMH6gfDB6oHgwdjB0MGAWCWltYWdl
L3BuZzAxMC8wCwYJYIZIAWUDBAIBBCBFMvfsNkJDgWF8A8bOh7VaUdbnF3/6/aJD
zr8oCmiVTTAgFh5odHRwOi8vb3N1LncxLmZpL3cxZmlfbG9nby5wbmcwEAICHX0C
AgCAAgFQhAN6eHgwDQYJKoZIhvcNAQELBQADggEBAIZhKpPjbdEPu1uTlls0nRT2
Alc1wpv9XMYkFZd5oxV/7/OeWXc6djpC+dakIJYEhSf/wC03UpmzUi1IZ+ASGZ/M
O4XqrQVOyLV2gOsokUjOarzOmn6cI/WqNgnUzwHxPjcYcl/6bIaNNlB7rcIk9ifa
XDEOnh7VFf2EPaY2EJFkMMc22PYYVY4yf6VqDpWkfGQjDe9CL/Z0ESyQO853O9/n
wlZLDmo77ifi62kph4DtddQ0z4d1xmKBWQRNCiUuSKwGtd2i6v2j5Gi+ZOhrr/yX
sHHNVPYvWEygcrx+KJrSbzgluN0Bl1P9fAo3zYrg9WAekAW5w0PXHYoaG2jRNtw=
-----END CERTIFICATE-----

The curl output (slightly patched to provide more details), is below:

CURLINFO_TEXT[SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384]
CURLINFO_TEXT[--- Certificate chain]
CURLINFO_TEXT[ 0 Subject: C=FI; O=local; OU=Hotspot 2.0 Online Sign Up Server; CN=osu.ben-ota-2.lanforge.local]
CURLINFO_TEXT[ Issuer: C=FI; O=local; CN=Hotspot 2.0 Intermediate CA - 99]
CURLINFO_TEXT[ Version: 3 (0x2)]
CURLINFO_TEXT[ Serial Number: ]
CURLINFO_TEXT[ Signature Algorithm: sha256WithRSAEncryption]
CURLINFO_TEXT[ Start date: 2015-03-24 18:50:52 GMT]
CURLINFO_TEXT[ Expire date: 2017-03-23 18:50:52 GMT]
CURLINFO_TEXT[ Public Key Algorithm: rsaEncryption]
CURLINFO_TEXT[ RSA Public Key (2048 bits)]
CURLINFO_TEXT[ rsa(n):
cc:7f:32:77:14:af:f1:26:b1:af:22:33:1a:59:24:d3:fa:85:b9:f9:29:16:d7:73:b7:5a:d3:6e:c9:94:05:4f:ba:71:c2:33:59:50:7c:04:cf:a9:4b:fa:aa:17:fa:d1:46:d4:c1:55:34:bd:aa:84:5d:c7:c4:e2:5c:eb:d5:26:5e:fd:82:f3:79:e3:7e:a7:30:c7:a3:c6:ca:0d:a8:12:6f:79:1b:3f:33:65:c1:06:b0:87:3d:76:65:db:b9:79:94:2f:aa:bf:88:07:de:15:de:0d:76:f5:e6:2e:2d:b2:8e:a8:9b:de:fc:27:1c:72:cd:77:e9:1c:e4:d8:42:dc:c3:74:b8:33:5f:ab:4f:a8:d1:97:f5:f9:3b:98:80:4c:ba:f0:d0:0d:57:43:26:07:ff:e4:6f:4a:ca:46:f7:d1:a0:fa:6b:ff:ad:78:b2:13:57:bb:92:d3:4e:b0:35:d7:a4:56:0e:5b:6b:20:1b:3d:a8:3b:08:ff:8e:fa:ab:25:8e:ab:6b:a5:81:74:49:cd:75:5f:c3:ba:70:0c:29:29:7f:a2:03:47:88:02:e6:a2:62:60:48:a6:74:da:6d:95:ea:99:83:dd:d7:75:80:4d:56:c2:6c:56:a0:da:32:8f:99:95:4c:c2:bd:2c:11:c6:53:b6:53:be:e9:1e:15:3d:]
CURLINFO_TEXT[ rsa(e): 01:00:01:]
CURLINFO_TEXT[X509v3 Basic Constraints: (critical)]
CURLINFO_TEXT[ CA:FALSE]
CURLINFO_TEXT[X509v3 Subject Key Identifier: ]
CURLINFO_TEXT[ 08:2F:C3:85:81:C4:D7:4F:44:FC:66:D4:C9:FF:C8:99:04:12:36:7A]
CURLINFO_TEXT[X509v3 Authority Key Identifier: ]
CURLINFO_TEXT[ keyid:F9:F7:0B:39:68:33:AF:53:88:60:AC:30:15:D1:5A:C1:BE:29:C1:A3]
CURLINFO_TEXT[Authority Information Access: ]
CURLINFO_TEXT[ OCSP-URI:http://ocsp.ben-ota-2.lanforge.local:8888/]
CURLINFO_TEXT[X509v3 Subject Alternative Name: (critical)]
CURLINFO_TEXT[ DNS:ben-ota-2.lanforge.local,othername:<unsupported>,othername:<unsupported>]
CURLINFO_TEXT[X509v3 Extended Key Usage: (critical)]
CURLINFO_TEXT[ TLSWebServerAuthentication]
CURLINFO_TEXT[X509v3 Key Usage: (critical)]
CURLINFO_TEXT[ KeyEncipherment]
CURLINFO_TEXT[1.3.6.1.5.5.7.1.12: ]
CURLINFO_TEXT[ 0~.|0z.x0v0t0`..image/png010/0...`.H.e.....E2..6BC.a|.....ZQ.......C..(, h.M0..http://osu.w1.fi/w1fi_logo.png0....}......P..zxx]
CURLINFO_TEXT[ Signature:
86:61:2a:93:e3:6d:d1:0f:bb:5b:93:96:5b:34:9d:14:f6:02:57:35:c2:9b:fd:5c:c6:24:15:97:79:a3:15:7f:ef:f3:9e:59:77:3a:76:3a:42:f9:d6:a4:20:96:04:85:27:ff:c0:2d:37:52:99:b3:52:2d:48:67:e0:12:19:9f:cc:3b:85:ea:ad:05:4e:c8:b5:76:80:eb:28:91:48:ce:6a:bc:ce:9a:7e:9c:23:f5:aa:36:09:d4:cf:01:f1:3e:37:18:72:5f:fa:6c:86:8d:36:50:7b:ad:c2:24:f6:27:da:5c:31:0e:9e:1e:d5:15:fd:84:3d:a6:36:10:91:64:30:c7:36:d8:f6:18:55:8e:32:7f:a5:6a:0e:95:a4:7c:64:23:0d:ef:42:2f:f6:74:11:2c:90:3b:ce:77:3b:df:e7:c2:56:4b:0e:6a:3b:ee:27:e2:eb:69:29:87:80:ed:75:d4:34:cf:87:75:c6:62:81:59:04:4d:0a:25:2e:48:ac:06:b5:dd:a2:ea:fd:a3:e4:68:be:64:e8:6b:af:fc:97:b0:71:cd:54:f6:2f:58:4c:a0:72:bc:7e:28:9a:d2:6f:38:25:b8:dd:01:97:53:fd:7c:0a:37:cd:8a:e0:f5:60:1e:90:05:b9:c3:43:d7:1d:8a:1a:1b:68:d1:36:dc:]
CURLINFO_TEXT[Server certificate:]
CURLINFO_TEXT[ subject: C=FI; O=local; OU=Hotspot 2.0 Online Sign Up Server; CN=osu.ben-ota-2.lanforge.local]
CURLINFO_TEXT[ start date: 2015-03-24 18:50:52 GMT]
CURLINFO_TEXT[ expire date: 2017-03-23 18:50:52 GMT]
CURLINFO_TEXT[ OPEN-SSL: subjectAltName does not match, altptr: ben-ota-2.lanforge.local altlen: 24 host: osu.ben-ota-2.lanforge.local]
CURLINFO_TEXT[ OPEN-SSL: subjectAltName does not match osu.ben-ota-2.lanforge.local]
CURLINFO_TEXT[SSL: no alternative certificate subject name matches target host name 'osu.ben-ota-2.lanforge.local']
CURLINFO_TEXT[Marked for [closure]: Failed HTTPS connection]
CURLINFO_TEXT[Closing connection 0]
CURLINFO_TEXT[The cache now contains 0 members]
CURLINFO_TEXT[TLSv1.2, TLS alert, Client hello (1):]
debug - CURLINFO_SSL_DATA_OUT - 2
CURLINFO_TEXT[Expire cleared]
curl_easy_perform() failed: SSL peer certificate or SSH remote key was not OK
HTTP error: SSL peer certificate or SSH remote key was not OK

Any idea if this is a problem in curl or not?

Thanks,
Ben

-- 
Ben Greear <greearb_at_candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
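The failure in the log above comes down to how the target host name is checked against the certificate: the subjectAltName extension carries only DNS:ben-ota-2.lanforge.local, while the host being contacted is osu.ben-ota-2.lanforge.local. Once a certificate has dNSName entries in its SAN, curl (following RFC 6125 and RFC 2818) compares the host against those entries only and does not fall back to the subject CN, which is why the CN of osu.ben-ota-2.lanforge.local does not rescue the connection. The following is an added example, not curl's own code, that reproduces that matching rule in standard-library Python; the SAN and CN values are taken from the certificate in the post, and the function names and the wildcard rule (a single `*` as the whole leftmost label, with at least two labels after it) are this example's own choices.

```python
"""Host name matching against an X.509 certificate in the style curl applies:
if dNSName entries exist in subjectAltName, only they are consulted and the
subject CN is ignored. Illustrative example, not curl's implementation."""

# Values copied from the certificate in the post. The SAN also holds two
# othername entries that curl reports as <unsupported>; they play no part in
# host name matching, so only the single dNSName is listed here.
CERT_DNS_SANS = ["ben-ota-2.lanforge.local"]
CERT_SUBJECT_CN = "osu.ben-ota-2.lanforge.local"
TARGET_HOST = "osu.ben-ota-2.lanforge.local"


def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one dNSName (or CN) against a host name.

    Case-insensitive, trailing dots ignored. A wildcard is accepted only as the
    complete leftmost label (partial wildcards such as 'f*o' are refused), it
    matches exactly one label, and the pattern must keep at least two labels
    after it so that '*.local' cannot match every host in a TLD.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard must be the whole leftmost label, nowhere else
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # '*' covers exactly one label; too-short patterns refused
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(dns_sans, subject_cn, host):
    """Return (matched, reason) using the SAN-first rule curl enforces.

    With dNSName SANs present the CN is never consulted; without any dNSName
    the CN is the fallback.
    """
    if dns_sans:
        for san in dns_sans:
            if dns_name_matches(san, host):
                return True, f"subjectAltName DNS:{san} matches {host}"
        return (
            False,
            f"no alternative certificate subject name matches target host name '{host}'",
        )
    if subject_cn and dns_name_matches(subject_cn, host):
        return True, f"no dNSName SAN present; subject CN {subject_cn} matches {host}"
    return False, f"neither SAN nor CN matches {host}"


def diagnose(dns_sans, subject_cn, host):
    """Explain a mismatch the way a defender would read the curl log: report
    whether the CN would have matched had it been eligible, so the fix
    (add the host as a dNSName SAN) is obvious."""
    matched, reason = cert_matches_host(dns_sans, subject_cn, host)
    cn_would_match = bool(subject_cn) and dns_name_matches(subject_cn, host)
    return {
        "matched": matched,
        "reason": reason,
        "cn_ignored_but_would_match": (not matched) and bool(dns_sans) and cn_would_match,
    }


if __name__ == "__main__":
    result = diagnose(CERT_DNS_SANS, CERT_SUBJECT_CN, TARGET_HOST)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Same certificate with the OSU host added as a dNSName SAN: matches.
    fixed = diagnose(CERT_DNS_SANS + [TARGET_HOST], CERT_SUBJECT_CN, TARGET_HOST)
    print("after adding DNS SAN:", fixed["matched"])
```

Running the block reproduces the log's verdict: the only dNSName is the parent host, so the OSU name fails even though the CN is identical to it, and `cn_ignored_but_would_match` flags that the CN alone would have satisfied the check. The remedy on the certificate side is to issue the OSU server certificate with DNS:osu.ben-ota-2.lanforge.local in its subjectAltName, which the second `diagnose` call shows succeeding.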
Received on 2015-03-25