I have a certificate with two subject alternative names (DNS names).
Using a variant of curl that calls x509asn1.c:Curl_verifyhost() (such as
one built using GSKit), the certificate validation fails because the code
is returning early in the case where the first alternative name is not a
match:

   /* Check all GeneralNames. */
      for(q = elem.beg; matched != 1 && q < elem.end;) {
        q = Curl_getASN1Element(&name, q, elem.end);
        switch (name.tag) {
        case 2: /* DNS name. */
          i = 0;
          len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING,
                            name.beg, name.end);
          if(len > 0)
            if(strlen(dnsname) == (size_t) len)
              i = Curl_cert_hostcheck((const char *) dnsname,
conn->host.name);
          free(dnsname);
          if(!i)
            return CURLE_PEER_FAILED_VERIFICATION;
          matched = i;
          break;

It looks to me like this return statement is incorrect--the loop should be
continued and additional SANs should be considered. If none of them
match, then the code falls through to the case of failing (matched == 0)
and rejects the hostname verification.

--
John Kohl
Senior Software Engineer
IBM Systems, Middleware
Littleton, Massachusetts, USA
jtk_at_us.ibm.com

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-12-14