cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: curl command line option to ignore Subject validation

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 17 Dec 2015 02:01:19 -0500

On 12/17/2015 12:25 AM, Gaurav Rastogi -X (garastog - ARICENT
TECHNOLOGIES MAURIITIUS LIMITED at Cisco) wrote:
>
> Hi All,
>
> I ve upgraded CURL from 7.30 to 7.46.
>
> But here I’m facing one issue in one of the curl command line execution.
>
> In version 7.30 below command works fine for me:
>
> curl -s -k -m 10 -w "\n%{http_code}" http://localhost:8080/logo.gif
> <http://localhost:8080/logo.gif>
>
> Whereas when I upgraded curl to 7.46 same command failed due to CN
> validation with below error:
>
> curl -vi -s -k -m 10 -w "\n%{http_code}" https://localhost:8443/logo.gif
>
> * Trying 127.0.0.1...
>
> * Connected to localhost (127.0.0.1) port 8443 (#0)
>
> * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>
> * successfully set certificate verify locations:
>
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>
> CApath: none
>
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
>
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>
> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
>
> * TLSv1.2 (IN), TLS handshake, Finished (20):
>
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
>
> * Server certificate:
>
> * subject: C=IN; O=abc; OU=Aricent; CN=vm418.abc.com;
> ST=Haryana; L=Gurgaon
>
> * start date: Dec 12 04:27:29 2015 GMT
>
> * expire date: Dec 10 04:27:28 2020 GMT
>
> * *SSL: certificate subject name 'vm418.abc.com' does not match target
> host name 'localhost'*
>
> * Closing connection 0
>
> * TLSv1.2 (OUT), TLS alert, Client hello (1):
>
> Could you please provide me an option so that I can go ahead without
> CN validation?
>
> Also let me know in which version these changes are introduced.
>
>

I can't reproduce this. That error comes from the verifyhost function in
openssl.c [1] but it's not called unless data->set.ssl.verifyhost is !=
0. I've gone through the code and I just don't see how this could have
happened unless maybe SSL support is for some reason missing from your
libcurl version information? If -k and the curl tool doesn't find SSL
support in libcurl [2] it won't set options to turn off verifypeer/host.
What does curl -V show?

[1]:
https://github.com/bagder/curl/blob/curl-7_46_0/lib/vtls/openssl.c#L2525-L2532
[2]:
https://github.com/bagder/curl/blob/curl-7_46_0/src/tool_operate.c#L1027

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-12-17