
Re: curl command line option to ignore Subject validation

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 17 Dec 2015 16:25:29 -0500

On 12/17/2015 3:01 AM, Gaurav Rastogi -X (garastog - ARICENT
TECHNOLOGIES MAURIITIUS LIMITED at Cisco) wrote:
>
> [root_at_ucbu-aricent-vm418 ~]# curl -V
>
> curl 7.19.7 (i686-redhat-linux-gnu) libcurl/7.46.0 OpenSSL/1.0.1e
> zlib/1.2.3
>
> Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s
> rtsp smb smbs smtp smtps telnet tftp
>
> Features: IPv6 Largefile NTLM SSL libz
>
> From: curl-library [mailto:curl-library-bounces_at_cool.haxx.se] On
> Behalf Of Ray Satiro via curl-library
> Sent: Thursday, December 17, 2015 12:31 PM
> To: curl-library_at_cool.haxx.se
> Subject: Re: curl command line option to ignore Subject validation
>
> On 12/17/2015 12:25 AM, Gaurav Rastogi -X (garastog - ARICENT
> TECHNOLOGIES MAURIITIUS LIMITED at Cisco) wrote:
>
> Hi All,
>
> I've upgraded CURL from 7.30 to 7.46.
>
> But here I’m facing one issue in one of the curl command line execution.
>
> In version 7.30 below command works fine for me:
>
> curl -s -k -m 10 -w "\n%{http_code}" http://localhost:8080/logo.gif
>
> Whereas when I upgraded curl to 7.46 same command failed due to CN
> validation with below error:
>
> curl -vi -s -k -m 10 -w "\n%{http_code}" https://localhost:8443/logo.gif
>
> * Trying 127.0.0.1...
>
> * Connected to localhost (127.0.0.1) port 8443 (#0)
>
> * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>
> * successfully set certificate verify locations:
>
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>
> CApath: none
>
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
>
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>
> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
>
> * TLSv1.2 (IN), TLS handshake, Finished (20):
>
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
>
> * Server certificate:
>
> * subject: C=IN; O=abc; OU=Aricent; CN=vm418.abc.com;
> ST=Haryana; L=Gurgaon
>
> * start date: Dec 12 04:27:29 2015 GMT
>
> * expire date: Dec 10 04:27:28 2020 GMT
>
> * SSL: certificate subject name 'vm418.abc.com' does not match target
> host name 'localhost'
>
> * Closing connection 0
>
> * TLSv1.2 (OUT), TLS alert, Client hello (1):
>
> Could you please provide me an option so that I can go ahead without
> CN validation?
>
> Also let me know in which version these changes are introduced.
>
>
> I can't reproduce this. That error comes from the verifyhost function
> in openssl.c [1] but it's not called unless data->set.ssl.verifyhost
> is != 0. I've gone through the code and I just don't see how this
> could have happened unless maybe SSL support is for some reason
> missing from your libcurl version information? If -k and the curl tool
> doesn't find SSL support in libcurl [2] it won't set options to turn
> off verifypeer/host. What does curl -V show?
>
>
> [1]:
> https://github.com/bagder/curl/blob/curl-7_46_0/lib/vtls/openssl.c#L2525-L2532
> [2]:
> https://github.com/bagder/curl/blob/curl-7_46_0/src/tool_operate.c#L1027
>

Please don't top post, you're making this thread harder to follow. curl
7.19.7 is 6+ years old, and when you use such an old version of the tool
with such a recent version of the library it's not far-fetched that you
could end up with unexpected results like what you are seeing. Some
options or their values set by the 7.19.7 tool may be deprecated or
removed from the latest version of the library. This is rare; however, I
think this might be what's happening.

According to the code for curl tool v7.19.7 it sets
CURLOPT_SSL_VERIFYHOST to 1 to disable host verification when -k [1].
But 1 is no longer acknowledged [2] as of 3 years ago (curl-7_28_1), and
in the future will be the same as enabling host verification [3]. When 1
is set by the tool the library will return an error if the library is
7.28.1+. As noted this may change in the future.

At the moment I'm not able to build the 7.19.7 tool to confirm but my
theory is that the earlier version of the tool does not abort on the
error. More recent versions (starting when? don't know) of the curl tool
should abort on this error. I would use a much later version of the
tool, preferably the same as your library version 7.46.

[1]: https://github.com/bagder/curl/blob/curl-7_19_7/src/main.c#L4775-L4779
[2]: https://github.com/bagder/curl/commit/da82f59
[3]: http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
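The root cause above is a curl tool (7.19.7) linked against a much newer libcurl (7.46.0), where `-k` makes the old tool set CURLOPT_SSL_VERIFYHOST=1, a value libcurl 7.28.1+ rejects. The following POSIX shell script is an added example, not code from the thread or the curl project: it parses the first line of `curl -V` output (the sample line is the one quoted in the thread, embedded so the check runs offline), flags a tool/library version mismatch, and warns when the library is at or past 7.28.1 while the tool predates it. The function names are the example's own.

```shell
#!/bin/sh
# Added example: detect a curl tool / libcurl version mismatch from `curl -V`.
# Not part of the thread; the sample input below is the line quoted in it.

# version_key 7.19.7 -> 7019007, so dotted versions compare as integers
version_key() {
    echo "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# curl_versions LINE -> "<tool version> <libcurl version>"
# e.g. "curl 7.19.7 (i686-redhat-linux-gnu) libcurl/7.46.0 ..." -> "7.19.7 7.46.0"
curl_versions() {
    tool=$(printf '%s\n' "$1" | sed -n 's/^curl \([0-9][0-9.]*\) .*/\1/p')
    lib=$(printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p')
    printf '%s %s\n' "$tool" "$lib"
}

# check_curl_versions LINE
#   returns 0 when tool and library versions match,
#   1 when they differ (with a warning about -k where it applies),
#   2 when the line cannot be parsed.
check_curl_versions() {
    line=$1
    set -- $(curl_versions "$line")
    tool=$1
    lib=$2
    if [ -z "$tool" ] || [ -z "$lib" ]; then
        echo "could not parse curl -V output: $line" >&2
        return 2
    fi
    if [ "$tool" = "$lib" ]; then
        echo "ok: curl tool $tool matches libcurl $lib"
        return 0
    fi
    echo "mismatch: curl tool $tool is linked against libcurl $lib" >&2
    # As described in the thread: the 7.19.7 tool sets CURLOPT_SSL_VERIFYHOST=1
    # for -k, and libcurl 7.28.1 and later no longer accept that value.
    if [ "$(version_key "$lib")" -ge "$(version_key 7.28.1)" ] &&
       [ "$(version_key "$tool")" -lt "$(version_key 7.28.1)" ]; then
        echo "warning: -k from tool $tool sets CURLOPT_SSL_VERIFYHOST=1, rejected by libcurl $lib (7.28.1+)" >&2
    fi
    return 1
}

# Constructed sample: the `curl -V` line quoted earlier in this thread.
SAMPLE='curl 7.19.7 (i686-redhat-linux-gnu) libcurl/7.46.0 OpenSSL/1.0.1e zlib/1.2.3'

check_curl_versions "$SAMPLE" || echo "exit status: $?"
```

To run it against a live system, replace the sample with `"$(curl -V | head -n 1)"`; a non-zero status is the cue to install a tool build that matches the library rather than to look for a way to bypass host verification.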

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-12-17