Re: libcurl not verifying proxy url against IP address present in subject alternate name

From: Hemant Kumar via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 30 Nov 2017 08:09:22 +0530

On Thu, Nov 30, 2017 at 2:57 AM, Ray Satiro via curl-library <
curl-library_at_cool.haxx.se> wrote:

>
> On 11/28/2017 2:12 PM, Hemant Kumar via curl-library wrote:
>
> I am using pycurl (python wrapper of libcurl) to connect to a remote
> server (HTTPS) via a proxy (HTTPS).
> While establishing SSL connection with the proxy, the certificate shared
> by proxy has both CN and SAN entries as below -
>
> Subject: C=IN, ST=KA, L=BGL, O=xxxx, OU=x, *CN=host.cust1.com*/emailAddress=email@domain.com
>
> X509v3 Subject Alternative Name:
> DNS:host.cust1.com, *DNS:172.73.74.75*, DNS:securepr.cust1.com <http://secureprofile.cust1.com>
>
> In my code when I use the proxy's FQDN (host.cust1.com) as the proxy URL to access then the ssl verification works fine but when I try using the IP Address I get below error -
>
> "SSL: no alternative certificate subject name matches target host name '172.73.74.75'"
>
> Should not libcurl verify the proxy URL against all the subject alternate
> names present in the received certificate or am I missing something here?
>
> Software versions used - PycURL/7.43.0 libcurl/7.56.1
>
>
> In my opinion, no.
>
> Is the PycURL string supposed to include the libcurl version string? What
> SSL library is libcurl using? It should have shown you the SSL library in
> the version information. I will assume OpenSSL for this reply.
>
> libcurl w/ OpenSSL will only use iPAddress altname field for IP addresses
> and dNSName altname field for host names [1]. There's some anecdotal
> evidence of clients that accept IP address in dNSName [2]. I believe those
> clients are wrong. The original RFC 2818 is unambiguous [3]:
>
>     In some cases, the URI is specified as an IP address rather than a
>     hostname. In this case, the iPAddress subjectAltName must be present
>     in the certificate and must exactly match the IP in the URI.
>
>
> [1]: https://github.com/curl/curl/blob/curl-7_56_1/lib/vtls/openssl.c#L1389
> [2]: https://security.stackexchange.com/a/160809
> [3]: https://tools.ietf.org/html/rfc2818#page-5
>
>
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
>

Thanks Ray for the reply. Actually it's a piece of software which generates
the CSR taking Subject Alt names as arguments.
And it does not seem to distinguish between hostname/IPAddress passed as
argument and keeps even the IPAddress in the dNSName field of Subject Alt
Names.

Regarding the version string, yes the PycURL version string contains
libcurl as well as SSL library version info -

>>> import pycurl
>>> pycurl.version
'PycURL/7.43.0 libcurl/7.56.1 OpenSSL/1.0.2l zlib/1.2.11 c-ares/1.13.0'

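As an added illustration of the matching rule Ray describes (this is example code, not code from curl, OpenSSL or pycurl): a small Python checker that applies the RFC 2818 split, so the SAN list from the certificate above matches `host.cust1.com` but rejects `172.73.74.75`, while an `IP Address:` entry for the same value would match. The `IP Address:` label is OpenSSL's text rendering of an iPAddress entry; the SAN string is constructed from the thread.

```python
import ipaddress

# Constructed from the certificate in the thread: the IP sits in a dNSName entry.
CERT_SANS = "DNS:host.cust1.com, DNS:172.73.74.75, DNS:securepr.cust1.com"


def parse_sans(text):
    """Parse OpenSSL's 'TYPE:value, TYPE:value' SAN rendering into (type, value) pairs."""
    entries = []
    for item in text.split(","):
        kind, _, value = item.strip().partition(":")  # first ':' only, so IPv6 values survive
        entries.append((kind.strip(), value.strip()))
    return entries


def dns_name_matches(pattern, host):
    """dNSName match: case-insensitive, with at most one leftmost '*' covering one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels, h_labels = pattern.split("."), host.split(".")
        # the wildcard stands for exactly one label and needs two more labels after it
        return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
                and p_labels[1:] == h_labels[1:])
    return False


def san_matches_target(san_text, target):
    """True if target is covered by the SAN list under the RFC 2818 rule:
    an IP-literal target matches only iPAddress entries, a hostname only dNSName entries."""
    try:
        target_ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        target_ip = None  # not an IP literal, so treat it as a hostname
    for kind, value in parse_sans(san_text):
        if target_ip is not None:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == target_ip:
                        return True
                except ValueError:
                    pass  # malformed iPAddress entry never matches
        elif kind == "DNS" and dns_name_matches(value, target):
            return True
    return False
```

With the thread's SAN list, `san_matches_target(CERT_SANS, "172.73.74.75")` is False, which is the same outcome libcurl reports; a CSR that emits the address as an iPAddress entry instead fixes it.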
Received on 2017-11-30