Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

Fetching the detail of SSL Host verification failure

From: Basuke Suzuki via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 23 Oct 2018 17:52:47 +0000

Hi libcurl guys,

We have an issue when libcurl fails verification on HTTPS communication. Here's the situation:

1. OpenSSL verify certificate successfully.
2. In vtls/openssl.c: verifyhost() returns error because the verification of the hostname fails.
3. All verification errors are CURLE_PEER_FAILED_VERIFICATION (51).
4. Actually there're four cases:
  a. no alternative certificate subject name matches target host name '%s'
  b. illegal cert name field
  c. unable to obtain common name from peer certificate
  d. certificate subject name '%s' does not match target host name '%s'

We need to distinguish these four cases from CURLE_PEER_FAILED_VERIFICATION.
So we want to fix this by extending the api. There are three options we can take and want to hear your opinion.

1) Simply defines new CURLE codes for each four cases and return them.

This is the simple solution, but it will return different error code for existing application.

2) Add new option to return new error code.

Define new option such as CURLOPT_SSL_VERIFYHOST_EXTENDED_RESULT to change the error code.
This protects the existing application and safely extends the api.

3) Define new value to CURLOPT_SSL_VERIFYHOST.

Currently 0 or 2 is set for CURLOPT_SSL_VERIFYHOST for this option. Then define new value 3 to return extended result code.

4) Use CURLINFO_SSL_VERIFYRESULT.

Because OpenSSL returns no validation error, the field for this verify result is available in the situation.
When verifyhost() fails, return code is unchanged from CURLE_PEER_FAILED_VERIFICATION and put newly defined error code into data->set.ssl. certverifyresult which is available by curl_easy_getinfo with CURLINFO_SSL_VERIFYRESULT. This doesn't break existing application.

We are ready to send a PR for solution 4, but before sending this, we want to hear the voice of community.

Thanks.
---------
Basuke Suzuki
SONY PlayStation

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-10-23