
A CN-only certificate verification regression

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 8 Mar 2022 14:14:46 +0100 (CET)

Hello team,

Issue #8559 was submitted, identifying a flaw in the OpenSSL backend when
curl verifies the CN field of a certificate. It returns an error ("out of
memory") for all such certificates. The fix is straight-forward and should land
shortly [#8560].

I'm just telling you this to keep the wider user base informed. I don't
consider this problem serious enough for a patch release. Public CAs don't
allow certificates with CN-only (thus avoiding this bug), and according to
stats (linked to in the issue), only 1.57% of private CAs use this feature.

Of course, if you think otherwise I'm sure you'll let me know.

#8559 = https://github.com/curl/curl/issues/8559
#8560 = https://github.com/curl/curl/pull/8560

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
Received on 2022-03-08