Bugs item #3573889, was opened at 2012-10-02 12:11
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3573889&group_id=976
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: https
Group: bad behaviour
Status: Pending
Resolution: Invalid
Priority: 5
Private: No
Submitted By: Morac (mkraft)
Assigned to: Daniel Stenberg (bagder)
Summary: BADCERT_CN_MISMATCH for valid certificate
Initial Comment:
I'm trying to access https://www.wd2go.com. The certificate is valid and the chain goes from *.wd2go.com to "DigiCert High Assurance CA-3" to "DigiCert High Assurance EV Root CA" to "GTE CyberTrust Global Root". I'm using the http://curl.haxx.se/ca/cacert.pem certificate file. In curl 7.27.0 this results in a BADCERT_CN_MISMATCH error. It works fine under curl 7.23.1.
The web site loads fine in Firefox. I do notice that the "DigiCert High Assurance EV Root CA" certificate in Firefox does not match the one in cacert.pem. It didn't work when I added the Firefox certificate to the cacert.pem file. It didn't even work when I added the *.wd2go.com certificate to that file.
Again curl 7.23.1 works, 7.27.0 does not.
The output for curl 7.27.0 is:
* About to connect() to www.wd2go.com port 443 (#0)
* Trying 198.107.148.110...
* connected
* Connected to www.wd2go.com (198.107.148.110) port 443 (#0)
* PolarSSL: Connecting to www.wd2go.com:443
* PolarSSL: Handshake complete, cipher is SSL-RSA-RC4-128-MD5
* Cert verify failed: BADCERT_CN_MISMATCH
* Closing connection #0
curl: (51) Cert verify failed: BADCERT_CN_MISMATCH
----------------------------------------------------------------------
>Comment By: Daniel Stenberg (bagder)
Date: 2012-11-02 02:13
Message:
Would you mind creating a patch for those "manual" changes necessary so
that we can have the next release work fine with polarssl 1.2.0 ?
----------------------------------------------------------------------
Comment By: https://www.google.com/accounts ()
Date: 2012-11-01 23:47
Message:
This issue has nothing to do with libcurl.
When I used curl 7.28.0 + PolarSSL 1.1.4, I met exactly the same problem.
But when I moved to PolarSSL 1.2.0, which was just released on Oct 31, this
issue was resolved.
(You have to modify curl-7.28.0/lib/polarssl.c manually to make curl work
with PolarSSL 1.2.0.)
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2012-10-23 14:03
Message:
curl 7.28.0 (i486-pc-linux-gnu) libcurl/7.28.0 OpenSSL/1.0.1c zlib/1.2.7
libidn/1.25 libssh2/1.4.2 librtmp/2.3, instead hangs on that site. I can
repeat the problem with polarssl 1.1.0 on my machine.
So it looks like a bad server, with possibly some quirk in polarssl. I
cannot see a bug in curl.
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2012-10-06 13:42
Message:
It certainly makes me suspect the problem is within PolarSSL but I have no
proof of that yet...
----------------------------------------------------------------------
Comment By: Morac (mkraft)
Date: 2012-10-04 09:31
Message:
The 7.23.0 version is listed as:
curl 7.23.1 (mipsel-unknown-linux-gnu) libcurl/7.23.1 OpenSSL/1.0.1c
zlib/1.2.7
Protocols: file ftp ftps http https imap imaps pop3 pop3s rtsp smtp smtps
tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
The 7.27.0 version is listed as:
curl 7.27.0 (mipsel-unknown-linux-gnu) libcurl/7.27.0 PolarSSL/1.1.4
zlib/1.2.7
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp
smtp smtps telnet tftp
Features: IPv6 Largefile SSL libz
It looks like the old one uses OpenSSL, while the new one uses PolarSSL.
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2012-10-02 13:49
Message:
Are you using the same SSL library (and version) with both curl versions?
If so, which PolarSSL version are you using?
----------------------------------------------------------------------
Received on 2012-11-02