curl-tracker Archives
[curl:bugs] #1471 CURLOPT_PINNEDPUBLICKEY documentation incomplete
From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Mon, 19 Jan 2015 22:22:00 +0000
Thanks but it doesn't work exactly like that. servercert() would still skip the pin check when 'result' is non-zero.
What do you think about the attached patch?
Attachment: 0001-openssl-do-public-key-pinning-check-independently.patch (2.4 kB; application/x-patch)
---

**[bugs:#1471] CURLOPT_PINNEDPUBLICKEY documentation incomplete**

**Status:** open-confirmed
**Created:** Fri Jan 16, 2015 03:06 PM UTC by Kyle
**Last Updated:** Sat Jan 17, 2015 12:57 AM UTC
**Owner:** Daniel Stenberg

The documentation for CURLOPT_PINNEDPUBLICKEY available at:

<http://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html>

Does not state what happens when BOTH CURLOPT_SSL_VERIFYHOST == 0 AND CURLOPT_SSL_VERIFYPEER == 0. This is bad because (at least vtls/openssl.c) ignores the pinned public key (other than to emit a verbose mode message) when VERIFYHOST and VERIFYPEER are off.

For example (using curl 7.40 built with OpenSSL):

    cd /tmp
    openssl genrsa | openssl rsa -pubout > dummykey.pem
    curl -vI --pinnedpubkey dummykey.pem https://github.com/

This appears in the output:

    * SSL: public key does not match pinned public key!
    curl: (90) SSL: public key does not match pinned public key!

and curl's exit status is 90. However, if we repeat like so:

    curl -vI -k --pinnedpubkey dummykey.pem https://github.com/

Then only this appears in the output:

    * SSL: public key does not match pinned public key!

And curl's exit status is 0. That is completely unexpected and not mentioned anywhere in the docs for CURLOPT_PINNEDPUBLICKEY, so either it's a bug or the docs are wrong. And while you might also want to VERIFYHOST when using a pinned public key, that shouldn't be required to use one. Please take appropriate action.

I'm inclined to believe it's a bug because the whole point of using pinned public keys is so that you can completely ignore trusted root certificates etc. in favor of a pinned public key.

---

Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options.
Received on 2015-01-19
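To make the control-flow point of the thread concrete, here is an added model in C. It is not curl's code and not the attached patch; it only reproduces, in a self-contained way, the two behaviours the report and the reply describe. `servercert_pin_gated` puts the pin comparison inside the "verification requested" branch and additionally gates it on `result == CURLE_OK`, which is the shape Daniel objects to (the pin check is skipped whenever `result` is non-zero, and with `-k` it degrades to a log line). `servercert_pin_independent` runs the pin comparison unconditionally and reports it as its own failure. The DER "keys" are constructed byte strings standing in for SubjectPublicKeyInfo blobs; the error value 90 is the exit status quoted in the report, and `VERIFY_FAILED` is a constructed stand-in for curl's real peer-verification error code, not its actual value.

```c
/* Added illustration, not curl's code: a minimal model of the two control
 * flows discussed in the thread.  Error values: 0 and 90 are the exit statuses
 * quoted in the report; VERIFY_FAILED is a constructed stand-in. */
#include <stdio.h>
#include <stddef.h>

#define CURLE_OK                        0
#define CURLE_SSL_PINNEDPUBKEYNOTMATCH  90  /* exit status shown in the report */
#define VERIFY_FAILED                   1   /* constructed stand-in, not curl's real code */

/* Compare the server's DER SubjectPublicKeyInfo with the pinned copy.  A length
 * mismatch is an immediate failure; equal-length buffers are compared without
 * an early exit so the comparison time does not depend on where they differ. */
static int pinned_key_matches(const unsigned char *pinned, size_t pinned_len,
                              const unsigned char *server, size_t server_len)
{
    unsigned char diff = 0;
    size_t i;
    if(pinned_len != server_len)
        return 0;
    for(i = 0; i < pinned_len; i++)
        diff |= pinned[i] ^ server[i];
    return diff == 0;
}

/* Gated flow (the behaviour the report observes): the pin comparison only
 * runs when verification was requested AND the chain check succeeded.  With
 * verifypeer and verifyhost both off, a mismatch is printed but never returned,
 * so the caller sees CURLE_OK. */
int servercert_pin_gated(int verifypeer, int verifyhost, int chain_ok,
                         const unsigned char *pinned, size_t pinned_len,
                         const unsigned char *server, size_t server_len)
{
    int result = CURLE_OK;
    if(verifypeer || verifyhost) {
        if(!chain_ok)
            result = VERIFY_FAILED;
        /* skipped whenever result is already non-zero */
        if(!result && pinned &&
           !pinned_key_matches(pinned, pinned_len, server, server_len))
            result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
    }
    else if(pinned && !pinned_key_matches(pinned, pinned_len, server, server_len)) {
        /* verbose message only; the failure is not propagated */
        fprintf(stderr, "* SSL: public key does not match pinned public key!\n");
    }
    return result;
}

/* Independent flow: chain verification and pinning are separate checks.  A pin
 * mismatch is returned whether or not verification is enabled and whether or
 * not the chain check passed. */
int servercert_pin_independent(int verifypeer, int verifyhost, int chain_ok,
                               const unsigned char *pinned, size_t pinned_len,
                               const unsigned char *server, size_t server_len)
{
    int result = CURLE_OK;
    if((verifypeer || verifyhost) && !chain_ok)
        result = VERIFY_FAILED;
    if(pinned && !pinned_key_matches(pinned, pinned_len, server, server_len)) {
        fprintf(stderr, "* SSL: public key does not match pinned public key!\n");
        result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
    }
    return result;
}

/* Constructed sample "keys": short byte strings standing in for DER SPKI blobs.
 * DUMMY_SPKI differs from SERVER_SPKI in its last byte, like dummykey.pem
 * versus the real server key in the report. */
static const unsigned char SERVER_SPKI[] = {0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86};
static const unsigned char DUMMY_SPKI[]  = {0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x00};

/* The two invocations from the report: with and without -k, against each flow. */
int repro_without_k(void)
{
    return servercert_pin_gated(1, 1, 1, DUMMY_SPKI, sizeof DUMMY_SPKI,
                                SERVER_SPKI, sizeof SERVER_SPKI);
}
int repro_with_k_gated(void)
{
    return servercert_pin_gated(0, 0, 1, DUMMY_SPKI, sizeof DUMMY_SPKI,
                                SERVER_SPKI, sizeof SERVER_SPKI);
}
int repro_with_k_independent(void)
{
    return servercert_pin_independent(0, 0, 1, DUMMY_SPKI, sizeof DUMMY_SPKI,
                                      SERVER_SPKI, sizeof SERVER_SPKI);
}

int main(void)
{
    printf("without -k:             %d\n", repro_without_k());        /* 90 */
    printf("with -k, gated:         %d\n", repro_with_k_gated());     /* 0  */
    printf("with -k, independent:   %d\n", repro_with_k_independent()); /* 90 */
    return 0;
}
```

The third case is the one the report asks for: with `-k` the chain is deliberately not verified, yet the pin mismatch is still returned as error 90 rather than reduced to a verbose-mode line.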