author | Daniel Stenberg <daniel@haxx.se> | 2009-09-16 20:44:18 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2009-09-16 20:44:18 +0000 |
commit | 250ba9949894571052888cd2065defbb3e00b183 (patch) | |
tree | bd368d9b53bf8d43cbee54515f097b76a16843e2 | |
parent | c2c3a46e3e69afb6f34410b89919b2e5c18ce1c4 (diff) |
- Sven Anders reported that we introduced a cert verification flaw for OpenSSL-
powered libcurl in 7.19.6. If there was an X509v3 Subject Alternative Name
field in the certificate it had to match, so even if only a non-DNS, non-IP
entry was present it caused the verification to fail.
-rw-r--r-- | CHANGES | 6 | ||||
-rw-r--r-- | RELEASE-NOTES | 3 | ||||
-rw-r--r-- | lib/ssluse.c | 17 |
3 files changed, 19 insertions, 7 deletions
@@ -6,6 +6,12 @@ Changelog
+Daniel Stenberg (16 Sep 2009)
+- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
+ powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
+ field in the certficate it had to match and so even if non-DNS and non-IP
+ entry was present it caused the verification to fail.
+
 Daniel Fandrich (15 Sep 2009)
 - Moved the libssh2 checks after the SSL library checks. This helps when
 statically linking since libssh2 needs the SSL library link flags to be
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 7136fd55c..6077ef25f 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -28,6 +28,7 @@ This release includes the following bugfixes:
 o configure uses pkg-config for cross-compiles as well
 o improved NSS detection in configure
 o cookie expiry date at 1970-jan-1 00:00:00
+ o libcurl-OpenSSL failed to verify some certs with Subject Alternative Name
 This release includes the following known bugs:
@@ -38,6 +39,6 @@ advice from friends like these:
 Karl Moerder, Kamil Dudka, Krister Johansen, Andre Guibert de Bruet,
 Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson,
- Claes Jakobsson
+ Claes Jakobsson, Sven Anders
 Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/ssluse.c b/lib/ssluse.c
index aaf5df05a..c0c1ee6de 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1056,7 +1056,8 @@ cert_hostcheck(const char *match_pattern, const char *hostname)
 static CURLcode verifyhost(struct connectdata *conn,
 X509 *server_cert)
 {
- bool matched = FALSE; /* no alternative match yet */
+ int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
+ means mismatch */
 int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
 size_t addrlen = 0;
 struct SessionHandle *data = conn->data;
@@ -1093,7 +1094,7 @@ static CURLcode verifyhost(struct connectdata *conn,
 numalts = sk_GENERAL_NAME_num(altnames);
 /* loop through all alternatives while none has matched */
- for (i=0; (i<numalts) && !matched; i++) {
+ for (i=0; (i<numalts) && (matched != 1); i++) {
 /* get a handle to alternative name number i */
 const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
@@ -1119,14 +1120,18 @@ static CURLcode verifyhost(struct connectdata *conn,
 /* if this isn't true, there was an embedded zero in the name string and we cannot match it. */
 cert_hostcheck(altptr, conn->host.name))
- matched = TRUE;
+ matched = 1;
+ else
+ matched = 0;
 break;
 case GEN_IPADD: /* IP address comparison */
 /* compare alternative IP address if the data chunk is the same size our server IP address is */
 if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
- matched = TRUE;
+ matched = 1;
+ else
+ matched = 0;
 break;
 }
 }
@@ -1134,10 +1139,10 @@ static CURLcode verifyhost(struct connectdata *conn,
 GENERAL_NAMES_free(altnames);
 }
- if(matched)
+ if(matched == 1)
 /* an alternative name matched the server hostname */
 infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
- else if(altnames) {
+ else if(matched == 0) {
 /* an alternative name field existed, but didn't match and then we MUST fail */
 infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
 |
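Review bot: The comment on the new `else if(matched == 0)` branch in the last hunk, "an alternative name field existed, but didn't match", no longer describes the condition: with the tri-state `matched`, that branch is taken only when a subjectAltName entry of the `target` type (GEN_DNS or GEN_IPADD) was actually compared and mismatched, while a certificate whose SANs are all of other types leaves `matched` at -1 and presumably falls through to the Common Name check that follows outside the hunk. I'd reword it to `/* a subjectAltName entry of the target type existed but none matched, so we MUST fail rather than fall back to the CN */` so the distinction this commit introduces is not lost on the next reader. The -1/0/1 encoding introduced in the first ssluse.c hunk (`int matched = -1;`) would read better as named constants, e.g. a local `enum { ALTNAME_NONE = -1, ALTNAME_MISMATCH, ALTNAME_MATCH }`, so the loop condition and both tests state their intent instead of comparing against literals. One caveat worth a comment at the same spot: when `target` is GEN_IPADD, RFC 2818 section 3.1 expects the iPAddress SAN to be present for an IP-literal host, so the -1 fall-back to the CN is more lenient than that text, which may be intentional for compatibility but deserves to be written down. verifyhost's body continues outside these hunks.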