
curl-users

[PATCH]add --peer-CN-regex option to the command line tool

From: Torsten Foertsch <torsten.foertsch_at_gmx.net>
Date: Tue, 3 Jun 2003 22:36:28 +0200


On Tuesday 03 June 2003 15:21, Götz Babin-Ebell wrote:
> I think it would be better to add a name that is checked
> against the DN of the certificate.
>
> Meaning:
> Host name: some.com
> CN of DN: *.company.com
> set name: www.company.com

done. (or "feddisch", as the Hessian says).

The patch below adds a "--peer-CN-regex <regular expression>" option to the command
line tool and a new "CURLOPT_SSLPEERREGEX" option to libcurl. Here is an example of what
it does:

First, without it. The connection is refused by curl. The peer Common Name is
'www.gmx.net' but the requested host is 'gmx.net'.

opi:~/FTP/curl-7.10.5.new # curl https://gmx.net -I -v
* About to connect() to gmx.net:443
* Connected to www.gmx.net (213.165.65.100) port 443
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: /C=DE/ST=Bavaria/L=Munich/O=GMX GmbH/CN=www.gmx.net
* start date: 2003-02-20 10:45:14 GMT
* expire date: 2005-02-19 10:45:14 GMT
* SSL: certificate subject name 'www.gmx.net' does not match target host name
'gmx.net'
* Closing connection #0
curl: (51) SSL: certificate subject name 'www.gmx.net' does not match target
host name 'gmx.net'

With the new option the connection is accepted.

opi:~/FTP/curl-7.10.5.new # curl https://gmx.net -I -v --peer-CN-regex '([^.]*\.)?gmx\.[^.]+$'
* About to connect() to gmx.net:443
* Connected to www.gmx.net (213.165.65.100) port 443
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: /C=DE/ST=Bavaria/L=Munich/O=GMX GmbH/CN=www.gmx.net
* start date: 2003-02-20 10:45:14 GMT
* expire date: 2005-02-19 10:45:14 GMT
* common name: www.gmx.net (matched)
* issuer: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
CA/Email=server-certs_at_thawte.com
> HEAD / HTTP/1.1
User-Agent: curl/7.10.5 (i686-pc-linux-gnu) libcurl/7.10.5 OpenSSL/0.9.6g ipv6
zlib/1.1.4
Host: gmx.net
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Tue, 03 Jun 2003 20:36:08 GMT
Date: Tue, 03 Jun 2003 20:36:08 GMT
< Server: Apache
Server: Apache
< Cache-Control: no-cache
Cache-Control: no-cache
< Expires: Thu, 01 Dec 1994 16:00:00 GMT
Expires: Thu, 01 Dec 1994 16:00:00 GMT
< Pragma: no-cache
Pragma: no-cache
< Connection: close
Connection: close
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1

* Closing connection #0

The program is tested on Linux with GNU regexes that claim to be POSIX 2
compliant.

Torsten
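As an added illustration (my code, not the patch from the mail, which is not reproduced on this page), the check the option describes, redone in C with POSIX regexes: pull the CN out of an OpenSSL one-line subject and test it against the user's pattern. The helper names are mine; the second pattern shows that the example regex from the mail is unanchored and TLD-agnostic, and what an anchored form looks like.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Extract the CN from a subject such as "/C=DE/O=GMX GmbH/CN=www.gmx.net".
 * Returns 0 on success, -1 if no CN is present or it does not fit. */
int extract_cn(const char *subject, char *out, size_t outlen)
{
    const char *p = strstr(subject, "/CN=");
    if (!p) return -1;
    p += 4;
    size_t n = strcspn(p, "/");          /* CN ends at the next RDN or at end */
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* The proposed check: accept the peer when its CN matches the POSIX extended
 * regex. Returns 1 = match, 0 = no match, -1 = pattern failed to compile. */
int cn_matches(const char *cn, const char *pattern)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int rc = regexec(&re, cn, 0, NULL, 0);   /* unanchored search, as regexec does */
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Convenience wrapper over a full subject line. */
int subject_accepted(const char *subject, const char *pattern)
{
    char cn[256];
    if (extract_cn(subject, cn, sizeof cn) != 0) return 0;
    return cn_matches(cn, pattern) == 1;
}

int main(void)
{
    /* Constructed inputs mirroring the subject line shown in the mail. */
    const char *subject = "/C=DE/ST=Bavaria/L=Munich/O=GMX GmbH/CN=www.gmx.net";
    const char *loose = "([^.]*\\.)?gmx\\.[^.]+$";   /* the pattern from the mail */
    const char *tight = "^([^.]*\\.)?gmx\\.net$";    /* anchored, TLD fixed */
    printf("www.gmx.net  loose=%d tight=%d\n", subject_accepted(subject, loose),
           subject_accepted(subject, tight));
    printf("evil-gmx.net loose=%d tight=%d\n", cn_matches("evil-gmx.net", loose),
           cn_matches("evil-gmx.net", tight));
    return 0;
}
```

The loose pattern accepts any CN that merely contains "gmx." followed by some label at the end, so anchoring with ^ and spelling out the expected TLD is the safer way to write such a rule.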


Received on 2003-06-03