[libcurl] certificate field get truncated #4837

Closed
bmfp opened this issue Jan 21, 2020 · 2 comments

bmfp commented Jan 21, 2020

TL;DR
When using libcurl, at least the "X509v3 Subject Alternative Name" field gets truncated after 512 characters. I didn't observe/test it on other fields.

I did this

I expected the following

  • with certinfo.c, show all SAN items, but got:
X509v3 Subject Alternative Name:DNS:consent.oath.com,DNS:consent.yahoo.com,DNS:guce.verizonmedia.com,DNS:guce2.oath.com,DNS:guce.alephd.com,DNS:guce.aol.ca,DNS:guce.aol.co.uk,DNS:guce.huffingtonpost.co.uk,DNS:guce.huffingtonpost.co.za,DNS:guce.huffingtonpost.com.au,DNS:guce.huffingtonpost.com.mx,DNS:guce.huffingtonpost.de,DNS:guce.huffingtonpost.es,DNS:guce.huffingtonpost.fr,DNS:guce.huffingtonpost.gr,DNS:guce.huffingtonpost.in,DNS:guce.huffingtonpost.it,DNS:guce.huffingtonpost.jp,DNS:guce.huffingtonpost.kr,DNS:guce.huffpost.com,DNS:guce
  • with 2nd test, show that certificate is valid: this one is ok
    subjectAltName: host "guce.nexage.com" matched cert's "guce.nexage.com"

curl/libcurl version

ii  curl                                            7.58.0-2ubuntu3.8                                   amd64        command line tool for transferring data with URL syntax
ii  libcurl3-gnutls:amd64                           7.58.0-2ubuntu3.8                                   amd64        easy-to-use client-side URL transfer library (GnuTLS flavour)
ii  libcurl4:amd64                                  7.58.0-2ubuntu3.8                                   amd64        easy-to-use client-side URL transfer library (OpenSSL flavour)
ii  libcurl4-openssl-dev:amd64                      7.58.0-2ubuntu3.8                                   amd64        development files and documentation for libcurl (OpenSSL flavour)

[curl -V output]

curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

operating system

uname -a
Linux r01 5.3.0-26-generic #28~18.04.1-Ubuntu SMP Wed Dec 18 16:40:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

bagder added the TLS label Jan 22, 2020

bagder (Member) commented Jan 22, 2020

Your -V shows your curl uses OpenSSL, so that list item libcurl3-gnutls:amd64 is probably not relevant here.

bagder added a commit that referenced this issue Jan 22, 2020
Avoid "reparsing" the content and instead deliver more exactly what is
provided in the certificate and avoid truncating the data after 512
bytes as done previously. This no longer removes embedded newlines.

Fixes #4837
Reported-by: bnfp on github

bmfp (Author) commented Jan 22, 2020

@bagder you're right!
The versions were only extracted with dpkg -l | grep curl

bagder closed this as completed in 3ecdfb1 Jan 23, 2020
lock bot locked as resolved and limited conversation to collaborators Apr 25, 2020
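
The 512-byte truncation reported in this issue, as an added C illustration that is not part of the thread or of curl's source: a constructed SAN list is copied once into a fixed 512-byte buffer and once into a buffer sized from the data. The helper names and the example.test host names are assumptions made for the example.

```c
/* Added illustration of the bug class; not curl's source code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define FIELD_BUF 512 /* the limit reported in the issue */

/* Constructed input: n entries "DNS:hostN.example.test". Caller frees. */
static char *make_san(int n) {
  size_t cap = (size_t)n * 40 + 1, len = 0;
  char *s = malloc(cap);
  if(!s) return NULL;
  s[0] = '\0';
  for(int i = 0; i < n; i++)
    len += (size_t)snprintf(s + len, cap - len, "%sDNS:host%d.example.test",
                            i ? "," : "", i);
  return s;
}

/* Fixed-size copy. snprintf() returns the length it needed, so a result
   >= FIELD_BUF means the value was cut short. Returns 1 when truncated. */
static int copy_fixed(char out[FIELD_BUF], const char *value) {
  int need = snprintf(out, FIELD_BUF, "%s", value);
  return need < 0 || need >= FIELD_BUF;
}

/* Length-driven copy: the buffer follows the data. Caller frees. */
static char *copy_full(const char *value) {
  size_t len = strlen(value);
  char *out = malloc(len + 1);
  if(out) memcpy(out, value, len + 1);
  return out;
}

/* Number of "DNS:" entries visible in a field value. */
static int count_dns(const char *field) {
  int n = 0;
  for(const char *p = field; (p = strstr(p, "DNS:")) != NULL; p += 4)
    n++;
  return n;
}

int main(void) {
  char buf[FIELD_BUF], *san = make_san(40), *full = san ? copy_full(san) : NULL;
  if(!full) { free(san); return 1; }
  int cut = copy_fixed(buf, san);
  printf("truncated=%d fixed=%d full=%d\n", cut, count_dns(buf), count_dns(full));
  free(full); free(san);
  return 0;
}
```

A tool that audits SAN coverage from the fixed-size copy sees 22 of the 40 names, the last one partial; checking the snprintf() return value is what exposes the cut.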