
curl-library

Re: subject Alternative field check in server certificate

From: Oscar Koeroo <okoeroo_at_nikhef.nl>
Date: Wed, 26 Dec 2012 22:11:23 +0100

On 26-12-12 17:19, Indtiny s wrote:
> I verified the certificate with the openssl command line tool; in that I
> could see the subject field is NULL and the SubjAltNames are present.
>
> This is valid as per [RFC 5280]: “If subject naming information
> is present only in the subjectAltName extension
> (e.g., a key bound only to an email address or URI), then the subject name
> MUST be an empty sequence and the subjectAltName extension MUST be critical.”
>
> When I tried to understand the curl code for this problem, I found that curl
> calls “X509_get_subject_name” to retrieve the “SubjectName”; if the
> “SubjectName” field is empty, curl throws the “SSL: couldn't get X509-subject!”
> error instead of checking for the “SubjectAlternativeName” extension.
>
> Is curl really missing the check of the SubjectAlternativeName? If curl
> supports this, then how do I enable curl to check the Subject
> Alternative Name?
>
> Rgds
> Indra

Hi,

I believe RFC 5280 is misinterpreted on this point, and you probably meant
to point to RFC 2818 with regard to the Subject Alt Name checks themselves.
However, with respect to RFC 5280: if there is no naming available at all,
then the Subject Name must be an empty sequence. This is to say, if you have
no motivation whatsoever to follow a naming scheme of a CA.

Not having/implementing/using a Subject Name (or Subject DN) is against a
(strong) recommendation of the CAB Forum.

On a practical note, I suspect more tools will raise an error on this
certificate construction. Also, different SSL backends of libcurl might
raise warnings or errors from the SSL stack itself.

What CA did you use? Was it a commercial CA?

I've considered removing this check on the assumption that Subject Alt Names
are present, but declined as a matter of best practice: always have a Subject
Name, even when it is not used in an RFC 2818 check.

        Oscar
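The two rules the thread is arguing about, as an added example that is not part of the original mail and not curl's own code: the RFC 5280 rule (an empty Subject SEQUENCE is only allowed when subjectAltName is present and critical) and the RFC 2818 name match (use SAN dNSNames when present, fall back to the CN only when there are none). It is a pure-Python DER walker with no OpenSSL dependency; the three certificates it checks are constructed inside the block (unsigned TBSCertificate bodies with a dummy key), and the wildcard rule it applies is the common leftmost-label-only form rather than the looser text of RFC 2818.

```python
"""RFC 5280 empty-Subject rule and RFC 2818 name match over hand-built DER.

Sample certificates are constructed below (dummy key, no signature); they
exist only to exercise the checks discussed in the curl-library thread."""
SEQ, SET, INT, BOOL, OCTET, UTF8, BITSTR, UTCTIME, OIDT = (
    0x30, 0x31, 0x02, 0x01, 0x04, 0x0C, 0x03, 0x17, 0x06)
CTX0, CTX3, GN_DNS = 0xA0, 0xA3, 0x82   # [0]/[3] EXPLICIT; GeneralName dNSName [2]
OID_SAN = bytes.fromhex("551d11")                    # 2.5.29.17 subjectAltName
OID_CN = bytes.fromhex("550403")                     # 2.5.4.3  commonName
OID_RSA = bytes.fromhex("2a864886f70d010101")        # rsaEncryption
OID_SHA256RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption


def der(tag, body):
    """Encode one TLV with a short- or long-form DER length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def tlvs(buf):
    """Split DER bytes into top-level (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                       # long form: low 7 bits = length-of-length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out


def name(cn=None):
    """Name ::= SEQUENCE OF RDN; an empty SEQUENCE when no CN is given."""
    if cn is None:
        return der(SEQ, b"")
    atv = der(SEQ, der(OIDT, OID_CN) + der(UTF8, cn.encode()))
    return der(SEQ, der(SET, atv))


def san_extension(dns_names, critical):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }."""
    gns = der(SEQ, b"".join(der(GN_DNS, d.encode("ascii")) for d in dns_names))
    crit = der(BOOL, b"\xff") if critical else b""   # DER omits the FALSE default
    return der(SEQ, der(OIDT, OID_SAN) + crit + der(OCTET, gns))


def tbs_certificate(subject, extensions):
    """Constructed TBSCertificate (RFC 5280 4.1): v3, serial 1, dummy RSA key."""
    spki = der(SEQ, der(SEQ, der(OIDT, OID_RSA) + b"\x05\x00") + der(BITSTR, b"\x00\x01\x02"))
    validity = der(SEQ, der(UTCTIME, b"230101000000Z") + der(UTCTIME, b"240101000000Z"))
    fields = (der(CTX0, der(INT, b"\x02")) + der(INT, b"\x01")
              + der(SEQ, der(OIDT, OID_SHA256RSA) + b"\x05\x00")
              + name("Test CA") + validity + subject + spki)
    if extensions:
        fields += der(CTX3, der(SEQ, b"".join(extensions)))
    return der(SEQ, fields)


def inspect_naming(tbs):
    """Return CN, SAN dNSNames, and whether RFC 5280 4.1.2.6 is satisfied."""
    f = tlvs(tlvs(tbs)[0][1])              # outer SEQUENCE -> TBS field list
    if f[0][0] == CTX0:                    # optional version [0]
        f = f[1:]
    subject = f[4]                         # serial, sigAlg, issuer, validity, subject, spki
    cn, dns, san_present, san_critical = None, [], False, False
    for _, rdn_set in tlvs(subject[1]):
        for _, atv in tlvs(rdn_set):
            parts = tlvs(atv)
            if parts[0][1] == OID_CN:
                cn = parts[1][1].decode()
    for tag, body in f[6:]:                # [1] issuerUID, [2] subjectUID, [3] extensions
        if tag != CTX3:
            continue
        for _, ext in tlvs(tlvs(body)[0][1]):
            parts = tlvs(ext)
            if parts[0][1] != OID_SAN:
                continue
            san_present = True
            san_critical = len(parts) == 3 and parts[1][1] == b"\xff"
            for gtag, gval in tlvs(tlvs(parts[-1][1])[0][1]):
                if gtag == GN_DNS:
                    dns.append(gval.decode("ascii"))
    empty = subject[1] == b""
    return {"cn": cn, "dns_names": dns, "subject_empty": empty,
            "san_present": san_present, "san_critical": san_critical,
            "rfc5280_ok": (not empty) or (san_present and san_critical)}


def _label_match(pattern, host):
    """Case-insensitive match; '*' allowed only as the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h


def hostname_matches(tbs, host):
    """RFC 2818 3.1: SAN dNSNames win; the CN is consulted only if there are none."""
    info = inspect_naming(tbs)
    names = info["dns_names"] or ([info["cn"]] if info["cn"] else [])
    return any(_label_match(n, host) for n in names)


# Constructed samples: the thread's case (empty Subject, critical SAN), the
# same with a non-critical SAN (violates RFC 5280), and a legacy CN-only cert.
CERT_SAN_ONLY = tbs_certificate(name(), [san_extension(["www.example.org", "*.test.example.org"], True)])
CERT_SAN_NONCRIT = tbs_certificate(name(), [san_extension(["www.example.org"], False)])
CERT_CN_ONLY = tbs_certificate(name("example.com"), [])

if __name__ == "__main__":
    for label, c in [("san-only", CERT_SAN_ONLY), ("san-noncrit", CERT_SAN_NONCRIT), ("cn-only", CERT_CN_ONLY)]:
        print(label, inspect_naming(c), hostname_matches(c, "www.example.org"))
```

The point for a client library is visible in `hostname_matches`: nothing in the RFC 2818 match needs the Subject at all once a SAN is present, so failing early on an empty `X509_get_subject_name` result rejects a certificate that is valid under RFC 5280. A library that keeps the check anyway (as the reply above chooses to) is enforcing a CA best practice, not a protocol requirement, and the `rfc5280_ok` flag shows which certificates it would have accepted.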

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2012-12-26