Re: Changed logic in verifyhost()

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 24 May 2016 10:06:10 +0200 (CEST)

On Tue, 24 May 2016, Erland Costyson wrote:

> Yes, it used to work. But did it work because the code didn't work as
> intended or was a bug introduced in the change if RFC2818 should be followed
> as the comment over the function suggests?

I went back and reread the spec, and I think what I stated before was not
entirely matched in the spec. RFC 2818 section 3.1 says:

   If a subjectAltName extension of type dNSName is present, that MUST
   be used as the identity

The *of type dNSName* part wasn't included in my previous claim. I assume in
your case you don't have any dNSName but only iPAddress so that statement
doesn't apply to you.

However, the following section does:

   In some cases, the URI is specified as an IP address rather than a
   hostname. In this case, the iPAddress subjectAltName must be present
   in the certificate and must exactly match the IP in the URI.

If you have A) a URL specified as IP address B) subjectAltName in cert but no
match for any IPAddress then it isn't a match. Only if you don't have a
subjectAltName field at all should it check the Common Name field for a match:

   Although the use of the Common Name is existing practice, it is deprecated

(deprecated already in the spec from the year 2000)

I guess that was a long way to say that I believe the current logic is spec
compliant.

You agree or disagree?

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-05-24
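The matching rule Daniel lays out above, written out as an added C example. This is not libcurl's verifyhost() and not code from this thread; it assumes a simplified, hypothetical `struct cert_ids` holding the certificate's dNSName and iPAddress SAN entries (the latter as text) plus the CN, and it compares names exactly, with no wildcard handling. iPAddress entries are compared in binary form after inet_pton(), so "2001:db8::1" and "2001:DB8:0:0::1" count as the same address, which is what "exactly match the IP" means in practice.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>

/* Hypothetical, simplified view of a certificate's identity fields
   (constructed for this example, not libcurl's own representation). */
struct cert_ids {
    const char **dns_names;  /* subjectAltName dNSName entries */
    size_t ndns;
    const char **ip_addrs;   /* subjectAltName iPAddress entries, as text */
    size_t nip;
    const char *cn;          /* subject Common Name, or NULL if absent */
};

/* Parse a textual address into binary form; returns 4 or 16 bytes, or 0. */
static int parse_ip(const char *text, unsigned char out[16])
{
    if (inet_pton(AF_INET, text, out) == 1) return 4;
    if (inet_pton(AF_INET6, text, out) == 1) return 16;
    return 0;
}

/* Exact, case-insensitive host name comparison (no wildcard handling). */
static int dns_equal(const char *a, const char *b)
{
    return a && b && strcasecmp(a, b) == 0;
}

/* Binary comparison of two textual IP addresses. */
static int ip_equal(const char *a, const char *b)
{
    unsigned char x[16], y[16];
    int xl = parse_ip(a, x), yl = parse_ip(b, y);
    return xl && xl == yl && memcmp(x, y, xl) == 0;
}

/* Returns 1 when the certificate identifies `host` per RFC 2818 section 3.1,
   as summarised in the mail: any SAN present means the CN is ignored; an
   IP-address URL needs a matching iPAddress SAN; a name needs a matching
   dNSName SAN; only a certificate with no SAN at all falls back to the CN. */
int verify_host(const char *host, const struct cert_ids *c)
{
    unsigned char tmp[16];
    int host_is_ip = parse_ip(host, tmp) != 0;
    int san_present = (c->ndns > 0) || (c->nip > 0);
    size_t i;

    if (host_is_ip) {
        for (i = 0; i < c->nip; i++)
            if (ip_equal(host, c->ip_addrs[i]))
                return 1;
    } else {
        for (i = 0; i < c->ndns; i++)
            if (dns_equal(host, c->dns_names[i]))
                return 1;
    }
    if (san_present)
        return 0;   /* SAN exists but nothing matched: no CN fallback */

    /* No subjectAltName at all: the deprecated Common Name path. */
    if (!c->cn)
        return 0;
    return host_is_ip ? ip_equal(host, c->cn) : dns_equal(host, c->cn);
}

int main(void)
{
    /* Constructed sample certificate: one dNSName, one iPAddress, a CN. */
    const char *dns[] = { "example.com" };
    const char *ips[] = { "192.0.2.10" };
    struct cert_ids c = { dns, 1, ips, 1, "example.com" };

    printf("192.0.2.10   -> %d\n", verify_host("192.0.2.10", &c));   /* 1 */
    printf("192.0.2.11   -> %d\n", verify_host("192.0.2.11", &c));   /* 0 */
    printf("example.com  -> %d\n", verify_host("example.com", &c));  /* 1 */
    return 0;
}
```

The case from the thread is the `ip_san_only` certificate below: a SAN is present but carries no matching iPAddress, so the CN is never consulted and the check fails, which is the behaviour the mail argues is spec compliant.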