Re: libcurl not verifying proxy url against IP address present in subject alternate name

From: Ray Satiro via curl-library <>
Date: Wed, 29 Nov 2017 16:27:34 -0500

On 11/28/2017 2:12 PM, Hemant Kumar via curl-library wrote:
> I am using pycurl (python wrapper of libcurl) to connect to a remote
> server (HTTPS) via a proxy (HTTPS).
> While establishing SSL connection with the proxy, the certificate
> shared by proxy has both CN and SAN entries as below -
> Subject: C=IN, ST=KA, L=BGL, O=xxxx, OU=x, * <>*/ <>
> X509v3 Subject Alternative Name:
> <>, *DNS:*, <>
> In my code when I use proxy's FQDN(
> <>) as the proxy URL to access then the ssl
> verification works fine but when I try using the IP Address I get
> below error -
> "SSL: no alternative certificate subject name matches target host name
> ''"
> Should not libcurl verify the proxy URL against all the subject
> alternate names present in the received certificate or am I missing
> something here?
> Software versions used - PycURL/7.43.0 libcurl/7.56.1

In my opinion, no.

Is the PycURL string supposed to include the libcurl version string?
What SSL library is libcurl using? It should have shown you the SSL
library in the version information. I will assume OpenSSL for this reply.

libcurl w/ OpenSSL will only use iPAddress altname field for IP
addresses and dNSName altname field for host names [1]. There's some
anecdotal evidence of clients that accept IP address in dNSName [2]. I
believe those clients are wrong. The original RFC 2818 is unambiguous [3]:

   In some cases, the URI is specified as an IP address rather than a
   hostname. In this case, the iPAddress subjectAltName must be present
   in the certificate and must exactly match the IP in the URI.


Received on 2017-11-29
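
The matching rule discussed in this message, as an added example that is not part of the original mail and is not libcurl's or OpenSSL's code: an IP-literal target is compared only against iPAddress entries and a host name only against dNSName entries. The `(type, value)` entry format, the function names and the sample names and addresses are assumptions constructed for illustration.

```python
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive dNSName match; '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def san_matches(target, san_entries):
    """san_entries: list of (type, value); type is 'DNS' or 'IP' (constructed format).

    An IP-literal target is checked only against iPAddress entries,
    a host name only against dNSName entries.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an IP literal, treat as a host name
    for kind, value in san_entries:
        if ip is not None and kind == "IP":
            try:
                # Compare parsed addresses so equivalent IPv6 spellings match.
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry never matches
        elif ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False

# Constructed sample certificates (placeholder names and addresses).
# The first carries the IP only as a dNSName, the second as an iPAddress.
CERT_DNS_ONLY = [("DNS", "proxy.example.test"), ("DNS", "192.0.2.10")]
CERT_WITH_IP = [("DNS", "proxy.example.test"), ("IP", "192.0.2.10"),
                ("IP", "2001:db8::1")]

if __name__ == "__main__":
    for name, cert in (("dNSName only", CERT_DNS_ONLY),
                       ("with iPAddress", CERT_WITH_IP)):
        for target in ("proxy.example.test", "192.0.2.10",
                       "2001:0db8:0:0:0:0:0:1"):
            print(f"{name:15} {target:24} -> {san_matches(target, cert)}")
```

A proxy certificate that should validate when the proxy is addressed by IP needs that address in an iPAddress subjectAltName entry, as in `CERT_WITH_IP`.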