
Re: libcurl not verifying proxy url against IP address present in subject alternate name

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 29 Nov 2017 16:27:34 -0500

On 11/28/2017 2:12 PM, Hemant Kumar via curl-library wrote:
> I am using pycurl (python wrapper of libcurl) to connect to a remote
> server(HTTPS) via a proxy(HTTPS). 
> While establishing SSL connection with the proxy, the certificate
> shared by proxy has both CN and SAN entries as below -
>
> Subject: C=IN, ST=KA, L=BGL, O=xxxx, OU=x, *CN=host.cust1.com*/emailAddress=email@domain.com
> X509v3 Subject Alternative Name:
> DNS:host.cust1.com, *DNS:172.73.74.75*, DNS:securepr.cust1.com
> In my code when I use proxy's FQDN (host.cust1.com) as the proxy URL to access then the ssl
> verification works fine but when I try using the IP Address I get
> below error -
>
> "SSL: no alternative certificate subject name matches target host name
> '172.73.74.75'"
>
> Should not libcurl verify the proxy URL against all the subject
> alternate names present in the received certificate or am I missing
> something here?
> Software versions used - PycURL/7.43.0 libcurl/7.56.1

In my opinion, no.

Is the PycURL string supposed to include the libcurl version string?
What SSL library is libcurl using? It should have shown you the SSL
library in the version information. I will assume OpenSSL for this reply.

libcurl w/ OpenSSL will only use the iPAddress altname field for IP
addresses and the dNSName altname field for host names [1]. There's some
anecdotal evidence of clients that accept an IP address in dNSName [2]. I
believe those clients are wrong. The original RFC 2818 is unambiguous [3]:

   In some cases, the URI is specified as an IP address rather than a
   hostname. In this case, the iPAddress subjectAltName must be present
   in the certificate and must exactly match the IP in the URI.

[1]: https://github.com/curl/curl/blob/curl-7_56_1/lib/vtls/openssl.c#L1389
[2]: https://security.stackexchange.com/a/160809
[3]: https://tools.ietf.org/html/rfc2818#page-5
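As an added illustration of the rule quoted above (this is not code from the original message and not libcurl's own implementation, which lives in lib/vtls/openssl.c linked at [1]), here is a small Python model of RFC 2818 subjectAltName matching. The first SAN list is constructed from the certificate pasted in the question; the second adds the hypothetical `IP:172.73.74.75` iPAddress entry that the proxy's certificate would need for the IP-address URL to verify. The wildcard handling follows the single-label rule from RFC 6125 section 6.4.3 and is a simplification of what libcurl does.

```python
"""Added example: RFC 2818-style subjectAltName matching.

Shows why a certificate carrying DNS:172.73.74.75 does not satisfy a
connection made to https://172.73.74.75/, while IP:172.73.74.75 does.
Illustrative only; not libcurl's implementation.
"""
import ipaddress
from typing import Iterable, List, Tuple

# A SAN entry is modelled as (type, value) as printed by openssl x509 -text:
# type "DNS" is a dNSName, type "IP" is an iPAddress.
SAN = Tuple[str, str]

# Constructed from the SAN block quoted in the question.
PROXY_CERT_SANS: List[SAN] = [
    ("DNS", "host.cust1.com"),
    ("DNS", "172.73.74.75"),      # an IP spelled out as a dNSName: useless for IP URLs
    ("DNS", "securepr.cust1.com"),
]

# Hypothetical reissued certificate with a real iPAddress entry.
FIXED_CERT_SANS: List[SAN] = PROXY_CERT_SANS + [("IP", "172.73.74.75")]


def parse_ip_literal(target: str):
    """Return an ip_address object if target is an IP literal, else None.
    Accepts the bracketed IPv6 form used in URLs, e.g. [::1]."""
    try:
        return ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        return None


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName comparison.

    A single leading '*.' label may match exactly one hostname label and the
    wildcard must leave at least two fixed labels (RFC 6125 6.4.3 simplified).
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches_target(sans: Iterable[SAN], target: str) -> bool:
    """True if the URL host (hostname or IP literal) is covered by the SANs.

    RFC 2818: when the URL carries an IP address, an iPAddress SAN must be
    present and match exactly; dNSName entries are not consulted at all.
    When the URL carries a hostname, only dNSName entries are consulted.
    """
    want_ip = parse_ip_literal(target)
    if want_ip is not None:
        for kind, value in sans:
            if kind != "IP":
                continue
            try:
                if ipaddress.ip_address(value) == want_ip:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry; treat as non-matching
        return False
    return any(kind == "DNS" and dns_name_matches(value, target)
               for kind, value in sans)


def explain(sans: Iterable[SAN], target: str) -> str:
    """Mimic the gist of libcurl's error text for a failed match."""
    if san_matches_target(sans, target):
        return f"subject alternative name matches target host name '{target}'"
    return f"SSL: no alternative certificate subject name matches target host name '{target}'"


if __name__ == "__main__":
    for sans, label in ((PROXY_CERT_SANS, "cert from question"),
                        (FIXED_CERT_SANS, "cert with IP SAN")):
        for host in ("host.cust1.com", "172.73.74.75"):
            print(f"{label:20s} {host:16s} -> {explain(sans, host)}")
```

The practical fix on the proxy side is to reissue its certificate with a genuine iPAddress entry (in OpenSSL config syntax, `subjectAltName = DNS:host.cust1.com, IP:172.73.74.75`) and confirm with `openssl x509 -in cert.pem -noout -text` that the SAN block shows `IP Address:172.73.74.75` rather than `DNS:172.73.74.75`.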

Received on 2017-11-29