Re: libcurl not verifying proxy url against IP address present in subject alternate name
Date: Wed, 29 Nov 2017 16:27:34 -0500
On 11/28/2017 2:12 PM, Hemant Kumar via curl-library wrote:
> I am using pycurl (python wrapper of libcurl) to connect to a remote
> server(HTTPS) via a proxy(HTTPS).
> While establishing SSL connection with the proxy, the certificate
> shared by proxy has both CN and SAN entries as below -
> Subject: C=IN, ST=KA, L=BGL, O=xxxx, OU=x, *CN=host.cust1.com*/emailAddress=firstname.lastname@example.org
> X509v3 Subject Alternative Name:
> DNS:host.cust1.com, *DNS:18.104.22.168*, DNS:securepr.cust1.com
> In my code when I use proxy's FQDN (host.cust1.com) as the proxy URL
> to access then the ssl verification works fine but when I try using
> the IP Address I get below error -
> "SSL: no alternative certificate subject name matches target host name"
> Should not libcurl verify the proxy URL against all the subject
> alternate names present in the received certificate or am I missing
> something here?
> Software versions used - PycURL/7.43.0 libcurl/7.56.1
In my opinion, no.
Is the PycURL string supposed to include the libcurl version string?
What SSL library is libcurl using? It should have shown you the SSL
library in the version information. I will assume OpenSSL for this reply.
libcurl w/ OpenSSL will only use iPAddress altname field for IP
addresses and dNSName altname field for host names. There's some
anecdotal evidence of clients that accept IP address in dNSName. I
believe those clients are wrong. The original RFC 2818 is unambiguous:
In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.
Received on 2017-11-29
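The matching rule described in the reply, as an added illustration that is not code from the thread or from libcurl: an IP-literal target is checked only against iPAddress SAN entries, a DNS-name target only against dNSName entries, so a certificate that lists the IP as DNS:18.104.22.168 fails exactly as reported. The SAN lists are constructed from the certificate quoted above; the iPAddress entry in SAN_WITH_IP is a hypothetical corrected certificate, and IPv6 canonicalisation via the ipaddress module is my own addition.

```python
import ipaddress

# Constructed from the certificate quoted in the thread: the IP literal
# appears only as a dNSName entry, never as an iPAddress entry.
SAN_DNS_ONLY = [("DNS", "host.cust1.com"), ("DNS", "18.104.22.168"),
                ("DNS", "securepr.cust1.com")]
# Hypothetical corrected certificate carrying the iPAddress entry RFC 2818 requires.
SAN_WITH_IP = SAN_DNS_ONLY + [("IP", "18.104.22.168")]


def parse_target(target):
    """Classify the host part of a URL as an IP literal or a DNS name.
    Brackets around IPv6 literals (as written in URLs) are stripped first."""
    host = target.strip("[]")
    try:
        return "IP", ipaddress.ip_address(host)
    except ValueError:
        return "DNS", host.rstrip(".").lower()


def dns_name_matches(pattern, hostname):
    """Case-insensitive dNSName comparison; a single left-most '*' label
    matches exactly one label (the RFC 6125 wildcard rule)."""
    pattern = pattern.rstrip(".").lower()
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] == "*" and len(plabels) == len(hlabels) and len(hlabels) > 2:
        return plabels[1:] == hlabels[1:]
    return False


def san_matches(target, sans):
    """True only if a SAN entry of the matching *type* matches the target.
    An IP target is compared solely against iPAddress entries, so a
    DNS:<ip> entry never satisfies it, which is the behaviour in the thread."""
    kind, value = parse_target(target)
    for san_type, san_value in sans:
        if kind == "IP" and san_type == "IP":
            try:
                if ipaddress.ip_address(san_value) == value:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry: ignore it
        elif kind == "DNS" and san_type == "DNS" and dns_name_matches(san_value, value):
            return True
    return False
```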