Fetching the detail of SSL Host verification failure
Date: Tue, 23 Oct 2018 17:52:47 +0000
Hi libcurl guys,
We have an issue when libcurl fails verification on HTTPS communication. Here's the situation:
1. OpenSSL verifies the certificate successfully.
2. In vtls/openssl.c: verifyhost() returns an error because the verification of the hostname fails.
3. All verification errors are CURLE_PEER_FAILED_VERIFICATION (51).
4. Actually there are four cases:
a. no alternative certificate subject name matches target host name '%s'
b. illegal cert name field
c. unable to obtain common name from peer certificate
d. certificate subject name '%s' does not match target host name '%s'
We need to distinguish these four cases from CURLE_PEER_FAILED_VERIFICATION.
So we want to fix this by extending the API. There are three options we can take, and we want to hear your opinion.
1) Simply define new CURLE codes for each of the four cases and return them.
This is the simple solution, but it will return a different error code for existing applications.
2) Add a new option to return the new error codes.
Define a new option, such as CURLOPT_SSL_VERIFYHOST_EXTENDED_RESULT, to change the error code.
This protects existing applications and safely extends the API.
3) Define a new value for CURLOPT_SSL_VERIFYHOST.
Currently CURLOPT_SSL_VERIFYHOST is set to 0 or 2. Then define a new value 3 to return the extended result code.
4) Use CURLINFO_SSL_VERIFYRESULT.
Because OpenSSL returns no validation error, the field for this verify result is available in this situation.
When verifyhost() fails, the return code is unchanged from CURLE_PEER_FAILED_VERIFICATION, and the newly defined error code is put into data->set.ssl.certverifyresult, which is available via curl_easy_getinfo with CURLINFO_SSL_VERIFYRESULT. This doesn't break existing applications.
We are ready to send a PR for solution 4, but before sending this, we want to hear the voice of the community.
Received on 2018-10-23
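As an added illustration of the four hostname-verification outcomes the post wants to distinguish, here is a self-contained model of verifyhost() that returns a distinct code per case. This is example code written for this page, not libcurl's vtls/openssl.c; the enum names, the peer_cert struct and the reading of "illegal cert name field" as "declared length disagrees with the C string" are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Distinct codes for the four outcomes the post lists; the names are invented
 * for this example (libcurl collapses all of them into CURLE_PEER_FAILED_VERIFICATION). */
typedef enum {
  HV_OK = 0,
  HV_NO_SAN_MATCH,    /* a. SAN list present but no entry matches the host */
  HV_ILLEGAL_NAME,    /* b. name field whose declared length disagrees with its C string */
  HV_NO_COMMON_NAME,  /* c. no SAN and no CN to match against */
  HV_CN_MISMATCH      /* d. CN present but does not match the host */
} hv_result;

/* Constructed stand-in for the name fields of a peer certificate (not an X509 *). */
struct peer_cert {
  const char *san[4]; /* dNSName entries */
  int san_count;
  const char *cn;     /* NULL when the subject carries no CN */
  size_t cn_len;      /* length as declared in the certificate field */
};

/* Case-insensitive name match; "*." is accepted only as the leftmost label and
 * matches exactly one label, so it never covers the bare domain or a whole TLD. */
static int match_name(const char *pattern, const char *host) {
  if (strncmp(pattern, "*.", 2) == 0) {
    const char *dot = strchr(host, '.');
    if (!dot || dot == host || !strchr(pattern + 2, '.'))
      return 0;
    return strcasecmp(dot, pattern + 1) == 0;
  }
  return strcasecmp(pattern, host) == 0;
}

/* Same order as the post describes: SANs take precedence; the CN is consulted only
 * when no dNSName SAN exists. Each failure path gets its own code. */
hv_result verify_host(const struct peer_cert *cert, const char *host) {
  if (cert->san_count > 0) {
    for (int i = 0; i < cert->san_count; i++)
      if (match_name(cert->san[i], host))
        return HV_OK;
    return HV_NO_SAN_MATCH;
  }
  if (!cert->cn)
    return HV_NO_COMMON_NAME;
  if (cert->cn_len != strlen(cert->cn))
    return HV_ILLEGAL_NAME; /* e.g. an embedded NUL truncated the C string */
  return match_name(cert->cn, host) ? HV_OK : HV_CN_MISMATCH;
}
```

A caller can branch on the enum directly; under option 4 of the post the same distinction would instead be read back through CURLINFO_SSL_VERIFYRESULT while the easy-handle return stays CURLE_PEER_FAILED_VERIFICATION.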