Bugs item #3014205, was opened at 2010-06-10 08:18
Message generated for change (Comment added) made by kidmiracleman
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3014205&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: https
Group: bad behaviour
Status: Open
Resolution: Invalid
Priority: 5
Private: No
Submitted By: Karl Gallagher (kidmiracleman)
Assigned to: Daniel Stenberg (bagder)
Summary: Not possible to redirect a https url

Initial Comment:
curl version: 7.20.1
OS version: STLinux
Processor: SH4

When I try to connect to a host that would normally redirect to different url using a https:// CONNECT. I never get redirected because SSL authentication fails.
See debug log:
None: * About to connect() to proxy 192.168.250.6 port 800 (#0)
None: * Trying 192.168.250.6... * Establish HTTP proxy tunnel to www.gmail.com:443
None: > CONNECT www.gmail.com:443 HTTP/1.1
None: Host: www.gmail.com:443
None: Proxy-Connection: Keep-Alive
None: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/525.1+ (KHTML, like Gecko, Safari/525.1+)
None: Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
None:
None: < HTTP/1.0 200 Connection established
None: <
None: * Proxy replied OK to CONNECT request
None: * successfully set certificate verify locations:
None: * CAfile: /etc/cert/trusted.pem
None: CApath: none
None: * Expire cleared
None: * SSL connection using RC4-SHA
None: * Server certificate:
None: * subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=mail.google.com
None: * start date: 2009-12-18 00:00:00 GMT
None: * expire date: 2011-12-18 23:59:59 GMT
None: * SSL: certificate subject name 'mail.google.com' does not match target host name 'www.gmail.com'
None: * Closing connection #0

When I try to establish a connection to https://www.gmail.com it redirects OK and SSL authentication is successful...
Is this a bug in curl? or simply a limitation in the https protocol?

Note: I am connecting via a proxy here, but I have also verified that the same issue manifests without the proxy in place.

----------------------------------------------------------------------

>Comment By: Karl Gallagher (kidmiracleman)
Date: 2010-06-11 09:52

Message:
Ok,
Thanks for the info badger. I had assumed that this behaviour in curl was
valid. I will probably have to add some sort of exception list in the
application.

You can close this bug.

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2010-06-10 22:31

Message:
If the certificate provided by the server is invalid, then curl will not go
through the SSL handshake. The log you provided seems to indicate that the
server name and the certificate have different opinions about what name it
is for, and thus curl rejects it. It does look like a bad certificate and
then curl does the right thing.

curl offers options that makes it skip this check, but that is considered
insecure.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3014205&group_id=976
Received on 2010-06-11