Hello,

I've noticed that cURL changed behavior in 7.29 regarding axTLS
support. Before it was ignoring invalid certificates as requested, but
in 7.29 it gives "subjectAltName(s) do not match %s" error and ignores
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);

I've traced it to this commit:
https://github.com/bagder/curl/commit/1394cad30fcac7eb21adb9158dfcfab10e9f53d4
and it says "honoring
the VERIFYHOST setting" but apparently it's not.

RFC 2818 says

"   If a subjectAltName extension of type dNSName is present, that MUST
   be used as the identity."

and

"   If the hostname does not match the identity in the certificate, user
   oriented clients MUST either notify the user (clients MAY give the
   user the opportunity to continue with the connection in any case) or
   terminate the connection with a bad certificate error."

I was under the impression that VERIFYHOST == 0 should let a host with an
invalid certificate pass the checks, but this is only implemented
during the Common Name (if present) check. The patch that fixes this is listed
below.

Any ideas?

---

From 8153cb9065a1e30fe824d95930648850151405f4 Mon Sep 17 00:00:00 2001
From: Aleksey Tulinov <[email protected]>
Date: Fri, 7 Jun 2013 16:54:26 +0300
Subject: [PATCH] axtls.c: honoring VERIFYHOST option

---
 lib/axtls.c |   26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/lib/axtls.c b/lib/axtls.c
index 59c8a83..9e2f3cd 100644
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -342,21 +342,29 @@ Curl_axtls_connect(struct connectdata *conn,
   /* RFC2818 checks */
   if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
     /* Break connection ! */
-    Curl_axtls_close(conn, sockindex);
-    free_ssl_structs(ssl_ctx, ssl);
-    failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
-    return CURLE_PEER_FAILED_VERIFICATION;
+    if(data->set.ssl.verifyhost) {
+      Curl_axtls_close(conn, sockindex);
+      free_ssl_structs(ssl_ctx, ssl);
+      failf(data, "\tsubjectAltName(s) do not match %s\n",
conn->host.dispname);
+      return CURLE_PEER_FAILED_VERIFICATION;
+    }
+    else
+      infof(data, "\tsubjectAltName(s) do not match %s\n",
conn->host.dispname);
   }
   else if(found_subject_alt_names == 0) {
     /* Per RFC2818, when no Subject Alt Names were available, examine the peer
        CN as a legacy fallback */
     peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
     if(peer_CN == NULL) {
-      /* Similar behaviour to the OpenSSL interface */
-      Curl_axtls_close(conn, sockindex);
-      free_ssl_structs(ssl_ctx, ssl);
-      failf(data, "unable to obtain common name from peer certificate");
-      return CURLE_PEER_FAILED_VERIFICATION;
+      if(data->set.ssl.verifyhost) {
+        /* Similar behaviour to the OpenSSL interface */
+        Curl_axtls_close(conn, sockindex);
+        free_ssl_structs(ssl_ctx, ssl);
+        failf(data, "unable to obtain common name from peer certificate");
+        return CURLE_PEER_FAILED_VERIFICATION;
+      }
+      else
+        infof(data, "unable to obtain common name from peer certificate");
     }
     else {
       if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
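Review bot: the continuation lines reading `conn->host.dispname);` under both `failf`/`infof` calls in the `found_subject_alt_names` branch have been wrapped by the mailer and lost their `+` prefix, so the patch as posted will not apply with `git am`; resend it as an attachment or with line wrapping disabled. Separately, when `verifyhost` is off the mismatch is reported only through `infof`, which is visible only with verbose output; since the RFC 2818 text quoted above asks that the user at least be notified, consider wording that message to say the subjectAltName (or missing CN) mismatch is being ignored because VERIFYHOST is disabled, rather than reusing the failure text verbatim.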
-- 
1.7.9.5
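The RFC 2818 identity selection and the VERIFYHOST gate described in the post, as an added stand-alone example that is not curl's code: `check_peer_identity` and the simplified `hostmatch` wildcard helper are assumptions standing in for the patch's logic and for `Curl_cert_hostcheck`.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive string equality (DNS names are case-insensitive). */
static bool ci_equal(const char *a, const char *b)
{
    for(; *a && *b; a++, b++)
        if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Assumed minimal host check: exact match, or a single leading "*." that
   covers exactly one label. Stands in for Curl_cert_hostcheck. */
static bool hostmatch(const char *pattern, const char *host)
{
    if(strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if(!dot || dot == host)
            return false;
        return ci_equal(pattern + 2, dot + 1);
    }
    return ci_equal(pattern, host);
}

enum identity_result {
    IDENTITY_OK,               /* a dNSName SAN, or the CN fallback, matched */
    IDENTITY_MISMATCH_IGNORED, /* no match, VERIFYHOST off: log and continue */
    IDENTITY_FAILED            /* no match, VERIFYHOST on: fail verification */
};

/* RFC 2818 order: if any dNSName SANs exist they are the only identity used;
   the CN is consulted only when no SAN exists. verifyhost plays the role of
   data->set.ssl.verifyhost in the patch and gates both failure paths. */
enum identity_result check_peer_identity(const char *const *sans, size_t nsans,
                                         const char *peer_cn, const char *host,
                                         bool verifyhost)
{
    bool matched = false;
    if(nsans > 0) {
        for(size_t i = 0; i < nsans && !matched; i++)
            matched = hostmatch(sans[i], host);
    }
    else if(peer_cn) {
        matched = hostmatch(peer_cn, host);
    }
    if(matched)
        return IDENTITY_OK;
    return verifyhost ? IDENTITY_FAILED : IDENTITY_MISMATCH_IGNORED;
}
```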
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html