Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: curl (Ubuntu)
       Status: New => Confirmed

https://bugs.launchpad.net/bugs/2028188

Title:
  Wildcard certificate broken after 7.81.0-1ubuntu1.11 / CVE-2023-28321

Status in curl package in Ubuntu:
  Confirmed

Bug description:
  On jammy, after upgrading curl:
  Preparing to unpack .../curl_7.81.0-1ubuntu1.11_amd64.deb ...
  Unpacking curl (7.81.0-1ubuntu1.11) over (7.81.0-1ubuntu1.10) ...
  Preparing to unpack .../libcurl4_7.81.0-1ubuntu1.11_amd64.deb ...
  Unpacking libcurl4:amd64 (7.81.0-1ubuntu1.11) over (7.81.0-1ubuntu1.10) ...
  Preparing to unpack .../libcurl3-gnutls_7.81.0-1ubuntu1.11_amd64.deb ...
  Unpacking libcurl3-gnutls:amd64 (7.81.0-1ubuntu1.11) over (7.81.0-1ubuntu1.10) ...
  Setting up libcurl3-gnutls:amd64 (7.81.0-1ubuntu1.11) ...
  Setting up libcurl4:amd64 (7.81.0-1ubuntu1.11) ...
  Setting up curl (7.81.0-1ubuntu1.11) ...

  Now my site with a CA wildcard cert fails:
  "
  # curl https://xxx.yyy.zzz/
  curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.yyy.zzz'
  More details here: https://curl.se/docs/sslcerts.html

  curl failed to verify the legitimacy of the server and therefore could not
  establish a secure connection to it. To learn more about this situation and
  how to fix it, please visit the web page mentioned above.
  "

  The site has a wildcard certificate for *.yyy.zzz.
  This worked before the upgrade to .11; if I downgrade to .10, it works again.
  The error message looks like it expects to find the appropriate wildcard in the SubjectAltName.
  From openssl x509, the server's subjects are:
          Validity
              Not Before: Feb 27 00:00:00 2023 GMT
              Not After : Feb 27 23:59:59 2024 GMT
          Subject: CN = *.yyy.zzz
          X509v3 extensions:
              X509v3 Subject Alternative Name:
                  DNS:*.yyy.zzz, DNS:yyy.zz
  The site should be matched by both the Subject wildcard and the first Subject Alt Name wildcard.

  # lsb_release -rd
  Description:  Ubuntu 22.04.2 LTS
  Release:      22.04

  # apt-cache policy curl
  curl:
    Installed: 7.81.0-1ubuntu1.11
    Candidate: 7.81.0-1ubuntu1.11
    Version table:
   *** 7.81.0-1ubuntu1.11 500
          500 https://localmirror.yyy.xxx/us.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
          500 https://localmirror.yyy.xxx/us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       7.81.0-1 500
          500 https://localmirror.yyy.xxx/us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  What you expected to happen:
  Successful TLS connection to Apache

  What happened instead:
  Failed TLS connection with error:
  curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.yyy.zzz'
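
The single-label wildcard rule the report relies on, written out as an added example; it is not part of the bug report and is not curl's own code. The function names are hypothetical, the rules are the conventional RFC 6125-style ones (wildcard only as the whole leftmost label, one label wide, at least two dots in the pattern), and the names are the report's placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Match one certificate DNS name (pattern) against the requested host.
 * Assumed rules: "*" must be the whole leftmost label, it stands for
 * exactly one label, and the pattern needs at least two dots. */
static bool dns_name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;   /* no wildcard: exact match */

    const char *suffix = pattern + 1;            /* e.g. ".yyy.zzz" */
    if (strchr(suffix + 1, '.') == NULL)
        return false;                            /* reject "*.zzz" */
    if (strchr(suffix, '*') != NULL)
        return false;                            /* only one wildcard allowed */

    const char *host_rest = strchr(host, '.');   /* end of host's first label */
    if (host_rest == NULL || host_rest == host)
        return false;                            /* need a non-empty first label */
    return strcasecmp(suffix, host_rest) == 0;   /* rest must equal the suffix */
}

/* True if any SAN dNSName entry matches the host. */
bool san_list_matches(const char *const *sans, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (dns_name_matches(sans[i], host))
            return true;
    return false;
}

/* SAN entries exactly as printed in the report (placeholder names). */
static const char *const REPORT_SANS[] = { "*.yyy.zzz", "yyy.zz" };

int main(void)
{
    printf("xxx.yyy.zzz: %d\n", san_list_matches(REPORT_SANS, 2, "xxx.yyy.zzz"));
    printf("a.b.yyy.zzz: %d\n", san_list_matches(REPORT_SANS, 2, "a.b.yyy.zzz"));
    return 0;
}
```

Under these rules the reported host matches the first SAN entry, while a host two labels below yyy.zzz does not.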
