- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-

powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name field in the certficate it had to match and so even if non-DNS and non-IP entry was present it caused the verification to fail.
2009-09-16 20:44:18 +00:00 · 2009-09-16 20:44:18 +00:00 · 250ba99498
parent c2c3a46e3e
commit 250ba99498
3 changed files with 19 additions and 7 deletions
--- a/6
+++ b/6
@ -6,6 +6,12 @@

                                  Changelog

+Daniel Stenberg (16 Sep 2009)
+- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
+  powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
+  field in the certficate it had to match and so even if non-DNS and non-IP
+  entry was present it caused the verification to fail.
+
 Daniel Fandrich (15 Sep 2009)
 - Moved the libssh2 checks after the SSL library checks. This helps when
  statically linking since libssh2 needs the SSL library link flags to be
--- a/3
+++ b/3
@ -28,6 +28,7 @@ This release includes the following bugfixes:
 o configure uses pkg-config for cross-compiles as well
 o improved NSS detection in configure
 o cookie expiry date at 1970-jan-1 00:00:00
+ o libcurl-OpenSSL failed to verify some certs with Subject Alternative Name

 This release includes the following known bugs:

@ -38,6 +39,6 @@ advice from friends like these:

 Karl Moerder, Kamil Dudka, Krister Johansen, Andre Guibert de Bruet,
 Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson,
- Claes Jakobsson
+ Claes Jakobsson, Sven Anders

        Thanks! (and sorry if I forgot to mention someone)
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@ -1056,7 +1056,8 @@ cert_hostcheck(const char *match_pattern, const char *hostname)
 static CURLcode verifyhost(struct connectdata *conn,
                           X509 *server_cert)
 {
-  bool matched = FALSE; /* no alternative match yet */
+  int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
+                       means mismatch */
  int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
  size_t addrlen = 0;
  struct SessionHandle *data = conn->data;
@ -1093,7 +1094,7 @@ static CURLcode verifyhost(struct connectdata *conn,
    numalts = sk_GENERAL_NAME_num(altnames);

    /* loop through all alternatives while none has matched */
-    for (i=0; (i<numalts) && !matched; i++) {
+    for (i=0; (i<numalts) && (matched != 1); i++) {
      /* get a handle to alternative name number i */
      const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);

@ -1119,14 +1120,18 @@ static CURLcode verifyhost(struct connectdata *conn,
             /* if this isn't true, there was an embedded zero in the name
                string and we cannot match it. */
             cert_hostcheck(altptr, conn->host.name))
-            matched = TRUE;
+            matched = 1;
+          else
+            matched = 0;
          break;

        case GEN_IPADD: /* IP address comparison */
          /* compare alternative IP address if the data chunk is the same size
             our server IP address is */
          if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
-            matched = TRUE;
+            matched = 1;
+          else
+            matched = 0;
          break;
        }
      }
@ -1134,10 +1139,10 @@ static CURLcode verifyhost(struct connectdata *conn,
    GENERAL_NAMES_free(altnames);
  }

-  if(matched)
+  if(matched == 1)
    /* an alternative name matched the server hostname */
    infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
-  else if(altnames) {
+  else if(matched == 0) {
    /* an alternative name field existed, but didn't match and then
       we MUST fail */
    infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);