On 01/11/2016 17:42, Viktor Dukhovni wrote:
On Tue, Nov 01, 2016 at 04:28:18PM +0100, Sebastian Kloska wrote:
[ Redirecting to openssl-users. ]
(I cannot see the original posts, as I am only subscribed
to -users).
We have problems authenticating a a CERT while LC_CTYPE is set to
tr_TR.UTF-8
The issue is triggered in libcurl but it seems to come out of libssl. It
seems to be
Note that the Turkish UNICODE locales have the unusual property
that the uppercase/lowercase routines do not match ASCII "I" to
ASCII "i", to cater to the distinguishing between "dotted" and
"dotless" letter I in Turkish natural language. It is the only
known locales to case map an ASCII character differently than the
basic ASCII algorithm presumed by the standard for Internet host
names.
So something, in either OpenSSL or curl (or a combination) may
(on the OPs system) be using a locale-sensitive function to
compare e.g. "hotmail.com" and "HOTMAIL.COM", where some kind
of locale-neutral function should be used to avoid the special
handling that the Unicode standard specifies for the letter "I"
in Turkish.
I see nothing in the OpenSSL X.509 stack that would be sensitive
to this locale. In particular, with OpenSSL >= 1.0.2 doing the
hostname check, both:
LANG=tr_TR.UTF-8 /Volumes/gitvol/viktor/ssl/OpenSSL_1_0_2/bin/openssl
s_client -connect www.hotmail.com:443 -CAfile /tmp/bundle.pem -verify_hostname
www.hotmail.com
and
LC_CTYPE=tr_TR.UTF-8 /Volumes/gitvol/viktor/ssl/OpenSSL_1_0_2/bin/openssl
s_client -connect www.hotmail.com:443 -CAfile /tmp/bundle.pem -verify_hostname
www.hotmail.com
return success. OpenSSL 1.0.1 and earlier do not do hostname
checks, that's left to the application. With 1.0.1 the chain alone
verifies just fine:
$ LC_CTYPE=tr_TR.UTF-8 /.../OpenSSL_1_0_1/bin/openssl s_client -connect
www.hotmail.com:443 -CAfile /tmp/bundle.pem
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c)
2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary
Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN
= Symantec Class 3 EV SSL CA - G3
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 =
Washington, businessCategory = Private Organization, serialNumber = 600413485,
C = US, postalCode = 98052, ST = Washington, L = Redmond, street = 1 Microsoft
Way, O = Microsoft Corporation, OU = Outlook Kahuna BAY-A Jun2015, CN =
mail.live.com
verify return:1
---
Certificate chain
0
s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private
Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1
Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna BAY-A
Jun2015/CN=mail.live.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 EV SSL CA - G3
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 EV SSL CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private
Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1
Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna BAY-A
Jun2015/CN=mail.live.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 EV SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 5342 bytes and written 511 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: ...
Session-ID-ctx:
Master-Key: ...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1478018209
Timeout : 300 (sec)
Verify return code: 0 (ok)
So it seems that any problem lies with libcurl.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
