Peter Sylvester wrote:
>> I think the check should only fail if it did not match a *URI* field with
>> the same hostname. Additional fields (with other types) should be
>> ignored.
> It's a *DNS* field, not URI, but basically it seems to me that
> you are right. RFC 2818 says in detail:
>
>   If a subjectAltName extension of type dNSName is present, that MUST
>   be used as the identity. Otherwise, the (most specific) Common Name
>   field in the Subject field of the certificate MUST be used. Although
>   the use of the Common Name is existing practice, it is deprecated and
>   Certification Authorities are encouraged to use the dNSName instead.
>   ...
>
>   In some cases, the URI is specified as an IP address rather than a
>   hostname. In this case, the iPAddress subjectAltName must be present
>   in the certificate and must exactly match the IP in the URI.
>
> So we have at least these 3 defined situations:
>
>   hostname is IP address ==> must have IP altname
>   hostname is dns & altname dns, it must match
>   hostname is dns & not altname dns, "last" common name must match.
>

I tried to fix it and attached a patch for this.
I know that my certificate is not the best and I have to renew it anyway, but I think the currently used one should work too. Or is there a rule/RFC that forces the creation of a subjectAltName-dNSName field?

Regards
 Sven

-- 
Sven Anders <[email protected]>                 () Ascii Ribbon Campaign
                                               /\ Support plain text e-mail
ANDURAS service solutions AG
Innstraße 71 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
Legal form: Aktiengesellschaft - Registered office: Passau - Commercial register: Amtsgericht Passau HRB 6032
Members of the Management Board: Sven Anders, Marcus Junker
Chairman of the Supervisory Board: Mark Peters
--- curl-7.19.6/lib/ssluse.c.orig 2009-09-15 11:10:48.000000000 +0200
+++ curl-7.19.6/lib/ssluse.c 2009-09-15 11:41:10.000000000 +0200
@@ -1057,6 +1057,7 @@ static CURLcode verifyhost(struct connec
X509 *server_cert)
{
bool matched = FALSE; /* no alternative match yet */
+ bool dnsipaltname = FALSE; /* did we found an DNS or IP altname? */
int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
size_t addrlen = 0;
struct SessionHandle *data = conn->data;
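Review bot: the comment on the new flag, "did we found an DNS or IP altname?", should read "did we find a DNS or IP altname?". The name `dnsipaltname` also overstates what it records: the two places that set it in the later hunks sit inside the per-type `case` branches that are only reached for entries of the target type, so the flag really means "an altname of the type we are looking for was present"; a name such as `target_altname_seen` (or a comment saying exactly that) would prevent readers from assuming any DNS or IP entry sets it.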
@@ -1105,6 +1106,7 @@ static CURLcode verifyhost(struct connec
switch(target) {
case GEN_DNS: /* name/pattern comparison */
+ dnsipaltname = TRUE;
/* The OpenSSL man page explicitly says: "In general it cannot be
assumed that the data returned by ASN1_STRING_data() is null
terminated or does not contain embedded nulls." But also that
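Review bot: the assignment is placed inside `case GEN_DNS:` of `switch(target)`, so it only runs when the entry being examined is of the target type, which is the RFC 2818 behaviour the thread wants (altnames of other types are ignored). The identical line is added again in the GEN_IPADD case below; if the loop has a point that is common to both type branches, setting the flag once there would avoid the duplicated assignment and a future type case silently missing it.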
@@ -1123,6 +1125,7 @@ static CURLcode verifyhost(struct connec
break;
case GEN_IPADD: /* IP address comparison */
+ dnsipaltname = TRUE;
/* compare alternative IP address if the data chunk is the same size
our server IP address is */
if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
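Review bot: same duplicated `dnsipaltname = TRUE;` as in the GEN_DNS case; if both remain, a one-line comment next to this one stating that the flag means "an iPAddress entry was present for an IP target" would help, because the existing comment on the variable ("DNS or IP altname") reads as if any DNS or IP entry sets it regardless of the target type.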
@@ -1137,8 +1140,8 @@ static CURLcode verifyhost(struct connec
if(matched)
/* an alternative name matched the server hostname */
infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
- else if(altnames) {
- /* an alternative name field existed, but didn't match and then
+ else if(dnsipaltname) {
+ /* an alternative name DNS or IP field existed, but didn't match and then
we MUST fail */
infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
res = CURLE_PEER_FAILED_VERIFICATION;
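Review bot: replacing `else if(altnames)` with `else if(dnsipaltname)` changes behaviour for IP-address targets, not only for the URI-only case the thread discusses: before, any altname extension without a match failed here, while now an IP target whose certificate carries only dNSName entries leaves the flag unset (it is only set in the branch for the target type) and no longer fails at this point, whereas the quoted RFC 2818 text says the iPAddress altname must be present in that case. Consider keeping the failure for `target == GEN_IPADD` (for example `else if(dnsipaltname || target == GEN_IPADD)`), and reword the new comment to "an altname of the type we are looking for existed, but didn't match, so we MUST fail" so it matches what the flag tracks.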
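The three RFC 2818 situations quoted above, as an added example in C that is not part of this message and not curl's or OpenSSL's code: `verify_host` chooses the identity source the way the quoted text describes, over a small constructed altname list, and is exercised by the cases the thread discusses (only non-DNS altnames with a matching CN, a dNSName that does not match alongside a matching CN, an IP target with no iPAddress entry). The type names, `verify_host`, `dns_equal`, the sample certificates and the result codes are all invented for this example; IP addresses are compared as text here, unlike curl's binary memcmp, and wildcards are left out so the selection rule stays the subject.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical altname types, modelled loosely on OpenSSL's GEN_* values. */
enum alt_type { ALT_DNS, ALT_IP, ALT_URI, ALT_EMAIL };

struct altname {
    enum alt_type type;
    const char *value;   /* textual form, e.g. "www.example.com" or "192.0.2.10" */
};

/* Outcome of the identity check, following the RFC 2818 text quoted above. */
enum verify_result {
    VERIFY_MATCH_ALTNAME,   /* an altname of the target type matched */
    VERIFY_MATCH_CN,        /* no altname of the target type; Common Name matched */
    VERIFY_FAIL_ALTNAME,    /* altname of the target type present, none matched */
    VERIFY_FAIL_CN,         /* fell back to the Common Name and it did not match */
    VERIFY_FAIL_NO_IPADDR   /* IP target but no iPAddress altname present */
};

/* Exact, case-insensitive host name comparison (no wildcard support). */
static bool dns_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

enum verify_result verify_host(const char *target, bool target_is_ip,
                               const struct altname *alts, size_t nalts,
                               const char *common_name)
{
    enum alt_type want = target_is_ip ? ALT_IP : ALT_DNS;
    bool saw_target_type = false;   /* the role the patch's dnsipaltname flag plays */
    size_t i;

    for (i = 0; i < nalts; i++) {
        if (alts[i].type != want)
            continue;               /* URI, email and other entries are ignored */
        saw_target_type = true;
        /* Textual compare for IPs is a simplification; real code compares bytes. */
        if (target_is_ip ? strcmp(alts[i].value, target) == 0
                         : dns_equal(alts[i].value, target))
            return VERIFY_MATCH_ALTNAME;
    }
    if (saw_target_type)
        return VERIFY_FAIL_ALTNAME;   /* right type was present: the CN is not consulted */
    if (target_is_ip)
        return VERIFY_FAIL_NO_IPADDR; /* RFC 2818: iPAddress must be present for IP targets */
    if (common_name && dns_equal(common_name, target))
        return VERIFY_MATCH_CN;
    return VERIFY_FAIL_CN;
}

/* Constructed certificates (not real ones) for the cases in the thread. */
static const struct altname uri_only_cert[] = {
    { ALT_URI,   "https://www.example.com/" },
    { ALT_EMAIL, "admin@example.com" },
};
static const struct altname dns_cert[] = {
    { ALT_DNS, "www.example.com" },
    { ALT_DNS, "example.com" },
};
static const struct altname ip_cert[] = {
    { ALT_IP, "192.0.2.10" },
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* dNSName present and matching (case-insensitively). */
enum verify_result case_dns_altname_matches(void)
{ return verify_host("WWW.example.com", false, dns_cert, N(dns_cert), "other.example.net"); }

/* Only non-DNS altnames, so the Common Name decides: the thread's situation. */
enum verify_result case_uri_only_falls_back_to_cn(void)
{ return verify_host("www.example.com", false, uri_only_cert, N(uri_only_cert), "www.example.com"); }

/* A dNSName exists but does not match; a matching CN must not rescue it. */
enum verify_result case_dns_altname_mismatch_ignores_cn(void)
{ return verify_host("mail.example.com", false, dns_cert, N(dns_cert), "mail.example.com"); }

/* IP target without an iPAddress altname fails even though the CN matches. */
enum verify_result case_ip_target_without_ipaddress(void)
{ return verify_host("192.0.2.10", true, dns_cert, N(dns_cert), "192.0.2.10"); }

/* IP target with a matching iPAddress altname. */
enum verify_result case_ip_target_matches(void)
{ return verify_host("192.0.2.10", true, ip_cert, N(ip_cert), NULL); }

int main(void)
{
    printf("URI-only cert, CN matches:   %d\n", case_uri_only_falls_back_to_cn());
    printf("IP target, no iPAddress:     %d\n", case_ip_target_without_ipaddress());
    printf("dNSName mismatch, CN matches: %d\n", case_dns_altname_mismatch_ignores_cn());
    return 0;
}
```

The `saw_target_type` flag is only raised for entries of the type being looked for, which is what makes the URI-only certificate fall through to the Common Name while a non-matching dNSName still fails; the separate `target_is_ip` check after the loop is the part that enforces "must have IP altname" for the first of the three quoted situations.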