On Tue, 15 Sep 2009, Sven Anders wrote:

Or am I wrong? That subjectAltName field with an email address looks
funny to me.

Yes and No. A DNS or IP entry should match, but I can have other entries (like email, RID, URI, otherName, ...) too. These should not be considered when trying to match.

Ah, it wasn't clear to me from that output that the particular field was not a DNS field.

How about the attached patch, does it make your certificate work fine again?

--

 / daniel.haxx.se
Index: lib/ssluse.c
===================================================================
RCS file: /cvsroot/curl/curl/lib/ssluse.c,v
retrieving revision 1.238
diff -u -r1.238 ssluse.c
--- lib/ssluse.c	29 Aug 2009 04:34:44 -0000	1.238
+++ lib/ssluse.c	15 Sep 2009 12:01:25 -0000
@@ -1056,7 +1056,8 @@
 static CURLcode verifyhost(struct connectdata *conn,
                            X509 *server_cert)
 {
-  bool matched = FALSE; /* no alternative match yet */
+  int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
+                       means mismatch */
   int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
   size_t addrlen = 0;
   struct SessionHandle *data = conn->data;
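Review bot: The tri-state introduced on line 27 is encoded as the bare magic values -1, 0 and 1, which every later comparison (`matched != 1` on line 37, `matched == 1` and `matched == 0` on lines 66 and 70) has to spell out by hand. An enum such as `enum { ALT_NONE = -1, ALT_MISMATCH = 0, ALT_MATCH = 1 };` (constructed names) with `int matched = ALT_NONE;` would make the loop condition and the final checks self-describing and would keep the three values from drifting apart across the branches that assign them. The body of verifyhost continues past this hunk.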
@@ -1093,7 +1094,7 @@
     numalts = sk_GENERAL_NAME_num(altnames);
 
     /* loop through all alternatives while none has matched */
-    for (i=0; (i<numalts) && !matched; i++) {
+    for (i=0; (i<numalts) && (matched != 1); i++) {
       /* get a handle to alternative name number i */
       const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
 
@@ -1119,7 +1120,9 @@
              /* if this isn't true, there was an embedded zero in the name
                 string and we cannot match it. */
              cert_hostcheck(altptr, conn->host.name))
-            matched = TRUE;
+            matched = 1;
+          else
+            matched = 0;
           break;
 
         case GEN_IPADD: /* IP address comparison */
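Review bot: The new `else` on line 47 attaches to an `if` whose condition begins above the hunk and is split across several commented lines, so the unbraced if/else pair is easy to misread; either brace both arms or fold it into one assignment of the form `matched = (<existing condition>) ? 1 : 0;`. Judging by the comment on lines 42-43, a name with an embedded zero now lands in the mismatch branch and therefore forces a verification failure rather than falling through to the Common Name check, which is the right outcome and worth stating: `/* a length mismatch (embedded zero) counts as a mismatch, never as "no entry" */`.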
@@ -1127,6 +1130,8 @@
              our server IP address is */
           if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
             matched = TRUE;
+          else
+            matched = 0;
           break;
         }
       }
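Review bot: Line 55 still assigns `TRUE` to `matched`, which this patch turns into an `int` that is compared against the literal `1` on lines 37 and 66, while the sibling GEN_DNS branch on line 46 was changed to `matched = 1;`. The IP branch only keeps working as long as curl's `TRUE` macro expands to exactly 1; change line 55 to `matched = 1;` so both branches use the same encoding and the comparison does not silently depend on the macro's definition.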
@@ -1134,10 +1139,10 @@
     GENERAL_NAMES_free(altnames);
   }
 
-  if(matched)
+  if(matched == 1)
     /* an alternative name matched the server hostname */
     infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
-  else if(altnames) {
+  else if(matched == 0) {
     /* an alternative name field existed, but didn't match and then
        we MUST fail */
     infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
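Review bot: The comment on lines 71-72 is now stale: with `matched == 0` this branch fires only when a subjectAltName entry of the target type was present and none matched, whereas a list holding only other kinds (email, URI, otherName) leaves `matched` at -1 and falls through to the Common Name check below. Suggest `/* an alternative name of the target type (DNS or IP) existed but none matched, so we MUST fail */` here and a one-line comment on the fall-through path stating that no alternative name of the target type was found and the CN is used instead. This is also a relaxation relative to the old `else if(altnames)`: assuming, as the extra closing brace on line 60 suggests, only entries whose type equals `target` reach the switch, a certificate carrying only dNSName entries that is reached by IP address (target GEN_IPADD) was previously rejected here and now reaches the CN comparison; if that is intended it deserves a sentence in the commit message. The remainder of verifyhost after line 73 is outside the hunk.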
