[root@ucbu-aricent-vm418 ~]# curl -V curl 7.19.7 (i686-redhat-linux-gnu) libcurl/7.46.0 OpenSSL/1.0.1e zlib/1.2.3 Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp Features: IPv6 Largefile NTLM SSL libz
From: curl-library [mailto:[email protected]] On Behalf Of Ray Satiro via curl-library Sent: Thursday, December 17, 2015 12:31 PM To: [email protected] Subject: Re: curl command line option to ignore Subject validation On 12/17/2015 12:25 AM, Gaurav Rastogi -X (garastog - ARICENT TECHNOLOGIES MAURIITIUS LIMITED at Cisco) wrote: Hi All, I ve upgraded CURL from 7.30 to 7.46. But here I’m facing one issue in one of the curl command line execution. In version 7.30 below command works fine for me: curl -s -k -m 10 -w "\n%{http_code}" http://localhost:8080/logo.gif Whereas when I upgraded curl to 7.46 same command failed due to CN validation with below error: curl -vi -s -k -m 10 -w "\n%{http_code}" https://localhost:8443/logo.gif * Trying 127.0.0.1... * Connected to localhost (127.0.0.1) port 8443 (#0) * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Client hello (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Client hello (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * Server certificate: * subject: C=IN; O=abc; OU=Aricent; CN=vm418.abc.com; ST=Haryana; L=Gurgaon * start date: Dec 12 04:27:29 2015 GMT * expire date: Dec 10 04:27:28 2020 GMT * SSL: certificate subject name 'vm418.abc.com' does not match target host name 'localhost' * Closing connection 0 * TLSv1.2 (OUT), TLS alert, Client hello (1): Could you please provide me an option so that I can go ahead without CN validation? Also let me know in which version these changes are introduced. I can't reproduce this. That error comes from the verifyhost function in openssl.c [1] but it's not called unless data->set.ssl.verifyhost is != 0. I've gone through the code and I just don't see how this could have happened unless maybe SSL support is for some reason missing from your libcurl version information? If -k and the curl tool doesn't find SSL support in libcurl [2] it won't set options to turn off verifypeer/host. What does curl -V show? [1]: https://github.com/bagder/curl/blob/curl-7_46_0/lib/vtls/openssl.c#L2525-L2532 [2]: https://github.com/bagder/curl/blob/curl-7_46_0/src/tool_operate.c#L1027
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
