On 12/17/2015 3:01 AM, Gaurav Rastogi -X (garastog - ARICENT TECHNOLOGIES MAURIITIUS LIMITED at Cisco) wrote:

[root@ucbu-aricent-vm418 ~]# curl -V

curl 7.19.7 (i686-redhat-linux-gnu) libcurl/7.46.0 OpenSSL/1.0.1e zlib/1.2.3

Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp

Features: IPv6 Largefile NTLM SSL libz

From: curl-library [mailto:[email protected]] On Behalf Of Ray Satiro via curl-library
Sent: Thursday, December 17, 2015 12:31 PM
To: [email protected]
Subject: Re: curl command line option to ignore Subject validation

On 12/17/2015 12:25 AM, Gaurav Rastogi -X (garastog - ARICENT TECHNOLOGIES MAURIITIUS LIMITED at Cisco) wrote:

Hi All,

I've upgraded curl from 7.30 to 7.46.

But I'm facing one issue with one of the curl command line executions.

In version 7.30 below command works fine for me:

curl -s -k -m 10 -w "\n%{http_code}" http://localhost:8080/logo.gif

Whereas when I upgraded curl to 7.46, the same command failed due to CN validation with the error below:

curl -vi -s -k -m 10 -w "\n%{http_code}" https://localhost:8443/logo.gif

*   Trying 127.0.0.1...

* Connected to localhost (127.0.0.1) port 8443 (#0)

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

*   CAfile: /etc/pki/tls/certs/ca-bundle.crt

  CApath: none

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Client hello (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* Server certificate:

* subject: C=IN; O=abc; OU=Aricent; CN=vm418.abc.com; ST=Haryana; L=Gurgaon

*        start date: Dec 12 04:27:29 2015 GMT

*        expire date: Dec 10 04:27:28 2020 GMT

* SSL: certificate subject name 'vm418.abc.com' does not match target host name 'localhost'

* Closing connection 0

* TLSv1.2 (OUT), TLS alert, Client hello (1):

Could you please provide me an option so that I can go ahead without CN validation?

Also let me know in which version these changes are introduced.


I can't reproduce this. That error comes from the verifyhost function in openssl.c [1], but it's not called unless data->set.ssl.verifyhost is != 0. I've gone through the code and I just don't see how this could have happened, unless maybe SSL support is for some reason missing from your libcurl version information? If -k is given and the curl tool doesn't find SSL support in libcurl [2], it won't set the options to turn off verifypeer/host. What does curl -V show?


[1]: https://github.com/bagder/curl/blob/curl-7_46_0/lib/vtls/openssl.c#L2525-L2532
[2]: https://github.com/bagder/curl/blob/curl-7_46_0/src/tool_operate.c#L1027




Please don't top post; you're making this thread harder to follow. curl 7.19.7 is 6+ years old, and when you use such an old version of the tool with such a recent version of the library it's not far-fetched that you could end up with unexpected results like what you are seeing. Some options or their values set by the 7.19.7 tool may be deprecated or removed from the latest version of the library. This is rare; however, I think this might be what's happening.

According to the code for the curl tool v7.19.7, it sets CURLOPT_SSL_VERIFYHOST to 1 to disable host verification when -k is given [1]. But 1 is no longer acknowledged [2] as of 3 years ago (curl-7_28_1), and in the future will be the same as enabling host verification [3]. When 1 is set by the tool, the library will return an error if the library is 7.28.1+. As noted, this may change in the future.

At the moment I'm not able to build the 7.19.7 tool to confirm, but my theory is that the earlier version of the tool does not abort on the error. More recent versions (starting when? don't know) of the curl tool should abort on this error. I would use a much later version of the tool, preferably the same as your library version, 7.46.


[1]: https://github.com/bagder/curl/blob/curl-7_19_7/src/main.c#L4775-L4779
[2]: https://github.com/bagder/curl/commit/da82f59
[3]: http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
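The diagnosis above hinges on two things that `curl -V` reveals: whether libcurl was built with SSL at all, and whether the tool and library versions match. The script below is an added example, not code from the thread or from the curl project. It parses `curl -V` output (the sample is constructed from the output Gaurav posted) and flags the specific skew Ray describes: a tool older than 7.28.1, which still passes CURLOPT_SSL_VERIFYHOST=1 for -k, paired with a library at 7.28.1 or later, which rejects that value. The 7.28.1 cutoff and the meaning of the states are taken from Ray's message; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): check `curl -V` output for the
# tool/library skew discussed above before relying on -k to disable
# certificate checks. Feed it `curl -V` output as one string.

# Sample `curl -V` output, constructed from what was posted in the thread.
SAMPLE_CURL_V='curl 7.19.7 (i686-redhat-linux-gnu) libcurl/7.46.0 OpenSSL/1.0.1e zlib/1.2.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM SSL libz'

# version_num 7.28.1 -> 7028001, so dotted versions compare as integers.
version_num() {
    echo "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# tool_version "<curl -V text>" -> the tool's version, e.g. 7.19.7
tool_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'
}

# lib_version "<curl -V text>" -> the libcurl version, e.g. 7.46.0
lib_version() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^libcurl\//) { sub("libcurl/", "", $i); print $i }
    }'
}

# has_ssl "<curl -V text>" -> exit 0 if "SSL" is listed under Features
has_ssl() {
    printf '%s\n' "$1" | awk '
        /^Features:/ { for (i = 2; i <= NF; i++) if ($i == "SSL") found = 1 }
        END { exit !found }'
}

# insecure_flag_status "<curl -V text>" prints one of:
#   no-ssl : libcurl lacks SSL; the tool will not set verifypeer/host at all
#   ok     : tool and library versions match
#   skew-1 : tool older than 7.28.1 (sets CURLOPT_SSL_VERIFYHOST=1 for -k)
#            with a library 7.28.1+ that rejects that value (Ray's diagnosis)
#   skew   : any other tool/library version mismatch
insecure_flag_status() {
    v="$1"
    if ! has_ssl "$v"; then
        echo no-ssl
        return
    fi
    t=$(version_num "$(tool_version "$v")")
    l=$(version_num "$(lib_version "$v")")
    cutoff=$(version_num 7.28.1)   # cutoff cited in the thread (curl-7_28_1)
    if [ "$t" -eq "$l" ]; then
        echo ok
    elif [ "$t" -lt "$cutoff" ] && [ "$l" -ge "$cutoff" ]; then
        echo skew-1
    else
        echo skew
    fi
}

insecure_flag_status "$SAMPLE_CURL_V"   # prints skew-1 for the posted output
```

On a real host, run `insecure_flag_status "$(curl -V)"`; anything other than `ok` means the tool binary and the shared library were not built together, and the behaviour of -k (or any other option whose numeric values changed across releases) cannot be assumed from either version number alone.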