On 11/28/2017 2:12 PM, Hemant Kumar via curl-library wrote:
> I am using pycurl (python wrapper of libcurl) to connect to a remote
> server (HTTPS) via a proxy (HTTPS).
> While establishing SSL connection with the proxy, the certificate
> shared by proxy has both CN and SAN entries as below -
>
> Subject: C=IN, ST=KA, L=BGL, O=xxxx, OU=x, *CN=host.cust1.com*/[email protected]
> X509v3 Subject Alternative Name:
>                 DNS:host.cust1.com, *DNS:172.73.74.75*, DNS:securepr.cust1.com
> In my code, when I use the proxy's FQDN (host.cust1.com) as the proxy
> URL, the SSL verification works fine, but when I try using the IP
> address I get the below error -
>
> "SSL: no alternative certificate subject name matches target host name
> '172.73.74.75'"
>
> Should not libcurl verify the proxy URL against all the subject
> alternate names present in the received certificate or am I missing
> something here?
> Software versions used - PycURL/7.43.0 libcurl/7.56.1

In my opinion, no.

Is the PycURL string supposed to include the libcurl version string?
What SSL library is libcurl using? It should have shown you the SSL
library in the version information. I will assume OpenSSL for this reply.

libcurl w/ OpenSSL will only use iPAddress altname field for IP
addresses and dNSName altname field for host names [1]. There's some
anecdotal evidence of clients that accept IP address in dNSName [2]. I
believe those clients are wrong. The original RFC 2818 is unambiguous [3]:

   In some cases, the URI is specified as an IP address rather than a
   hostname. In this case, the iPAddress subjectAltName must be present
   in the certificate and must exactly match the IP in the URI.


[1]: https://github.com/curl/curl/blob/curl-7_56_1/lib/vtls/openssl.c#L1389
[2]: https://security.stackexchange.com/a/160809
[3]: https://tools.ietf.org/html/rfc2818#page-5
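The matching rule described in the reply, as an added example written for this thread (not libcurl's own code and not part of either message): a small, standard-library-only model of RFC 2818 subject alternative name matching. Given a SAN list in the text form OpenSSL prints (`openssl x509 -noout -text` shows the same `DNS:` / `IP Address:` labels), it decides whether a target from the proxy URL matches. An IP literal in the URL is compared only against iPAddress entries, so a `DNS:172.73.74.75` entry never matches an IP target, which is exactly the failure the original poster saw. The wildcard handling (a single `*` as the whole leftmost label, per RFC 6125) goes beyond what the thread discusses and is an assumption of this example; the SAN strings are constructed to mirror the certificate quoted above.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed SAN text, mirroring the certificate quoted in the thread:
# three dNSName entries and no iPAddress entry.
SAN_DNSNAME_ONLY = "DNS:host.cust1.com, DNS:172.73.74.75, DNS:securepr.cust1.com"

# Constructed variant of what the proxy certificate would need in order to
# be valid for an IP-literal proxy URL: an iPAddress entry for that address.
SAN_WITH_IPADDRESS = SAN_DNSNAME_ONLY + ", IP Address:172.73.74.75"


def parse_san(text: str) -> List[Tuple[str, str]]:
    """Parse OpenSSL-style SAN text ("DNS:a, IP Address:1.2.3.4") into
    (type, value) tuples. Splits each entry on its first ':' so IPv6
    values such as 'IP Address:2001:db8::1' survive intact."""
    entries = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        entries.append((kind.strip(), value.strip()))
    return entries


def _as_ip(target: str) -> Optional[ipaddress._BaseAddress]:
    """Return the parsed address if target is an IP literal, else None.
    Accepts the bracketed IPv6 form used in URLs ('[2001:db8::1]')."""
    candidate = target[1:-1] if target.startswith("[") and target.endswith("]") else target
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None


def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare a dNSName entry against a host name (assumption: RFC 6125 style).
    Case-insensitive; a wildcard is honoured only as the entire leftmost label,
    must leave at least two literal labels, and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches_target(san_text: str, target: str) -> bool:
    """Decide whether the URL host 'target' is covered by the SAN extension.
    IP-literal targets consult iPAddress entries only; host-name targets
    consult dNSName entries only. This is the RFC 2818 rule the reply cites:
    an IP address written inside a dNSName entry is simply never looked at."""
    entries = parse_san(san_text)
    ip = _as_ip(target)
    if ip is not None:
        for kind, value in entries:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                # Malformed iPAddress text: treat as non-matching, not as an error.
                continue
        return False
    return any(kind == "DNS" and dns_name_matches(value, target) for kind, value in entries)


if __name__ == "__main__":
    # Walk through the thread's two cases plus the certificate fix.
    for san, target in [
        (SAN_DNSNAME_ONLY, "host.cust1.com"),    # FQDN proxy URL: matches
        (SAN_DNSNAME_ONLY, "172.73.74.75"),      # IP proxy URL, DNS-only SAN: rejected
        (SAN_WITH_IPADDRESS, "172.73.74.75"),    # IP proxy URL, iPAddress present: matches
    ]:
        verdict = "match" if san_matches_target(san, target) else "NO MATCH"
        print(f"{target:>16} -> {verdict}")
```

The practical takeaway for whoever issues the proxy certificate: if clients will reach the proxy by IP, the certificate must carry an `IP Address:` SAN entry for it; adding the address as another `DNS:` entry, as in the certificate quoted above, changes nothing for RFC-conformant clients.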

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
