On Tue, Nov 01, 2016 at 04:28:18PM +0100, Sebastian Kloska wrote:

[ Redirecting to openssl-users. ]

> We have problems authenticating a CERT while LC_CTYPE is set to
> tr_TR.UTF-8
>
> The issue is triggered in libcurl but it seems to come out of libssl. It
> seems to be

I see nothing in the OpenSSL X.509 stack that would be sensitive
to this locale.  In particular, with OpenSSL >= 1.0.2 doing the
hostname check, both:

    LANG=tr_TR.UTF-8 /Volumes/gitvol/viktor/ssl/OpenSSL_1_0_2/bin/openssl s_client -connect www.hotmail.com:443 -CAfile /tmp/bundle.pem -verify_hostname www.hotmail.com

and

    LC_CTYPE=tr_TR.UTF-8 /Volumes/gitvol/viktor/ssl/OpenSSL_1_0_2/bin/openssl s_client -connect www.hotmail.com:443 -CAfile /tmp/bundle.pem -verify_hostname www.hotmail.com

return success.  OpenSSL 1.0.1 and earlier do not do hostname
checks, that's left to the application.  With 1.0.1 the chain alone
verifies just fine:

    $ LC_CTYPE=tr_TR.UTF-8 /.../OpenSSL_1_0_1/bin/openssl s_client -connect www.hotmail.com:443 -CAfile /tmp/bundle.pem
    CONNECTED(00000003)
    depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
    verify return:1
    depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 EV SSL CA - G3
    verify return:1
    depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Washington, businessCategory = Private Organization, serialNumber = 600413485, C = US, postalCode = 98052, ST = Washington, L = Redmond, street = 1 Microsoft Way, O = Microsoft Corporation, OU = Outlook Kahuna BAY-A Jun2015, CN = mail.live.com
    verify return:1
    ---
    Certificate chain
     0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna BAY-A Jun2015/CN=mail.live.com
       i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
     1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
       i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna BAY-A Jun2015/CN=mail.live.com
    issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5342 bytes and written 511 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-SHA384
        Session-ID: ...
        Session-ID-ctx:
        Master-Key: ...
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1478018209
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)

So it seems that any problem lies with libcurl.

-- 
        Viktor.
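
An added illustration, not code from this thread and not OpenSSL's or libcurl's implementation: where the hostname check is left to the application, as with OpenSSL 1.0.1, folding case by ASCII byte value keeps the comparison independent of LC_CTYPE. The thread does not identify what fails in libcurl; `host_matches` and its helpers are hypothetical names.

```c
#include <locale.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fold A-Z to a-z by byte value; unlike tolower(), ignores LC_CTYPE. */
static unsigned char ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + ('a' - 'A')) : c;
}

/* ASCII-only case-insensitive comparison of n bytes; returns 1 on match. */
static int ascii_ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ascii_lower((unsigned char)a[i]) != ascii_lower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Hypothetical helper: match a certificate DNS name against the requested
 * host. The certificate name is length-delimited, so an embedded NUL is
 * rejected instead of truncating the comparison. A "*." prefix matches
 * exactly one left-most label. Returns 1 on match, 0 otherwise. */
int host_matches(const char *name, size_t name_len, const char *host)
{
    size_t host_len = strlen(host);

    if (name_len == 0 || host_len == 0 || memchr(name, '\0', name_len))
        return 0;
    if (name_len > 2 && name[0] == '*' && name[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)   /* need a non-empty first label */
            return 0;
        size_t rest = host_len - (size_t)(dot - host);
        return rest == name_len - 1 && ascii_ieq(name + 1, dot, rest);
    }
    return name_len == host_len && ascii_ieq(name, host, name_len);
}

int main(void)
{
    /* The results must be the same whether or not this locale is installed. */
    setlocale(LC_CTYPE, "tr_TR.UTF-8");
    printf("%d\n", host_matches("*.live.com", 10, "MAIL.LIVE.COM"));
    printf("%d\n", host_matches("www.hotmail.com", 15, "WWW.HOTMAIL.COM"));
    return 0;
}
```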