Commit e73fe837 authored by Daniel Stenberg

- Peter Sylvester made the HTTPS test server use specific certificates for
  each test, so that the test suite can now be used to actually test the
  verification of cert names etc. This made an error show up in the OpenSSL-
  specific code where it would attempt to match the CN field even if a
  subjectAltName exists that doesn't match. This is now fixed and verified
  in test 311.
parent a9caeb10
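
The name-matching rule described in the commit message, shown as an added example that is not part of the commit or of curl's source: the pre-fix decision next to the post-fix one. The `cert_names` struct, both function names and the sample host names are hypothetical, and wildcard matching is left out.

```c
#include <stddef.h>
#include <strings.h>

enum verdict { NAME_OK = 0, NAME_MISMATCH = 1 };

/* Simplified view of a peer certificate: only the fields that matter here.
   Hypothetical type for this example, not a libcurl or OpenSSL structure. */
struct cert_names {
  const char *const *san_dns; /* dNSName entries from subjectAltName */
  size_t san_count;           /* 0 means no such entries */
  const char *cn;             /* most significant commonName, or NULL */
};

/* Exact, case-insensitive comparison; wildcard handling is left out. */
static int name_equal(const char *a, const char *b)
{
  return a && b && strcasecmp(a, b) == 0;
}

/* Pre-fix behaviour as the commit message describes it: a failed
   subjectAltName match still falls through to the CN. */
enum verdict verify_host_before(const struct cert_names *c, const char *host)
{
  size_t i;
  for(i = 0; i < c->san_count; i++)
    if(name_equal(c->san_dns[i], host))
      return NAME_OK;
  return name_equal(c->cn, host) ? NAME_OK : NAME_MISMATCH;
}

/* Post-fix behaviour: once alternative names exist, they alone decide. */
enum verdict verify_host_after(const struct cert_names *c, const char *host)
{
  size_t i;
  for(i = 0; i < c->san_count; i++)
    if(name_equal(c->san_dns[i], host))
      return NAME_OK;
  if(c->san_count)
    return NAME_MISMATCH; /* altnames existed but none matched: MUST fail */
  return name_equal(c->cn, host) ? NAME_OK : NAME_MISMATCH;
}

/* Constructed samples: CN names the host while subjectAltName names
   another host, and a certificate that carries a CN only. */
static const char *const sample_san[] = { "other.example" };
const struct cert_names sample_mismatch = { sample_san, 1, "www.example" };
const struct cert_names sample_cn_only = { NULL, 0, "www.example" };
```
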
+7 −0
@@ -7,6 +7,13 @@
                                  Changelog

Daniel Stenberg (11 Aug 2009)
- Peter Sylvester made the HTTPS test server use specific certificates for
  each test, so that the test suite can now be used to actually test the
  verification of cert names etc. This made an error show up in the OpenSSL-
  specific code where it would attempt to match the CN field even if a
  subjectAltName exists that doesn't match. This is now fixed and verified
  in test 311.

- Benbuck Nason posted the bug report #2835196
  (http://curl.haxx.se/bug/view.cgi?id=2835196), fixing a few compiler
  warnings when mixing ints and bools.
+2 −0
@@ -42,6 +42,8 @@ This release includes the following bugfixes:
 o rand seeding on libcurl on windows built with OpenSSL was not thread-safe
 o fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
 o don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds)
 o libcurl+OpenSSL would wrongly acknowledge a cert if CN matched but
   subjectAltName didn't

This release includes the following known bugs:

+6 −0
@@ -1137,6 +1137,12 @@ static CURLcode verifyhost(struct connectdata *conn,
  if(matched)
    /* an alternative name matched the server hostname */
    infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
  else if(altnames) {
    /* an alternative name field existed, but didn't match and then
       we MUST fail */
    infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
    res = CURLE_PEER_FAILED_VERIFICATION;
  }
  else {
    /* we have to look to the last occurence of a commonName in the
       distinguished one to get the most significant one. */
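
Review bot: the new `else if(altnames)` branch sets CURLE_PEER_FAILED_VERIFICATION but explains the failure only through infof(), which an application sees only with verbose output enabled; a failf() with the same "subjectAltName does not match" text would put the reason into the error buffer alongside the return code. The comment could also say which name types count toward `altnames`, since the hunk does not show whether an extension holding only non-DNS, non-IP entries takes this branch and so skips the commonName fallback.
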
+1 −1
@@ -27,7 +27,7 @@ PDFPAGES = testcurl.pdf runtests.pdf
EXTRA_DIST = ftpserver.pl httpserver.pl httpsserver.pl runtests.pl getpart.pm \
 FILEFORMAT README stunnel.pem memanalyze.pl testcurl.pl valgrind.pm ftp.pm   \
 sshserver.pl sshhelp.pm testcurl.1 runtests.1 $(HTMLPAGES) $(PDFPAGES) \
 CMakeLists.txt
 CMakeLists.txt certs/scripts/*.sh certs/Server* certs/EdelCurlRoot*

SUBDIRS = data server libtest

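Review bot: the globs added to EXTRA_DIST (`certs/scripts/*.sh`, `certs/Server*`, `certs/EdelCurlRoot*`) ship whatever happens to match in the source tree at dist time, so stray or regenerated files, and any key material sitting next to the certificates, end up in the tarball unreviewed. Listing the files explicitly, or adding a comment that everything matched under certs/ is test-only and meant for distribution, would make the contents of the release deliberate.
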
+85 −0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:5c:fb:79:f2:09
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            countryName               = NN
            organizationName          = Edel Curl Arctic Illudium Research Cloud
            commonName                = Nothern Nowhere Trust Anchor
        Validity
            Not Before: Aug  4 15:06:44 2009 GMT
            Not After : Jan  7 15:06:44 2026 GMT
        Subject:
            countryName               = NN
            organizationName          = Edel Curl Arctic Illudium Research Cloud
            commonName                = Nothern Nowhere Trust Anchor
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:b7:e7:70:4c:17:0d:0f:e6:a4:ed:81:0b:26:
                    a9:d2:16:f6:2a:9c:87:6d:8e:7e:e2:71:98:89:41:
                    97:d7:62:0b:c7:92:35:e5:09:0a:b4:67:06:59:c5:
                    3b:2f:ae:6c:ff:68:6c:af:46:a3:1f:7e:32:5a:08:
                    c4:6e:65:5c:c2:9f:99:11:4e:28:dc:37:98:d0:ab:
                    66:13:35:c6:bd:3c:6f:65:e2:5d:c2:59:21:80:68:
                    c0:85:eb:7e:a2:58:99:04:45:c3:f7:4c:39:83:fa:
                    5c:6e:6a:a0:ff:45:b7:2f:7a:bb:bb:7f:3d:2b:cb:
                    57:5f:09:24:c5:77:96:5d:1b:56:56:9a:48:51:0a:
                    f5:67:0f:67:8d:0d:82:c7:84:bf:b5:c5:f8:cd:71:
                    2f:92:cb:e8:94:96:28:04:3a:c2:2c:38:e4:9e:3c:
                    1b:89:9f:70:b6:02:b6:97:5e:2e:c1:5a:a7:af:86:
                    c2:b7:65:dc:83:8d:e7:85:72:a7:d1:f0:ba:ea:11:
                    dc:bd:7c:b5:68:89:82:15:2b:b5:91:f0:70:f5:fa:
                    e4:8c:21:fe:e7:8f:a3:16:5d:ee:a8:ff:a8:0e:22:
                    1f:3e:27:25:f5:f1:a0:55:16:f7:c2:02:79:fb:c9:
                    ac:fd:d1:ca:6e:65:3e:97:cf:f0:df:c9:b9:c4:0a:
                    87:c1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                12:6B:24:D2:4A:68:B7:A1:B0:1C:CD:BF:D6:4C:CC:40:5B:7F:E0:40
    Signature Algorithm: sha1WithRSAEncryption
        66:1e:56:86:7d:87:99:f9:9a:d9:fb:fe:9c:bf:9e:d9:90:07:
        da:9a:33:0f:72:6b:44:00:df:85:f0:ff:ed:c5:06:1c:1c:ff:
        4e:94:7d:6f:6c:7e:82:1a:82:bc:fe:ac:02:c5:1d:d0:1f:a8:
        e3:2d:a2:8d:43:8e:73:8a:b0:a4:da:0b:1d:7e:1c:e9:35:93:
        29:6d:05:9f:6d:6c:0e:09:ee:9c:1a:15:fe:8a:5e:19:d8:da:
        a0:6b:2a:d5:1d:fa:0c:af:63:55:41:42:ec:dd:3c:b0:6e:1f:
        66:67:c5:28:fd:23:1b:a6:42:98:49:f5:33:58:7b:5a:91:c7:
        9c:66:1f:53:cc:8b:79:11:a9:fa:a3:b8:5e:e1:d1:12:97:ec:
        5e:4d:c9:77:4c:03:0c:e8:80:33:57:da:d4:ce:af:c5:1b:f5:
        96:47:d4:68:da:83:3c:45:ee:84:b4:82:94:cd:65:2c:41:f1:
        45:3d:19:9b:da:7a:54:04:e4:39:b1:b5:2a:15:29:b8:99:6d:
        30:73:12:bc:7d:e3:79:f2:12:aa:e1:d7:d1:83:c4:bb:0c:bb:
        a1:36:37:84:38:de:7c:3a:d7:c8:4f:6b:d9:cb:80:2b:29:27:
        bd:c3:de:a5:2a:11:6d:b6:09:59:e6:d7:49:ae:52:89:28:3b:
        af:f0:bd:86
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
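
Review bot: the Validity block gives this test root a fixed end date (Not After : Jan  7 15:06:44 2026 GMT), so every test that verifies a chain against it will start failing on that day regardless of the code under test; a note in the test documentation on how to regenerate it, presumably with the certs/scripts/*.sh files added to EXTRA_DIST, would save a future debugging session. The commonName also reads "Nothern Nowhere Trust Anchor", which looks like a typo for "Northern" and is now fixed into both Issuer and Subject.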