[Bug 1258366] Re: curl -k breaks for some certificates after USN-2048-1

Fri Dec 6 12:33:06 UTC 2013

** Bug watch added: Debian Bug tracker #729965
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729965

** Also affects: curl (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729965
   Importance: Unknown
       Status: Unknown

** Also affects: curl (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Also affects: curl (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: curl (Ubuntu Quantal)
   Importance: Undecided
       Status: New

** Also affects: curl (Ubuntu Raring)
   Importance: Undecided
       Status: New

** Also affects: curl (Ubuntu Saucy)
   Importance: Undecided
       Status: New

** Changed in: curl (Ubuntu Raring)
       Status: New => Invalid

** Changed in: curl (Ubuntu Saucy)
       Status: New => Invalid

** Changed in: curl (Ubuntu)
       Status: Confirmed => Invalid

** Changed in: curl (Ubuntu Lucid)
       Status: New => Confirmed

** Changed in: curl (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: curl (Ubuntu Quantal)
       Status: New => Confirmed

** Changed in: curl (Ubuntu Lucid)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: curl (Ubuntu Precise)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: curl (Ubuntu Quantal)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1258366

Title:
  curl -k breaks for some certificates after USN-2048-1

Status in “curl” package in Ubuntu:
  Invalid
Status in “curl” source package in Lucid:
  Confirmed
Status in “curl” source package in Precise:
  Confirmed
Status in “curl” source package in Quantal:
  Confirmed
Status in “curl” source package in Raring:
  Invalid
Status in “curl” source package in Saucy:
  Invalid
Status in “curl” package in Debian:
  Unknown

Bug description:
  The bug:

  $ curl -sS -v -k https://jenkins.musta.ch//job/monorail_build_flow/4940/api/json
  * About to connect() to jenkins.musta.ch port 443 (#0)
  *   Trying 10.147.129.217... connected
  * successfully set certificate verify locations:
  *   CAfile: none
    CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS handshake, Server key exchange (12):
  * SSLv3, TLS handshake, Server finished (14):
  * SSLv3, TLS handshake, Client key exchange (16):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSL connection using ECDHE-RSA-AES256-SHA
  * Server certificate:
  * 	 subject: O=*.airbnb.com; OU=Domain Control Validated; CN=*.airbnb.com
  * 	 start date: 2012-10-23 18:01:55 GMT
  * 	 expire date: 2013-10-24 18:33:00 GMT
  * 	 subjectAltName does not match jenkins.musta.ch
  * Closing connection #0
  * SSLv3, TLS alert, Client hello (1):
  * SSL peer certificate or SSH remote key was not OK
  curl: (51) SSL peer certificate or SSH remote key was not OK
  ubuntu at i-60bcba0e:~$ curl -sS -v -k https://jenkins.musta.ch/
  * About to connect() to jenkins.musta.ch port 443 (#0)
  *   Trying 10.147.129.217... connected
  * successfully set certificate verify locations:
  *   CAfile: none
    CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS handshake, Server key exchange (12):
  * SSLv3, TLS handshake, Server finished (14):
  * SSLv3, TLS handshake, Client key exchange (16):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSL connection using ECDHE-RSA-AES256-SHA
  * Server certificate:
  * 	 subject: O=*.airbnb.com; OU=Domain Control Validated; CN=*.airbnb.com
  * 	 start date: 2012-10-23 18:01:55 GMT
  * 	 expire date: 2013-10-24 18:33:00 GMT
  * 	 subjectAltName does not match jenkins.musta.ch
  * Closing connection #0
  * SSLv3, TLS alert, Client hello (1):
  * SSL peer certificate or SSH remote key was not OK
  curl: (51) SSL peer certificate or SSH remote key was not OK

  The fix:

  --- a/src/main.c
  +++ b/src/main.c
  @@ -5375,7 +5375,7 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
           if(config->insecure_ok) {
             /* new stuff needed for libcurl 7.10 */
             my_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
  -          my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
  +          my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
           }
           else {
             char *home = homedir();

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1258366/+subscriptions