[Bug 1258366] Re: curl -k breaks for some certificates after USN-2048-1
Launchpad Bug Tracker
1258366 at bugs.launchpad.net
Fri Dec 6 15:09:54 UTC 2013
This bug was fixed in the package curl - 7.27.0-1ubuntu1.6
---------------
curl (7.27.0-1ubuntu1.6) quantal-security; urgency=low
* SECURITY REGRESSION: can't disable cert checking in command line tool
(LP: #1258366)
- debian/patches/CVE-2013-4545.patch: properly disable host
verification when insecure mode is used in src/tool_operate.c.
- CVE-2013-4545
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Fri, 06 Dec 2013 07:47:06 -0500
** Changed in: curl (Ubuntu Quantal)
Status: Confirmed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-4545
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1258366
Title:
curl -k breaks for some certificates after USN-2048-1
Status in “curl” package in Ubuntu:
Invalid
Status in “curl” source package in Lucid:
Fix Released
Status in “curl” source package in Precise:
Fix Released
Status in “curl” source package in Quantal:
Fix Released
Status in “curl” source package in Raring:
Invalid
Status in “curl” source package in Saucy:
Invalid
Status in “curl” package in Debian:
Fix Released
Bug description:
The bug:
$ curl -sS -v -k https://jenkins.musta.ch//job/monorail_build_flow/4940/api/json
* About to connect() to jenkins.musta.ch port 443 (#0)
* Trying 10.147.129.217... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: O=*.airbnb.com; OU=Domain Control Validated; CN=*.airbnb.com
* start date: 2012-10-23 18:01:55 GMT
* expire date: 2013-10-24 18:33:00 GMT
* subjectAltName does not match jenkins.musta.ch
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
* SSL peer certificate or SSH remote key was not OK
curl: (51) SSL peer certificate or SSH remote key was not OK
ubuntu at i-60bcba0e:~$ curl -sS -v -k https://jenkins.musta.ch/
* About to connect() to jenkins.musta.ch port 443 (#0)
* Trying 10.147.129.217... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: O=*.airbnb.com; OU=Domain Control Validated; CN=*.airbnb.com
* start date: 2012-10-23 18:01:55 GMT
* expire date: 2013-10-24 18:33:00 GMT
* subjectAltName does not match jenkins.musta.ch
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
* SSL peer certificate or SSH remote key was not OK
curl: (51) SSL peer certificate or SSH remote key was not OK
The fix:
--- a/src/main.c
+++ b/src/main.c
@@ -5375,7 +5375,7 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
if(config->insecure_ok) {
/* new stuff needed for libcurl 7.10 */
my_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
- my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
+ my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
}
else {
char *home = homedir();
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1258366/+subscriptions
More information about the foundations-bugs
mailing list