[Bug 2028188] Re: Wildcard certificate broken after 7.81.0-1ubuntu1.11 / CVE-2023-28321
Launchpad Bug Tracker
2028188 at bugs.launchpad.net
Wed Jul 19 17:59:47 UTC 2023
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: curl (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/2028188
Title:
Wildcard certificate broken after 7.81.0-1ubuntu1.11 / CVE-2023-28321
Status in curl package in Ubuntu:
Confirmed
Bug description:
On jammy, after upgrading curl:
Preparing to unpack .../curl_7.81.0-1ubuntu1.11_amd64.deb ...
Unpacking curl (7.81.0-1ubuntu1.11) over (7.81.0-1ubuntu1.10) ...
Preparing to unpack .../libcurl4_7.81.0-1ubuntu1.11_amd64.deb ...
Unpacking libcurl4:amd64 (7.81.0-1ubuntu1.11) over (7.81.0-1ubuntu1.10) ...
Preparing to unpack .../libcurl3-gnutls_7.81.0-1ubuntu1.11_amd64.deb ...
Unpacking libcurl3-gnutls:amd64 (7.81.0-1ubuntu1.11) over (7.81.0-1ubuntu1.10) ...
Setting up libcurl3-gnutls:amd64 (7.81.0-1ubuntu1.11) ...
Setting up libcurl4:amd64 (7.81.0-1ubuntu1.11) ...
Setting up curl (7.81.0-1ubuntu1.11) ...
Now my site with a CA wildcard cert fails:
"
# curl https://xxx.yyy.zzz/
curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.yyy.zzz'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
"
The site has a wildcard certificate for *.yyy.zzz
This worked before the upgrade to .11; if I downgrade to .10, it works again.
The error message looks like it expects to find the appropriate wildcard in the SubjectAltName.
From openssl x509, the server's subjects are:
Validity
Not Before: Feb 27 00:00:00 2023 GMT
Not After : Feb 27 23:59:59 2024 GMT
Subject: CN = *.yyy.zzz
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.yyy.zzz, DNS:yyy.zz
The site should be matched by both the Subject wildcard, and the first Subject Alt Name wildcard.
# lsb_release -rd
Description: Ubuntu 22.04.2 LTS
Release: 22.04
# apt-cache policy curl
curl:
Installed: 7.81.0-1ubuntu1.11
Candidate: 7.81.0-1ubuntu1.11
Version table:
*** 7.81.0-1ubuntu1.11 500
500 https://localmirror.yyy.xxx/us.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
500 https://localmirror.yyy.xxx/us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
100 /var/lib/dpkg/status
7.81.0-1 500
500 https://localmirror.yyy.xxx/us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
What you expected to happen:
Successful TLS connection to Apache
What happened instead:
Failed TLS connection with error:
curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.yyy.zzz'
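To separate a certificate problem from a client regression when triaging a report like this one, it helps to check the host name against the SAN entries with the wildcard rules curl is documented to apply (wildcard only as the entire left-most label, matching exactly one label, never for single-label or "xn--" names). The following is an added example, not code from curl or from the bug report; the SAN line and host names are constructed from the values quoted above, and the rule set is my reading of curl's host checks, not a copy of its implementation.

```python
"""Check which SAN dNSName entries should match a host name, using
RFC 6125-style wildcard rules modelled on curl's documented checks.
Constructed input from the report: host xxx.yyy.zzz and the SAN line
'DNS:*.yyy.zzz, DNS:yyy.zz' as printed by 'openssl x509 -text'."""


def parse_san_dns(san_line: str) -> list[str]:
    """Extract dNSName values from an openssl SAN extension line."""
    names = []
    for entry in san_line.split(","):
        entry = entry.strip()
        if entry.lower().startswith("dns:"):
            names.append(entry[4:].strip())
    return names


def wildcard_match(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a host name (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole left-most label, appear only once,
    # and leave at least two labels after it (*.yyy.zzz, never *.zzz).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # '*' covers exactly one label: a.xxx.yyy.zzz is not matched by *.yyy.zzz
    if len(p_labels) != len(h_labels):
        return False
    # No wildcard matching against internationalised (A-label) host labels.
    if h_labels[0].startswith("xn--"):
        return False
    return p_labels[1:] == h_labels[1:]


def matching_sans(san_line: str, host: str) -> list[str]:
    """Return every SAN entry that would satisfy host-name verification."""
    return [n for n in parse_san_dns(san_line) if wildcard_match(n, host)]


if __name__ == "__main__":
    SAN = "DNS:*.yyy.zzz, DNS:yyy.zz"  # constructed from the report
    for h in ("xxx.yyy.zzz", "yyy.zzz", "a.xxx.yyy.zzz"):
        print(h, "->", matching_sans(SAN, h) or "no match")
```

If this check reports a match for `xxx.yyy.zzz` but the client still fails with error 60, the certificate is not the problem and the client's verification code is the place to look.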
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2028188/+subscriptions