[Bug 2028170] Re: curl 7.81.0-1ubuntu1.11 fails verifying proper ssl cert w/ subj-alt-name

Loren Underwood 2028170 at bugs.launchpad.net
Fri Jul 21 08:38:55 UTC 2023 

I'm also experiencing this issue now. did update, upgrade, even reboot (this is a dev/staging web server).
Example:

ubuntu at t1:~$ curl -v https://skywaytheatre.com/wp-content/uploads/2023/01/Avatar-flyer-LOCAL-1.png
*   Trying 52.37.32.232:443...
* Connected to skywaytheatre.com (52.37.32.232) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.skywaytheatre.com
*  start date: Jul 14 10:02:27 2023 GMT
*  expire date: Oct 12 10:02:26 2023 GMT
*  subjectAltName does not match skywaytheatre.com
* SSL: no alternative certificate subject name matches target host name 'skywaytheatre.com'
* Closing connection 0
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'skywaytheatre.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

ubuntu at t1:~$ apt list curl -a
Listing... Done
curl/jammy-updates,jammy-security,now 7.81.0-1ubuntu1.13 amd64 [installed,automatic]
curl/jammy 7.81.0-1 amd64

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/2028170

Title:
  curl 7.81.0-1ubuntu1.11 fails verifying proper ssl cert w/ subj-alt-
  name

Status in curl package in Ubuntu:
  Invalid
Status in curl source package in Focal:
  Invalid
Status in curl source package in Jammy:
  Fix Released
Status in curl source package in Kinetic:
  Invalid
Status in curl source package in Lunar:
  Invalid
Status in curl source package in Mantic:
  Invalid

Bug description:
  With the latest curl 7.81.0-1ubuntu1.11 on ubuntu 22.04, I'm getting
  the following:

  curl -v https://raw.githubusercontent.com

  *   Trying 185.199.108.133:443...
  * Connected to raw.githubusercontent.com (185.199.108.133) port 443 (#0)
  [...]
  * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  * ALPN, server accepted to use h2
  * Server certificate:
  *  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.io
  *  start date: Feb 21 00:00:00 2023 GMT
  *  expire date: Mar 20 23:59:59 2024 GMT
  *  subjectAltName does not match raw.githubusercontent.com
  * SSL: no alternative certificate subject name matches target host name 'raw.githubusercontent.com'
  curl: (60) SSL: no alternative certificate subject name matches target host name 'raw.githubusercontent.com'
  More details here: https://curl.se/docs/sslcerts.html

  curl failed to verify the legitimacy of the server and therefore could not
  establish a secure connection to it. To learn more about this situation and
  how to fix it, please visit the web page mentioned above.

  --
  The alt name looks proper when looking at the cert w/ s_client:

  openssl s_client -connect raw.githubusercontent.com:443 </dev/null
  2>/dev/null | openssl x509 -noout -text

              X509v3 Subject Alternative Name:
                  DNS:*.github.io, DNS:github.io, DNS:*.github.com, DNS:github.com, DNS:www.github.com, DNS:*.githubusercontent.com, DNS:githubusercontent.com

  Previous versions of curl work as intended.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2028170/+subscriptions

More information about the foundations-bugs mailing list