
domain name with trailing dot fails the certificate check when using gnutls #13428

Closed
ryandesign opened this issue Apr 19, 2024 · 4 comments
Labels: name lookup DNS and related tech TLS

Comments

@ryandesign
Contributor

ryandesign commented Apr 19, 2024

When built using gnutls, curl cannot connect to https://pyropus.ca. possibly because the period at the end of the hostname is not being stripped for SNI purposes. This problem does not occur when curl is built using openssl. I'm not sure whether this is a curl bug or a gnutls bug.

For prior history on issues accessing this server, which intentionally uses a canonical name ending in a period, see #8290 reported by @ccazabon. There, the problem was that curl was stripping the period from the hostname for non-SNI purposes when it should not have been doing so.

I did this

curl -I https://pyropus.ca./

I expected the following

HTTP/1.1 200 OK
Date: Fri, 19 Apr 2024 16:21:47 GMT
Server: Apache/2.4.57 (Debian)
Accept-Ranges: bytes
Vary: Accept-Encoding
X-Frame-Options: sameorigin
Content-Type: text/html

but I got this

curl: (60) SSL: certificate subject name (pyropus.ca) does not match target host name 'pyropus.ca.'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

curl/libcurl version

curl 8.7.1 (x86_64-apple-darwin21.6.0) libcurl/8.7.1 GnuTLS/3.7.10 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.5 nghttp2/1.61.0 ngtcp2/1.4.0 nghttp3/1.2.0
Release-Date: 2024-03-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP UnixSockets zstd

operating system

Darwin hostname-redacted 21.6.0 Darwin Kernel Version 21.6.0: Mon Feb 19 20:24:34 PST 2024; root:xnu-8020.240.18.707.4~1/RELEASE_X86_64 x86_64

@bagder bagder added name lookup DNS and related tech TLS labels Apr 19, 2024
@bagder
Member

bagder commented Apr 20, 2024

I think this description is slightly off. The correct SNI field (without trailing dot) is actually used. The problem is rather in this call:

rc = gnutls_x509_crt_check_hostname(x509_cert, peer->hostname);

... where peer->hostname points to pyropus.ca. and GnuTLS returns 0, meaning failure.

@ryandesign
Contributor Author

I think this description is slightly off.

Likely so; I was guessing. Feel free to retitle or edit as needed.

@bagder bagder changed the title Absolute domain names do not get trailing dot stripped from SNI hostname when using gnutls domain name with trailing dot fails the certificate check when using gnutls Apr 21, 2024
@icing icing self-assigned this Apr 22, 2024
@icing
Contributor

icing commented Apr 22, 2024

Please see #13440 for the fix and added test cases.

@icing
Contributor

icing commented Apr 26, 2024

Fix and tests now in #13486.

bagder added a commit that referenced this issue Jun 14, 2024
The function we use is called 'gnutls_x509_crt_check_hostname()' but if
we pass in the hostname with a trailing dot, the check fails. If we pass
in the SNI name, which cannot have a trailing dot, it succeeds for
https://pyropus.ca./

I consider this as a flaw in GnuTLS and have submitted this issue
upstream:

  https://gitlab.com/gnutls/gnutls/-/issues/1548

In order to work with old and existing GnuTLS versions, we still need
this change no matter how they view the issue or might change it in the
future.

Fixes #13428
Reported-by: Ryan Carsten Schmidt
bagder added a commit that referenced this issue Jun 14, 2024
The function we use is called 'gnutls_x509_crt_check_hostname()' but if
we pass in the hostname with a trailing dot, the check fails. If we pass
in the SNI name, which cannot have a trailing dot, it succeeds for
https://pyropus.ca./

I consider this as a flaw in GnuTLS and have submitted this issue
upstream:

  https://gitlab.com/gnutls/gnutls/-/issues/1548

In order to work with old and existing GnuTLS versions, we still need
this change no matter how they view the issue or might change it in the
future.

Fixes #13428
Reported-by: Ryan Carsten Schmidt
Closes #13949
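The failure bagder diagnosed and the fix the commit message describes, as an added C example that is not curl's or GnuTLS's code: a helper that derives the SNI form of a host name by stripping one trailing dot, a simple RFC 6125-style comparison against a certificate name, and a check that normalizes first. The certificate name "pyropus.ca" and the wildcard inputs are constructed for illustration.

```c
#include <string.h>
#include <ctype.h>

/* Copy host into out without a single trailing dot: "pyropus.ca." -> "pyropus.ca",
 * the form sent in the TLS SNI extension (SNI cannot carry the dot).
 * Returns 0 on success, -1 if the result is empty or does not fit. */
int sni_name(const char *host, char *out, size_t outlen)
{
    size_t len = strlen(host);
    if (len && host[len - 1] == '.')
        len--;                          /* strip exactly one trailing dot */
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, host, len);
    out[len] = '\0';
    return 0;
}

/* Case-insensitive match of a certificate name (CN or dNSName SAN) against a
 * host name; a leading "*." matches exactly one label. 1 = match, 0 = no match. */
int cert_name_matches(const char *cert_name, const char *host)
{
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (!dot || dot == host)
            return 0;
        cert_name += 2;
        host = dot + 1;
    }
    for (; *cert_name && *host; cert_name++, host++)
        if (tolower((unsigned char)*cert_name) != tolower((unsigned char)*host))
            return 0;
    return *cert_name == '\0' && *host == '\0';
}

/* The corrected check: normalize the host to its SNI form before comparing,
 * so a name given with a trailing dot still matches the certificate. */
int check_host(const char *cert_name, const char *host)
{
    char sni[256];
    if (sni_name(host, sni, sizeof sni) != 0)
        return 0;
    return cert_name_matches(cert_name, sni);
}
```

Comparing the raw name, cert_name_matches("pyropus.ca", "pyropus.ca.") returns 0, which is the failure reported above; check_host("pyropus.ca", "pyropus.ca.") returns 1.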
@bagder bagder closed this as completed in 6b93190 Jun 14, 2024