schannel error for validating hosts with AltNames #3711
Comments
CERT_NAME_SEARCH_ALL_NAMES_FLAG isn't available earlier than Windows 8 as discussed here.

curl/lib/vtls/schannel_verify.c, lines 305 to 307 in 521bbbe

The curl tool doesn't set CAINFO for schannel; it does it like this:

lines 261 to 269 in 521bbbe

Likely you specified CAINFO and the CERT_NAME_SEARCH_ALL_NAMES_FLAG was not available at build time because you targeted < Windows 8. It's fixable, but I've focused on other issues. It should be possible to fix by iterating through CERT_ALT_NAME_INFO instead of using that flag.
Right, this is the case. I will make sure to not set CAINFO in combination with CURLSSLBACKEND_SCHANNEL then. Perhaps there should be a warning of some sort in the

Yeah, that's a fair point; we'll try to fix it for the next release.

Maybe turn that into a new separate issue with a description explaining it (I didn't follow it totally, I think)? I fear it mostly gets lost here.

Clues-provided-by: Jay Satiro
Clues-provided-by: Jeroen Ooms
Fixes #3711

My attempt at documenting this is now in #3874.

- Support hostname verification via alternative names (SAN) in the peer certificate when CURLOPT_CAINFO is used in Windows 7 and earlier.

CERT_NAME_SEARCH_ALL_NAMES_FLAG doesn't exist before Windows 8. As a result CertGetNameString doesn't quite work on those versions of Windows. This change provides an alternative solution for CertGetNameString by iterating through CERT_ALT_NAME_INFO for earlier versions of Windows.

Prior to this change many certificates failed the hostname validation when CURLOPT_CAINFO was used in Windows 7 and earlier. Most certificates now represent multiple hostnames and rely on the alternative names field exclusively to represent their hostnames.

Reported-by: Jeroen Ooms
Fixes #3711
Closes #4761

Fix landed in 29e40a6.
Trying to upgrade the R bindings on Windows from 7.59.1 to 7.64.1. The curl configuration is dual-ssl (openssl + schannel) with the latter being the default.

The bindings set `CURLOPT_CAINFO` to the path of our cert bundle. However, I think in libcurl 7.59.1 this option was only needed for the openssl back-end, because schannel would ignore it and use the Windows certificate store to validate certs? Not sure.

Anyway, with the new version, trying to connect to e.g. `www.github.com` fails like this:

The line below wasn't there in 7.59.1; I guess it is now using the bundle instead of the Windows certificate store for validating certs with schannel, which was probably already added in 7.60.0.

However, it doesn't seem to support AltName certs, which is why connecting to `www.github.com` fails. If we connect to `github.com` instead then it works, because `github.com` is the primary CN on the cert:

The problem does not appear when using the openssl backend (so the bundle file is not the problem), or when using schannel without setting `CURLOPT_CAINFO` (in which case I guess it uses the Windows certificate store).
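The failure reported in this issue and the fix described in the commit message above come down to one question: which names in the peer certificate are consulted when checking the hostname. The example below is added here and is not curl's code nor the schannel backend's; it models the pre-fix check (subject CN only) beside the fixed check (subjectAltName dNSName entries first, CN only as a fallback for certificates without a SAN extension) in portable C. The certificate names are constructed sample strings standing in for what would be read out of CERT_ALT_NAME_INFO on Windows, and the type and function names (`cert_names`, `verify_cn_only`, `verify_host`) are hypothetical. The wildcard rules are a simplification of the usual RFC 6125 matching, stated in the comments.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the names read out of a peer certificate: the
 * subject CN and the dNSName entries of the subjectAltName extension.
 * Real code would obtain these from CERT_ALT_NAME_INFO (CryptoAPI) or
 * X509_get_ext_d2i (OpenSSL); plain strings keep the example portable.
 * The type and function names are hypothetical, not curl's. */
typedef struct {
    const char *cn;               /* subject CN, or NULL if absent */
    const char *const *san_dns;   /* dNSName SAN entries */
    size_t san_count;
} cert_names;

/* Case-insensitive equality on whole strings (DNS names are case-insensitive). */
static bool eq_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Match a hostname against one certificate name pattern.
 * Wildcard rules (a simplification of RFC 6125 section 6.4.3, assumed here):
 *  - '*' is honoured only as the entire leftmost label ("*.example.com");
 *  - it matches exactly one label, so "*.example.com" matches neither
 *    "example.com" nor "a.b.example.com";
 *  - the pattern must keep at least two labels after the wildcard;
 *  - a '*' anywhere else makes the pattern unusable. */
static bool host_matches_pattern(const char *host, const char *pattern)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *suffix = pattern + 2;
        const char *host_dot = strchr(host, '.');
        if (!host_dot || !strchr(suffix, '.'))
            return false;
        return eq_ci(host_dot + 1, suffix);
    }
    if (strchr(pattern, '*'))
        return false;
    return eq_ci(host, pattern);
}

/* The pre-fix behaviour described in the issue: only the subject CN is
 * consulted, so www.github.com fails against CN=github.com. */
bool verify_cn_only(const cert_names *c, const char *host)
{
    return c->cn != NULL && host_matches_pattern(host, c->cn);
}

/* The fixed behaviour: if the certificate has any dNSName SAN entry, those
 * entries are authoritative and the CN is ignored; the CN is only a
 * fallback for legacy certificates without a SAN extension. */
bool verify_host(const cert_names *c, const char *host)
{
    if (c->san_count > 0) {
        for (size_t i = 0; i < c->san_count; i++)
            if (host_matches_pattern(host, c->san_dns[i]))
                return true;
        return false;
    }
    return verify_cn_only(c, host);
}

/* Constructed sample shaped like the certificate in the issue: CN=github.com
 * plus SAN entries for github.com and www.github.com (sample data, not the
 * real certificate). */
static const char *const github_sans[] = { "github.com", "www.github.com" };
const cert_names github_like = { "github.com", github_sans, 2 };

/* Constructed sample whose CN is not a hostname at all; only the SAN counts. */
static const char *const wild_sans[] = { "*.example.net" };
const cert_names wildcard_cert = { "Example Corp Frontend", wild_sans, 1 };

/* Constructed legacy sample with no SAN extension; the CN is the fallback. */
const cert_names legacy_cert = { "legacy.example.org", NULL, 0 };

int main(void)
{
    const char *hosts[] = { "github.com", "www.github.com", "api.example.net",
                            "deep.api.example.net", "example.net" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s cn-only=%d  san-aware=%d\n", hosts[i],
               verify_cn_only(&github_like, hosts[i]) ||
               verify_cn_only(&wildcard_cert, hosts[i]),
               verify_host(&github_like, hosts[i]) ||
               verify_host(&wildcard_cert, hosts[i]));
    return 0;
}
```

Running it shows `www.github.com` rejected by the CN-only path and accepted once the SAN entries are consulted, which is the behaviour change the commit describes. The CN fallback is deliberately reached only when the SAN list is empty: a certificate that carries dNSName entries must not be allowed to match on its CN, otherwise a SAN-restricted certificate could be accepted for a hostname the issuer never vouched for.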