[libcurl] certificate field get truncated #4837

bmfp · 2020-01-21T16:49:34Z

TL;DR
When using libcurl, at least "X509v3 Subject Alternative Name" field gets truncated after 512 characters, I didn't observe/test it on other fields

I did this

built https://github.com/curl/curl/raw/master/docs/examples/certinfo.c, replacing www.example.com with guce.nexage.com, which is at the end of a long SAN list
performed curl -s -v https://guce.nexage.com > /dev/null

I expected the following

with certinfo.c, show all SAN items, but got :

X509v3 Subject Alternative Name:DNS:consent.oath.com,DNS:consent.yahoo.com,DNS:guce.verizonmedia.com,DNS:guce2.oath.com,DNS:guce.alephd.com,DNS:guce.aol.ca,DNS:guce.aol.co.uk,DNS:guce.huffingtonpost.co.uk,DNS:guce.huffingtonpost.co.za,DNS:guce.huffingtonpost.com.au,DNS:guce.huffingtonpost.com.mx,DNS:guce.huffingtonpost.de,DNS:guce.huffingtonpost.es,DNS:guce.huffingtonpost.fr,DNS:guce.huffingtonpost.gr,DNS:guce.huffingtonpost.in,DNS:guce.huffingtonpost.it,DNS:guce.huffingtonpost.jp,DNS:guce.huffingtonpost.kr,DNS:guce.huffpost.com,DNS:guce

with 2nd test, show that certificate is valid : this one is ok
subjectAltName: host "guce.nexage.com" matched cert's "guce.nexage.com"

curl/libcurl version

ii  curl                                            7.58.0-2ubuntu3.8                                   amd64        command line tool for transferring data with URL syntax
ii  libcurl3-gnutls:amd64                           7.58.0-2ubuntu3.8                                   amd64        easy-to-use client-side URL transfer library (GnuTLS flavour)
ii  libcurl4:amd64                                  7.58.0-2ubuntu3.8                                   amd64        easy-to-use client-side URL transfer library (OpenSSL flavour)
ii  libcurl4-openssl-dev:amd64                      7.58.0-2ubuntu3.8                                   amd64        development files and documentation for libcurl (OpenSSL flavour)

[curl -V output]

curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

operating system

uname -a
Linux r01 5.3.0-26-generic #28~18.04.1-Ubuntu SMP Wed Dec 18 16:40:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

The text was updated successfully, but these errors were encountered:

bagder · 2020-01-22T08:49:43Z

Your -V shows your curl uses OpenSSL, so that list item libcurl3-gnutls:amd64 is probably not relevant here.

Avoid "reparsing" the content and instead deliver more exactly what is provided in the certificate and avoid truncating the data after 512 bytes as done previously. This no longer removes embedded newlines. Fixes #4837 Reported-by: bnfp on github

bmfp · 2020-01-22T10:04:44Z

@bagder you're right !
the versions were only extracted with dpkg -l | grep curl

bagder added the TLS label Jan 22, 2020

bagder mentioned this issue Jan 22, 2020

openssl: make CURLINFO_CERTINFO not truncate x509v3 fields #4841

Closed

bagder closed this as completed in 3ecdfb1 Jan 23, 2020

lock bot locked as resolved and limited conversation to collaborators Apr 25, 2020

[libcurl] certificate field get truncated #4837

[libcurl] certificate field get truncated #4837

bmfp commented Jan 21, 2020

bagder commented Jan 22, 2020

bmfp commented Jan 22, 2020

[libcurl] certificate field get truncated #4837

[libcurl] certificate field get truncated #4837

Comments

bmfp commented Jan 21, 2020

I did this

I expected the following

curl/libcurl version

operating system

bagder commented Jan 22, 2020

bmfp commented Jan 22, 2020