mbedTLS: BADCERT_CN_MISMATCH on https://1.1.1.1 with curl+mbedtls #19677
Comments
Seems the blocker is at Mbed-TLS/mbedtls#2906. The remaining question: net/curl/Config.in says default LIBCURL_MBEDTLS.
The decision to switch the default to wolfSSL was taken because of hostapd back from when curl was in base. Unfortunately, not only is wolfSSL bigger but it has also been causing issues recently. There's also no relation between hostapd and curl. Signed-off-by: Rosen Penev <rosenp@gmail.com>
Sorry, what's the actual curl issue you're reporting?
curl+mbedtls apparently does not work with numerical domains. Sounds like mbedtls should be fixed rather than curl. @gstrauss any input on this?
Mbed-TLS/mbedtls#6473 was closed with a pointer to Mbed-TLS/mbedtls#5082. I'll try to read through these this week. At first (really quick) glance, extending mbedtls to handle this might be a small change in
@neheb I submitted a PR to mbedtls in Mbed-TLS/mbedtls#6475. Since the PR is a feature addition, it is unlikely to be backported to mbedtls 2.28.1. However, I have checked that the patches apply cleanly to mbedtls 2.28.1, so you are welcome to see if those patches allow curl with (patched) mbedtls to access 1.1.1.1 without BADCERT_CN_MISMATCH. Note: my PR above does require a modern system which provides
Updated the title to reflect the current status of the issue. If the patch is needed, it would be against the OpenWrt version of mbedtls, not curl, right?
Yes
@busylog did you test this?
backport from X509 crt verify SAN iPAddress Mbed-TLS/mbedtls#6475 addresses curl built with mbedtls fails on https://1.1.1.1/ (IP address in SubjectAltName) Mbed-TLS/mbedtls#6473 filed for mbedTLS: BADCERT_CN_MISMATCH on https://1.1.1.1 with curl+mbedtls openwrt/packages#19677 Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
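An added illustration (not code from mbedtls, curl or the PR referenced in this thread) of why a verifier that matches only dNSName entries reports a name mismatch for https://1.1.1.1 while https://one.one.one.one/ succeeds. The `san_entry` struct, the `handle_ip` switch and the sample SAN list are constructed for this example, and `inet_pton` is this example's own choice for parsing the literal.

```c
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, simplified view of one SubjectAltName entry. */
enum san_type { SAN_DNS_NAME, SAN_IP_ADDRESS };
struct san_entry {
    enum san_type type;
    const unsigned char *data; /* dNSName: ASCII text; iPAddress: raw octets */
    size_t len;                /* iPAddress: 4 (IPv4) or 16 (IPv6), RFC 5280 */
};

/* Returns the octet count (4 or 16) if host is an IP literal, else 0. */
static size_t parse_ip_literal(const char *host, unsigned char out[16])
{
    if (inet_pton(AF_INET, host, out) == 1)
        return 4;
    if (inet_pton(AF_INET6, host, out) == 1)
        return 16;
    return 0;
}

/* Returns 1 on match. handle_ip=0 models a dNSName-only verifier. */
int san_matches_host(const char *host, const struct san_entry *sans,
                     size_t n, int handle_ip)
{
    unsigned char ip[16];
    size_t ip_len = handle_ip ? parse_ip_literal(host, ip) : 0;
    for (size_t i = 0; i < n; i++) {
        const struct san_entry *e = &sans[i];
        if (ip_len != 0) {
            /* IP literal: compare octets against iPAddress entries only. */
            if (e->type == SAN_IP_ADDRESS && e->len == ip_len &&
                memcmp(e->data, ip, ip_len) == 0)
                return 1;
        } else if (e->type == SAN_DNS_NAME && e->len == strlen(host) &&
                   strncasecmp((const char *)e->data, host, e->len) == 0) {
            return 1; /* exact dNSName match; wildcards left out */
        }
    }
    return 0;
}

/* Constructed sample: a SAN list with one dNSName and one IPv4 iPAddress. */
static const unsigned char ip_1111[4] = { 1, 1, 1, 1 };
static const struct san_entry sample_sans[] = {
    { SAN_DNS_NAME, (const unsigned char *)"one.one.one.one", 15 },
    { SAN_IP_ADDRESS, ip_1111, 4 },
};
```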
@busylog can you still reproduce with updated mbedtls?
Maintainer: @stangri
Environment: openwrt 22.03.2 raspberry pi 3 bcm2710
Description:
note: https://one.one.one.one/ works. ubuntu with openssl works.
limited by mbedTLS?