[Bug 2028170] Re: curl 7.81.0-1ubuntu1.11 fails verifying proper ssl cert w/ subj-alt-name
Loren Underwood
2028170 at bugs.launchpad.net
Fri Jul 21 21:38:04 UTC 2023
Marc, if there's a way I can give you access to this server that's no
problem if it would help. As I mentioned this is just a dev server for a
website. Also I just tried update/upgrade again, no go.
ubuntu at t1:~$ sudo apt update
Hit:1 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Get:3 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease [108 kB]
Get:4 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Fetched 337 kB in 1s (427 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
ubuntu at t1:~$ sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
Get more security updates through Ubuntu Pro with 'esm-apps' enabled:
gsasl-common libjs-jquery-ui php-twig libgsasl7 libmagickwand-6.q16-6
libmagickcore-6.q16-6 imagemagick-6-common
Learn more about Ubuntu Pro on AWS at https://ubuntu.com/aws/pro
#
# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:
# CVE-2023-2650: possible DoS translating ASN.1 object identifiers.
# Ensure you have updated the package to its latest version.
#
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
ubuntu at t1:~$ sudo dpkg -l | grep curl
ii curl 7.81.0-1ubuntu1.13 amd64 command line tool for transferring data with URL syntax
ii libcurl3-gnutls:amd64 7.81.0-1ubuntu1.13 amd64 easy-to-use client-side URL transfer library (GnuTLS flavour)
ii libcurl4:amd64 7.81.0-1ubuntu1.13 amd64 easy-to-use client-side URL transfer library (OpenSSL flavour)
ii php7.3-curl 7.3.33-8+ubuntu20.04.1+deb.sury.org+1 amd64 CURL module for PHP
ii php7.4-curl 1:7.4.33-1+ubuntu20.04.1+deb.sury.org+1 amd64 CURL module for PHP
ii php8.0-curl 1:8.0.26-1+ubuntu20.04.1+deb.sury.org+1 amd64 CURL module for PHP
ii php8.1-curl 8.1.2-1ubuntu2.13 amd64 CURL module for PHP
ii php8.2-curl 8.2.0-3+ubuntu20.04.1+deb.sury.org+1 amd64 CURL module for PHP
ubuntu at t1:~$
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2650
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/2028170
Title:
curl 7.81.0-1ubuntu1.11 fails verifying proper ssl cert w/ subj-alt-name
Status in curl package in Ubuntu: Invalid
Status in curl source package in Focal: Invalid
Status in curl source package in Jammy: Fix Released
Status in curl source package in Kinetic: Invalid
Status in curl source package in Lunar: Invalid
Status in curl source package in Mantic: Invalid
Bug description:
With the latest curl 7.81.0-1ubuntu1.11 on ubuntu 22.04, I'm getting
the following:
curl -v https://raw.githubusercontent.com
* Trying 185.199.108.133:443...
* Connected to raw.githubusercontent.com (185.199.108.133) port 443 (#0)
[...]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.io
* start date: Feb 21 00:00:00 2023 GMT
* expire date: Mar 20 23:59:59 2024 GMT
* subjectAltName does not match raw.githubusercontent.com
* SSL: no alternative certificate subject name matches target host name 'raw.githubusercontent.com'
curl: (60) SSL: no alternative certificate subject name matches target host name 'raw.githubusercontent.com'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
--
The alt name looks proper when looking at the cert w/ s_client:
openssl s_client -connect raw.githubusercontent.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text
X509v3 Subject Alternative Name:
DNS:*.github.io, DNS:github.io, DNS:*.github.com, DNS:github.com, DNS:www.github.com, DNS:*.githubusercontent.com, DNS:githubusercontent.com
Previous versions of curl work as intended.
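The check that curl is reporting as failed above is plain subjectAltName dNSName matching: a wildcard entry such as `*.githubusercontent.com` has to be accepted for `raw.githubusercontent.com`. The following is an added example, not code from the bug report or from the curl project, that runs the usual RFC 6125-style rules over the exact SAN line the reporter pasted: the wildcard is honoured only as the entire leftmost label, it matches exactly one label, and it never covers the bare domain. It is a simplification of what a TLS client does (it ignores IP-address SANs and IDN handling, which curl's own matcher in lib/hostcheck.c also deals with); the SAN string is copied from the s_client output above and the extra hostnames in the demo are constructed.

```python
# Added example (not from the bug report or from curl): a minimal RFC 6125-style
# check of a hostname against a certificate's subjectAltName dNSName entries.
# Rules applied: wildcard only as the whole leftmost label, it matches exactly
# one non-empty label, and it does not match the bare domain. This is a
# simplification of a real client's matcher, not curl's code.

from typing import List, Optional

# The SAN line from the bug report, copied from the 'openssl x509 -text' output.
SAN_LINE = ("DNS:*.github.io, DNS:github.io, DNS:*.github.com, DNS:github.com, "
            "DNS:www.github.com, DNS:*.githubusercontent.com, DNS:githubusercontent.com")


def parse_san_line(text: str) -> List[str]:
    """Extract the dNSName values from an 'openssl x509 -text' SAN line."""
    names = []
    for entry in text.split(","):
        entry = entry.strip()
        if entry.startswith("DNS:"):
            names.append(entry[len("DNS:"):])
    return names


def _normalise(name: str) -> str:
    # Host names are case-insensitive; a trailing dot is only an FQDN marker.
    return name.strip().rstrip(".").lower()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the SAN dNSName `pattern` covers `hostname`."""
    pattern = _normalise(pattern)
    hostname = _normalise(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole leftmost label, e.g. "*.example.com";
    # "f*o.example.com" and "www.*.example.com" are rejected outright.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse overly broad wildcards such as "*.com": require at least two
    # labels after the wildcard, as curl does.
    if len(p_labels) < 3:
        return False
    # "*" matches exactly one non-empty label, so the label counts must be
    # equal: "*.example.com" matches neither "example.com" nor "a.b.example.com".
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def find_matching_san(hostname: str, sans: List[str]) -> Optional[str]:
    """Return the first SAN entry that matches, or None (curl's exit-60 case)."""
    for san in sans:
        if dns_name_matches(san, hostname):
            return san
    return None


if __name__ == "__main__":
    sans = parse_san_line(SAN_LINE)
    # Constructed hostnames for the demo; only the first two are real targets.
    for host in ["raw.githubusercontent.com", "githubusercontent.com",
                 "a.b.githubusercontent.com", "evil.example.com"]:
        print(f"{host:30} -> {find_matching_san(host, sans)}")
```

Run stand-alone it reports `*.githubusercontent.com` for `raw.githubusercontent.com` and the exact entry for the bare domain, while a two-level-deep name and an unrelated host get `None`. The practical point: with this SAN list the certificate does cover the target, so a client reporting "no alternative certificate subject name matches" against it is a defect in the client's matcher, not a reason to reach for `-k`/`--insecure`.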