upstream curl bug #1371: p12 client certificates code is broken
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
curl (Ubuntu) | Fix Released | Medium | Unassigned |
Trusty | Fix Released | Medium | Unassigned |
Bug Description
[Impact]
The bug makes it impossible to use PKCS#12 secure storage of client certificates and private keys with any affected Ubuntu releases. The fix is one line fixing a broken switch statement and was already tested against Ubuntu 14.04 LTS with a rebuilt curl package.
This was fixed in upstream libcurl in the following bug:
https:/
The bug fix consists of one missing break statement at the end of a case in a switch statement.
I personally patched the bug using source code release curl_7.
[Test Case]
The bug can be reproduced using the following libcurl parameters (even via CLI, pycurl, etc.).
CURLOPT_SSLCERTTYPE == "P12"
CURLOPT_SSLCERT = path to PKCS#12
CURLOPT_SSLKEY = path to PKCS#12
CURLOPT_
Basically, just use a PKCS#12 format client certificate and private key against some certificate protected web server.
[Regression Potential]
If it could possibly break anything, which is extraordinarily unlikely, it would break one of the three client certificate formats (most likely PKCS#12 but also PEM or DER). Note 1/3 formats is already broken due to the bug. Client certificates of all three types could be checked to prevent this.
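The defect class described above, a switch case that lacks its closing break, shown as an added example that is not curl's source and not the reporter's patch. It assumes for illustration that the case missing the break is the PKCS#12 one; all names (`cert_fmt`, `load_cert_buggy`, `load_cert_fixed`, `working_formats`) are hypothetical and parsing is stubbed to always succeed.

```c
/* Simplified model of a certificate-format dispatch. NOT curl's source:
   every name here is hypothetical and parsing is stubbed to succeed. */
#include <stdio.h>
enum cert_fmt { FMT_PEM, FMT_DER, FMT_P12, FMT_COUNT };
static int parse_ok(enum cert_fmt fmt) { (void)fmt; return 1; }

/* Before: a successful P12 load runs on into default and is rejected. */
int load_cert_buggy(enum cert_fmt fmt)
{
  switch(fmt) {
  case FMT_PEM:
  case FMT_DER:
    if(!parse_ok(fmt)) return 0;
    break;
  case FMT_P12:
    if(!parse_ok(fmt)) return 0;
    /* falls through - the break is missing here */
  default:
    return 0; /* reported as an unsupported certificate type */
  }
  return 1;
}

/* After: the one-line fix, a break closing the P12 case. */
int load_cert_fixed(enum cert_fmt fmt)
{
  switch(fmt) {
  case FMT_PEM:
  case FMT_DER:
    if(!parse_ok(fmt)) return 0;
    break;
  case FMT_P12:
    if(!parse_ok(fmt)) return 0;
    break;
  default:
    return 0;
  }
  return 1;
}

/* Regression check over all formats: bit i is set if format i loads. */
unsigned working_formats(int (*load)(enum cert_fmt))
{
  unsigned mask = 0;
  for(int f = FMT_PEM; f < FMT_COUNT; f++)
    if(load((enum cert_fmt)f)) mask |= 1u << f;
  return mask;
}

int main(void) { printf("buggy 0x%x, fixed 0x%x\n", working_formats(load_cert_buggy), working_formats(load_cert_fixed)); return 0; }
```

In this model PEM and DER load in both versions, and only the PKCS#12 bit changes between them, which is the outcome a check of all three client certificate types would confirm.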
description: updated
tags: added: trusty
Changed in curl (Ubuntu):
milestone: none → trusty-updates
milestone: trusty-updates → none
tags: added: bitesize
Requested nomination for stable release update from Ubuntu Bug Control at 2016-03-12T00:08.