Wildcard certificate broken after 7.81.0-1ubuntu1.11 / CVE-2023-28321
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
curl (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
On jammy, after upgrading curl:
Preparing to unpack .../curl_
Unpacking curl (7.81.0-
Preparing to unpack .../libcurl4_
Unpacking libcurl4:amd64 (7.81.0-
Preparing to unpack .../libcurl3-
Unpacking libcurl3-
Setting up libcurl3-
Setting up libcurl4:amd64 (7.81.0-
Setting up curl (7.81.0-
Now my site with a CA wildcard cert fails:
"
# curl https:/
curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.yyy.zzz'
More details here: https:/
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
"
The site has a wildcard certificate for *.yyy.zzz.
This worked before the upgrade to .11, if I downgrade to .10, then it works again.
The error message looks like it expects to find the appropriate wildcard in the SubjectAltName.
From openssl x509, the server's subjects are:
Validity
Not Before: Feb 27 00:00:00 2023 GMT
Not After : Feb 27 23:59:59 2024 GMT
Subject: CN = *.yyy.zzz
X509v3 extensions:
X509v3 Subject Alternative Name:
The site should be matched by both the Subject wildcard, and the first Subject Alt Name wildcard.
# lsb_release -rd
Description: Ubuntu 22.04.2 LTS
Release: 22.04
# apt-cache policy curl
curl:
Installed: 7.81.0-1ubuntu1.11
Candidate: 7.81.0-1ubuntu1.11
Version table:
*** 7.81.0-1ubuntu1.11 500
500 https:/
500 https:/
100 /var/lib/
7.81.0-1 500
500 https:/
What you expected to happen:
Successful TLS connection to Apache
What happened instead:
Failed TLS connection with error:
curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.yyy.zzz'
I note some public certificates are failing too, usually services that provide a customer service on a unique subdomain.
Examples:
cdpjammy03# curl https://deadtous.slack.com/
curl: (60) SSL: no alternative certificate subject name matches target host name 'deadtous.slack.com'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
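As an added diagnostic example (not part of the bug report and not curl's own code), the script below applies RFC 6125 wildcard rules to the CN and dNSName entries found in `openssl x509 -noout -text` output, so a reporter can check independently whether a host like xxx.yyy.zzz should match the served certificate. The SAN list in the sample output is constructed, since the report does not show the real one.

```python
import re

# Constructed sample of `openssl x509 -noout -text` output; the SAN entries
# are invented for illustration (the bug report does not show them).
OPENSSL_TEXT = """\
Certificate:
    Data:
        Subject: CN = *.yyy.zzz
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.yyy.zzz, DNS:yyy.zzz
"""


def parse_names(text):
    """Return (cn, [dNSName entries]) parsed from openssl -text output."""
    cn = None
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    if m:
        cn = m.group(1).strip()
    sans = []
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if m:
        sans = [e.strip()[4:] for e in m.group(1).split(",")
                if e.strip().startswith("DNS:")]
    return cn, sans


def label_matches(pattern, host):
    """Match one presented identifier against a host name (RFC 6125 6.4.3)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    plabels, hlabels = p.split("."), h.split(".")
    # The wildcard must be the entire leftmost label, appear once, and be
    # followed by at least two labels so "*.zzz" cannot cover a whole TLD.
    if plabels[0] != "*" or p.count("*") != 1 or len(plabels) < 3:
        return False
    # A wildcard covers exactly one label: a.b.yyy.zzz must not match *.yyy.zzz.
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def host_matches_cert(host, text):
    """True if host matches the cert; SANs take precedence, CN is a fallback only."""
    cn, sans = parse_names(text)
    candidates = sans if sans else ([cn] if cn else [])
    return any(label_matches(p, host) for p in candidates), candidates


if __name__ == "__main__":
    ok, names = host_matches_cert("xxx.yyy.zzz", OPENSSL_TEXT)
    print("checked against", names, "->", "match" if ok else "NO MATCH")
```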