Wildcard certificate broken after 7.81.0-1ubuntu1.11 / CVE-2023-28321

Bug #2028188 reported by Colin Petrie
This bug affects 6 people
Affects: curl (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

On jammy, after upgrading curl:
Preparing to unpack .../curl_7.81.0-1ubuntu1.11_amd64.deb ...
Unpacking curl (7.81.0-1ubuntu1.11) over (7.81.0-1ubuntu1.10) ...
Preparing to unpack .../libcurl4_7.81.0-1ubuntu1.11_amd64.deb ...
Unpacking libcurl4:amd64 (7.81.0-1ubuntu1.11) over (7.81.0-1ubuntu1.10) ...
Preparing to unpack .../libcurl3-gnutls_7.81.0-1ubuntu1.11_amd64.deb ...
Unpacking libcurl3-gnutls:amd64 (7.81.0-1ubuntu1.11) over (7.81.0-1ubuntu1.10) ...
Setting up libcurl3-gnutls:amd64 (7.81.0-1ubuntu1.11) ...
Setting up libcurl4:amd64 (7.81.0-1ubuntu1.11) ...
Setting up curl (7.81.0-1ubuntu1.11) ...

Now my site with a CA wildcard cert fails:
"
# curl https://xxx.yyy.zzz/
curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.yyy.zzz'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
"

The site has a wildcard certificate for *.yyy.zzz
This worked before the upgrade to .11; if I downgrade to .10, it works again.
The error message looks like it expects to find the appropriate wildcard in the SubjectAltName.
From openssl x509, the server's subjects are:
        Validity
            Not Before: Feb 27 00:00:00 2023 GMT
            Not After : Feb 27 23:59:59 2024 GMT
        Subject: CN = *.yyy.zzz
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.yyy.zzz, DNS:yyy.zz
The site should be matched by both the Subject wildcard, and the first Subject Alt Name wildcard.

# lsb_release -rd
Description: Ubuntu 22.04.2 LTS
Release: 22.04

# apt-cache policy curl
curl:
  Installed: 7.81.0-1ubuntu1.11
  Candidate: 7.81.0-1ubuntu1.11
  Version table:
 *** 7.81.0-1ubuntu1.11 500
        500 https://localmirror.yyy.xxx/us.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        500 https://localmirror.yyy.xxx/us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     7.81.0-1 500
        500 https://localmirror.yyy.xxx/us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

What you expected to happen:
Successful TLS connection to Apache

What happened instead:
Failed TLS connection with error:
curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.yyy.zzz'
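As an added illustration (not curl's own matching code and not part of this report), the following Python matcher applies the RFC 6125 section 6.4.3 wildcard rules a TLS client is expected to enforce, including the rule that a wildcard never matches an IDN A-label (`xn--...`), which is the area the CVE-2023-28321 fix concerns. The certificate values are constructed from the anonymised CN and SAN shown above; running it shows what a correct matcher returns for `xxx.yyy.zzz` and which hosts should legitimately fail, so a reader can tell a genuinely non-matching certificate apart from a client-side regression.

```python
import re
from typing import List, Optional

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing root dot; DNS names are case-insensitive."""
    return name.strip().lower().rstrip(".")


def name_matches_host(presented: str, host: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a host name.

    Rules follow RFC 6125 section 6.4.3:
    - a wildcard is honoured only as the complete leftmost label ("*.yyy.zzz");
      "f*o.yyy.zzz" and "*.*.zzz" are rejected;
    - the wildcard matches exactly one label, so "*.yyy.zzz" covers
      "xxx.yyy.zzz" but neither "yyy.zzz" nor "a.b.yyy.zzz";
    - a wildcard needs at least two labels after it, so "*.com" is rejected;
    - a wildcard never matches an IDN A-label ("xn--...").
    """
    presented = _normalize(presented)
    host = _normalize(host)
    if not presented or not host:
        return False
    h_labels = host.split(".")
    if not all(_LABEL_RE.match(label) for label in h_labels):
        return False
    if "*" not in presented:
        return presented == host
    p_labels = presented.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    if h_labels[0].startswith("xn--"):
        return False
    return h_labels[1:] == p_labels[1:]


def parse_san_dns(san_line: str) -> List[str]:
    """Pull dNSName entries out of an 'openssl x509 -text' SAN line such as
    'DNS:*.yyy.zzz, DNS:yyy.zzz, IP Address:192.0.2.1'."""
    entries = (part.strip() for part in san_line.split(","))
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]


def cert_matches_host(san_line: str, subject_cn: Optional[str], host: str) -> bool:
    """SAN dNSName entries are authoritative when present; the subject CN is
    consulted only if the certificate carries no dNSName at all (RFC 6125 6.4.4)."""
    names = parse_san_dns(san_line)
    if not names and subject_cn:
        names = [subject_cn]
    return any(name_matches_host(n, host) for n in names)


if __name__ == "__main__":
    # Constructed from the anonymised certificate in the report above.
    san = "DNS:*.yyy.zzz, DNS:yyy.zzz"
    cn = "*.yyy.zzz"
    for target in ("xxx.yyy.zzz", "yyy.zzz", "a.b.yyy.zzz", "xn--bcher-kva.yyy.zzz"):
        print(f"{target:24s} -> {cert_matches_host(san, cn, target)}")
```

With the report's certificate, `xxx.yyy.zzz` matches the wildcard SAN and `yyy.zzz` matches the second SAN, while the multi-level and IDN hosts are rejected; a client that fails the first case against this certificate is not applying the wildcard rule the RFC describes.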

Colin Petrie (cpetrie) wrote:

I note some public certificates are failing too, usually services that provide a customer service on a unique subdomain.
Examples:

cdpjammy03# curl https://deadtous.slack.com/
curl: (60) SSL: no alternative certificate subject name matches target host name 'deadtous.slack.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Bjorn Neergaard (neersighted) wrote (last edit):

Another endpoint which is failing to verify with Jammy's curl:

$ curl https://download.docker.com
curl: (60) SSL: no alternative certificate subject name matches target host name 'download.docker.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in curl (Ubuntu):
status: New → Confirmed