
[Bug]: wolfSSL_check_domain_name for QUIC returns ok for failed SAN check

Open bagder opened this issue 1 year ago • 0 comments

Contact Details

No response

Version

built from master just a day ago

Description

When I build curl to do HTTP/3 using ngtcp2+nghttp3 and wolfSSL, I can connect to a host with a properly signed certificate but for the wrong name - without wolfSSL shouting at me.

For example, we can connect to a host that serves curl.se but insist that the host name is example, which then should fail the certificate check since there is no SAN name for example in that server. This can be tested with a curl command line

This issue was initially filed against curl here: https://github.com/curl/curl/issues/13487 (and there is a reproducer shown there)

... but the problem seems to be the wolfSSL function.

The same function (wolfSSL_check_domain_name) returns error correctly when used over TCP, like for HTTP/1 and HTTP/2.

Reproduction steps

It is a little bit complicated. I have only tried with a curl build, which can be made as described here.

Relevant log output

No response

bagder, Apr 29 '24 22:04
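For readers who want to see what the check described in this report is supposed to do, the following is an added example of a host name check against a certificate's dNSName SAN entries; it is not wolfSSL or curl code. The SAN list (curl.se plus a *.curl.se wildcard) is a constructed stand-in for the real certificate, and the function name check_domain_name is an assumption chosen to mirror the report. The point is that a name with no matching SAN entry, such as the bare host "example", must produce an error and never an OK result, regardless of whether the connection is TCP or QUIC.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of n bytes of two DNS names. */
static int ci_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

/* Match one dNSName SAN entry against a host name (RFC 6125 style):
 * - exact matches are case-insensitive;
 * - a wildcard is accepted only as the entire left-most label ("*.curl.se"),
 *   covers exactly one label, and never matches a single-label host;
 * - a wildcard anywhere else is rejected.
 * Returns 1 on match, 0 otherwise. iPAddress SANs and CN fallback are out of scope. */
static int dns_name_matches(const char *san, const char *host)
{
    size_t slen = strlen(san), hlen = strlen(host);
    if (slen == 0 || hlen == 0)
        return 0;

    if (strncmp(san, "*.", 2) == 0) {
        const char *host_dot = strchr(host, '.');
        if (host_dot == NULL || host_dot == host)
            return 0;                         /* bare label or empty first label */
        const char *san_rest = san + 1;       /* ".curl.se" */
        size_t rlen = slen - 1;
        size_t hrest = hlen - (size_t)(host_dot - host); /* length of host suffix from the dot */
        return hrest == rlen && ci_equal(san_rest, host_dot, rlen);
    }
    if (strchr(san, '*') != NULL)
        return 0;
    return slen == hlen && ci_equal(san, host, slen);
}

/* Check host against every dNSName SAN. Returns 0 when a SAN matches and
 * -1 when none does; callers must treat -1 as a hard verification failure. */
int check_domain_name(const char *const *sans, size_t nsans, const char *host)
{
    for (size_t i = 0; i < nsans; i++) {
        if (dns_name_matches(sans[i], host))
            return 0;
    }
    return -1;
}

/* Constructed SAN list standing in for the certificate served for curl.se. */
const char *const CURL_SE_SANS[] = { "curl.se", "*.curl.se" };
const size_t CURL_SE_NSANS = 2;

int main(void)
{
    const char *hosts[] = { "curl.se", "www.curl.se", "example", "a.b.curl.se", "curl.se.evil" };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        int rc = check_domain_name(CURL_SE_SANS, CURL_SE_NSANS, hosts[i]);
        printf("%-14s -> %s\n", hosts[i], rc == 0 ? "OK" : "SAN mismatch (error)");
    }
    return 0;
}
```

Running the block prints OK only for curl.se and www.curl.se; "example" and the other names are reported as errors, which is the behaviour the report expects from wolfSSL_check_domain_name over QUIC as well as over TCP.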