Re: Problems with cert authentication under Turkish locale

On 01/11/2016 17:42, Viktor Dukhovni wrote:
> On Tue, Nov 01, 2016 at 04:28:18PM +0100, Sebastian Kloska wrote:
>
> [ Redirecting to openssl-users. ]
> (I cannot see the original posts, as I am only subscribed
> to -users).
>
> > We have problems authenticating a CERT while LC_CTYPE is set to
> > tr_TR.UTF-8
> >
> > The issue is triggered in libcurl but it seems to come out of libssl. It
> > seems to be
Note that the Turkish UNICODE locales have the unusual property
that the uppercase/lowercase routines do not match ASCII "I" to
ASCII "i", to cater to the distinguishing between "dotted" and
"dotless" letter I in Turkish natural language.  It is the only
known locale to case map an ASCII character differently than the
basic ASCII algorithm presumed by the standard for Internet host
names.

So something in either OpenSSL or curl (or a combination) may
(on the OP's system) be using a locale-sensitive function to
compare e.g. "hotmail.com" and "HOTMAIL.COM", where some kind
of locale-neutral function should be used to avoid the special
handling that the Unicode standard specifies for the letter "I"
in Turkish.

> I see nothing in the OpenSSL X.509 stack that would be sensitive
> to this locale.  In particular, with OpenSSL >= 1.0.2 doing the
> hostname check, both:
>
>      LANG=tr_TR.UTF-8 /Volumes/gitvol/viktor/ssl/OpenSSL_1_0_2/bin/openssl s_client -connect www.hotmail.com:443 -CAfile /tmp/bundle.pem -verify_hostname www.hotmail.com
>
> and
>
>      LC_CTYPE=tr_TR.UTF-8 /Volumes/gitvol/viktor/ssl/OpenSSL_1_0_2/bin/openssl s_client -connect www.hotmail.com:443 -CAfile /tmp/bundle.pem -verify_hostname www.hotmail.com
>
> return success.  OpenSSL 1.0.1 and earlier do not do hostname
> checks, that's left to the application.  With 1.0.1 the chain alone
> verifies just fine:
>
>      $ LC_CTYPE=tr_TR.UTF-8 /.../OpenSSL_1_0_1/bin/openssl s_client -connect www.hotmail.com:443 -CAfile /tmp/bundle.pem
>      CONNECTED(00000003)
>      depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
>      verify return:1
>      depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 EV SSL CA - G3
>      verify return:1
>      depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Washington, businessCategory = Private Organization, serialNumber = 600413485, C = US, postalCode = 98052, ST = Washington, L = Redmond, street = 1 Microsoft Way, O = Microsoft Corporation, OU = Outlook Kahuna BAY-A Jun2015, CN = mail.live.com
>      verify return:1
>      ---
>      Certificate chain
>       0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna BAY-A Jun2015/CN=mail.live.com
>         i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
>       1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
>         i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>      ---
>      Server certificate
>      -----BEGIN CERTIFICATE-----
>      ...
>      -----END CERTIFICATE-----
>      subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna BAY-A Jun2015/CN=mail.live.com
>      issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
>      ---
>      No client certificate CA names sent
>      ---
>      SSL handshake has read 5342 bytes and written 511 bytes
>      ---
>      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
>      Server public key is 2048 bit
>      Secure Renegotiation IS supported
>      Compression: NONE
>      Expansion: NONE
>      SSL-Session:
>          Protocol  : TLSv1.2
>          Cipher    : ECDHE-RSA-AES256-SHA384
>          Session-ID: ...
>          Session-ID-ctx:
>          Master-Key: ...
>          Key-Arg   : None
>          PSK identity: None
>          PSK identity hint: None
>          SRP username: None
>          Start Time: 1478018209
>          Timeout   : 300 (sec)
>          Verify return code: 0 (ok)
>
> So it seems that any problem lies with libcurl.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
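The locale-neutral host name comparison Jakob describes, written out as an added example (not code from this thread, OpenSSL or curl): the ASCII-only fold beside the locale-sensitive strcasecmp(), with a helper that reports how strcasecmp() behaves under a named locale. It assumes tr_TR.UTF-8 is installed to observe the Turkish behaviour; where it is not, the helper says so rather than guessing.

```c
/* Added example: locale-independent case folding for host name matching.
 * Host names on the wire are ASCII (IDNs travel as A-labels), so the
 * comparison may fold only A-Z/a-z and must never consult the process
 * locale, which in tr_TR.* does not pair "I" with "i". */
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Fold the 26 ASCII capitals only; every other byte is returned as-is. */
static unsigned char ascii_tolower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + ('a' - 'A')) : c;
}

/* Case-insensitive compare with strcmp()-style result, independent of the
 * current LC_CTYPE.  Non-ASCII bytes (e.g. UTF-8 for dotted I) never match
 * an ASCII letter, which is the correct outcome for a host name. */
int hostname_casecmp(const char *a, const char *b)
{
    for (;; a++, b++) {
        int d = (int)ascii_tolower((unsigned char)*a)
              - (int)ascii_tolower((unsigned char)*b);
        if (d != 0 || *a == '\0')
            return d;
    }
}

/* The locale-sensitive route: returns 1 if strcasecmp() treats a and b as
 * equal under the named locale, 0 if not, -1 if that locale is not
 * installed (setlocale() fails).  Restores the "C" locale afterwards. */
int strcasecmp_equal_in_locale(const char *locale, const char *a, const char *b)
{
    int equal = -1;
    if (setlocale(LC_CTYPE, locale) != NULL)
        equal = (strcasecmp(a, b) == 0);
    setlocale(LC_CTYPE, "C");
    return equal;
}

int main(void)
{
    const char *want = "www.hotmail.com"; /* name the client asked for */
    const char *cert = "WWW.HOTMAIL.COM"; /* constructed certificate name */
    int tr = strcasecmp_equal_in_locale("tr_TR.UTF-8", want, cert);
    printf("strcasecmp under tr_TR.UTF-8: %s\n",
           tr < 0 ? "locale not installed" : tr ? "equal" : "NOT equal");
    printf("hostname_casecmp (any locale): %s\n",
           hostname_casecmp(want, cert) == 0 ? "equal" : "NOT equal");
    return 0;
}
```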

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users