[Bug 22709] New: crypt32 doesn't support wildcard certificates with alternate name extension
http://bugs.winehq.org/show_bug.cgi?id=22709

           Summary: crypt32 doesn't support wildcard certificates with alternate name extension
           Product: Wine
           Version: 1.1.44
          Platform: x86-64
               URL: http://earth.google.com/intl/ru/plugin/
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: crypt32
        AssignedTo: wine-bugs(a)winehq.org
        ReportedBy: NightNord(a)gmail.com

Reproducing:
1) Try to install the Google Earth browser plug-in (see the bug's URL).
2) Get a connectivity error.
3) Look in the logs for 'err:winhttp:netconn_secure_connect couldn't verify server certificate (12038)'.

12038 means "invalid CN". It tries to connect to "https://tools.google.com/service/update2", which is using a wildcard (*.google.com) certificate.

Further tracing shows that it fails in the function 'match_dns_to_subject_alt_name':

trace:chain:match_dns_to_subject_alt_name dNSName: L"*.google.com"
trace:chain:match_dns_to_subject_alt_name dNSName: L"google.com"

While the ChangeLog for 33 says that crypt32 supports wildcards, it seems that only match_dns_to_subject_dn supports them, while match_dns_to_subject_alt_name uses a dumb case-insensitive comparison with the 'strcmpiW' function.

A full +winhttp,+crypt,+chain log comes as an attachment.

P.S. Commenting out the check will not make it work either; it now fails with a 'bad request' answer from the google server. That seems to be another bug.

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=22709

--- Comment #1 from Night Nord <NightNord(a)gmail.com> 2010-05-15 12:16:48 ---
Created an attachment (id=27989)
 --> (http://bugs.winehq.org/attachment.cgi?id=27989)
Firefox installing plug-in log (+chain,+winhttp)

Ok, I've dropped the '+crypt' debug channel as it was mostly useless and the log takes up to 23Mb with it.
http://bugs.winehq.org/show_bug.cgi?id=22709

Austin English <austinenglish(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
http://bugs.winehq.org/show_bug.cgi?id=22709

--- Comment #2 from Juan Lang <juan_lang(a)yahoo.com> 2010-05-15 19:18:33 ---
Sigh. The trouble is, the certificate is invalid for tools.google.com according to the RFCs: * is not a valid character in DNS names, therefore it's invalid in the DNS name form in the alternate name extension. If an alternate name extension is present, it MUST be checked (and * doesn't match anything.)

So, either crypt32 is non-compliant, or winhttp is. Tests needed, of course.
http://bugs.winehq.org/show_bug.cgi?id=22709

--- Comment #3 from Night Nord <NightNord(a)gmail.com> 2010-05-16 06:31:54 ---
You're speaking about native crypt32/winhttp now, right?

But it seems that wget/curl/openssl/mozilla/opera and dozens of other programs take this certificate as valid.

Also: http://en.wikipedia.org/wiki/Wildcard_DNS_record
http://bugs.winehq.org/show_bug.cgi?id=22709

--- Comment #4 from Juan Lang <juan_lang(a)yahoo.com> 2010-05-16 11:20:50 ---
openssl doesn't support/validate the alternative name extension. And I'm familiar with wildcard DNS names in certificates. I've already stated why this one is invalid: a * character is valid in the certificate's common name, but not in the DNS name field. At least, not according to RFC 5280/1034.

I'm not disagreeing that this is a bug, I'm just stating that common practice appears to violate the RFCs. The RFCs are probably underspecified here, though.

In any case, what's really needed is a test for this.
http://bugs.winehq.org/show_bug.cgi?id=22709

--- Comment #5 from Juan Lang <juan_lang(a)yahoo.com> 2010-05-19 20:24:03 ---
Well, I'm full of bad information in this one:

First, though it's off-topic for this bug, openssl does support the subject alternative name extension. (It doesn't support the name constraints extension, which is what I was thinking of when I piped up.)

Second, RFC 1034 does describe wildcard RRs, so naturally the * is allowed in DNS names. I'd read somewhere that it wasn't, but I should have read the RFC more carefully.

I've got a patch series that demonstrates the problem that I'll send in. I may or may not have a chance to fix it before the code freeze.
http://bugs.winehq.org/show_bug.cgi?id=22709

--- Comment #6 from Juan Lang <juan_lang(a)yahoo.com> 2010-05-20 10:58:41 ---
I sent a patch: http://www.winehq.org/pipermail/wine-patches/2010-May/088718.html
http://bugs.winehq.org/show_bug.cgi?id=22709

Juan Lang <juan_lang(a)yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |FIXED

--- Comment #7 from Juan Lang <juan_lang(a)yahoo.com> 2010-05-21 12:18:02 ---
Fixed by commit c79aad51cd21e1da941dcc003379957065253715.
http://bugs.winehq.org/show_bug.cgi?id=22709

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #8 from Alexandre Julliard <julliard(a)winehq.org> 2010-05-21 14:40:22 ---
Closing bugs fixed in 1.2-rc1.
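As an added illustration of the matching logic this thread is about (example code written for this page; it is not Wine's crypt32 and not the patch Juan Lang sent): match_dns_naive is the plain case-insensitive comparison the reporter describes for match_dns_to_subject_alt_name, and match_dns_wildcard treats a leading '*' label as matching exactly one host label, so the dNSName "*.google.com" from the trace accepts tools.google.com but not google.com or a.b.google.com. The SAN entries and host names are constructed sample input. The rules applied are an assumption: a strict, leftmost-label-only reading of RFC 2818 / RFC 6125 that also rejects partial wildcards such as "f*.google.com" and requires at least two labels after the wildcard, which is stricter than RFC 2818's text allows.

```c
/* Added example, not Wine code: wildcard matching of subjectAltName dNSName
 * entries against a host name. Matching rules are an assumption (strict
 * leftmost-label-only reading of RFC 2818 / RFC 6125). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive comparison of two DNS labels of known length. */
static int label_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    size_t i;
    if (alen != blen) return 0;
    for (i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Plain case-insensitive comparison, the behaviour the report describes:
 * "*.google.com" never equals "tools.google.com". */
int match_dns_naive(const char *name, const char *host)
{
    return label_equal(name, strlen(name), host, strlen(host));
}

/* Wildcard-aware comparison of one dNSName against a host name.
 *  - '*' is accepted only as the entire leftmost label, followed by at least
 *    two more labels ("*.google.com" yes; "*", "*.com", "f*.google.com" and
 *    "tools.*.com" no);
 *  - the wildcard matches exactly one non-empty label, so "*.google.com"
 *    matches "tools.google.com" but not "google.com" or "a.b.google.com";
 *  - all other labels are compared case-insensitively, label by label.
 * Returns 1 on match, 0 otherwise. */
int match_dns_wildcard(const char *name, const char *host)
{
    const char *np = name, *hp = host, *p;
    int wildcard = 0, dots = 0;

    if (!*name || !*host) return 0;

    if (name[0] == '*') {
        if (name[1] != '.') return 0;          /* "*foo.com" is a partial label */
        for (p = name + 1; *p; p++) {
            if (*p == '*') return 0;           /* only one wildcard allowed */
            if (*p == '.') dots++;
        }
        if (dots < 2) return 0;                /* "*.com" is too broad */
        wildcard = 1;
    } else if (strchr(name, '*')) {
        return 0;                              /* wildcard not in leftmost label */
    }

    for (;;) {
        const char *ndot = strchr(np, '.');
        const char *hdot = strchr(hp, '.');
        size_t nlen = ndot ? (size_t)(ndot - np) : strlen(np);
        size_t hlen = hdot ? (size_t)(hdot - hp) : strlen(hp);

        if (wildcard && np == name) {
            if (hlen == 0) return 0;           /* '*' must consume one real label */
        } else if (!label_equal(np, nlen, hp, hlen)) {
            return 0;
        }
        if (!ndot || !hdot)
            return ndot == NULL && hdot == NULL; /* both names must end together */
        np = ndot + 1;
        hp = hdot + 1;
    }
}

/* Check a host against every dNSName in a subjectAltName list. Once a SAN
 * extension is present, it is this list that must be checked, not the CN. */
int match_any_san_dns(const char *const *names, size_t count, const char *host)
{
    size_t i;
    for (i = 0; i < count; i++)
        if (match_dns_wildcard(names[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: the two dNSName entries from the trace in the report. */
    static const char *const san[] = { "*.google.com", "google.com" };
    static const char *const hosts[] = { "tools.google.com", "google.com",
                                         "a.b.google.com", "evil.com" };
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-18s naive=%d wildcard=%d\n", hosts[i],
               match_dns_naive(san[0], hosts[i]),
               match_any_san_dns(san, 2, hosts[i]));
    return 0;
}
```

The naive column is 0 for every host except an exact match, which is the 12038 "invalid CN" failure in the report; the wildcard column accepts tools.google.com through "*.google.com" and google.com through the second SAN entry, and rejects the multi-level and unrelated names.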