Score:7

SSL: no alternative certificate subject name matches | New release of CURL(USN-6237-1) brings suffering

Since the new release of CURL https://ubuntu.com/security/notices/USN-6237-1 we experience a problem with the curl command on Ubuntu:

sudo apt update -y && sudo apt install --no-install-recommends -y curl
curl -vvv https://downloads.apache.org/maven/maven-3/3.8.8/binaries/

Error:

*   Trying 88.99.95.219:443...
* Connected to downloads.apache.org (88.99.95.219) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4583 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.apache.org
*  start date: Jun 29 00:00:00 2022 GMT
*  expire date: Jul 30 23:59:59 2023 GMT
*  subjectAltName does not match downloads.apache.org
* SSL: no alternative certificate subject name matches target host name 'downloads.apache.org'
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (60) SSL: no alternative certificate subject name matches target host name 'downloads.apache.org'
More details here: https://curl.se/docs/sslcerts.html

How to fix it? Should we from now on control 3rd-party certs somehow? It worked yesterday. Thanks in advance.

Score:11

Looks like there was a broken backport for a security fix. Should be fixed in 7.81.0-1ubuntu1.13, which fixes 7.81.0-1ubuntu1.11. From https://launchpad.net/ubuntu/jammy/+source/curl/+changelog:

curl (7.81.0-1ubuntu1.13) jammy-security; urgency=medium

  * SECURITY REGRESSION: broken ssl cert wildcard handling (LP: #2028170)
    - debian/patches/CVE-2023-28321.patch: fix missing line in backport.

 -- Marc Deslauriers <email address hidden>  Wed, 19 Jul 2023 12:23:36 -0400

curl (7.81.0-1ubuntu1.11) jammy-security; urgency=medium

  * SECURITY UPDATE: improper certificate validation vulnerability
    - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
      in lib/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
    - CVE-2023-28321
Sergei Varaksin: Thank you! I appreciate your answer.
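The check that fails in the log above is the SAN wildcard match: the certificate carries *.apache.org and the target is downloads.apache.org, which a correct matcher must accept. As an added example (my own code, not curl's lib/hostcheck.c and not the Ubuntu patch), here is a strict dNSName wildcard matcher in Python following the rules I assume a correct implementation enforces, modelled on RFC 6125 section 6.4.3: the wildcard must be the whole leftmost label, it stands in for exactly one non-empty label, the pattern needs at least two dots, an IP-address host never matches a wildcard, and comparison is case-insensitive. The function names and the SAMPLE_SANS list are mine; the real certificate's SAN list is not shown on this page.

```python
import ipaddress
from typing import Iterable, Optional


def san_wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the dNSName SAN entry `pattern` covers `hostname`.

    Assumption (not curl's code): rules modelled on RFC 6125 section 6.4.3.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname or "*" in hostname:
        return False

    if "*" not in pattern:
        return pattern == hostname  # plain name: exact match only

    # A wildcard never covers an IP-address "host name".
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # The wildcard must be the entire leftmost label and appear nowhere else:
    # "d*.apache.org" and "*.*.org" are rejected outright here.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False

    # At least two dots: "*.org" would cover every .org name.
    if len(p_labels) < 3:
        return False

    # The wildcard stands in for exactly one non-empty label, so
    # "*.apache.org" covers "downloads.apache.org" but neither "apache.org"
    # nor "a.b.apache.org".
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False

    return h_labels[1:] == p_labels[1:]


def first_matching_san(san_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry covering `hostname`, or None.

    None is the condition behind curl's "no alternative certificate subject
    name matches target host name" error.
    """
    for name in san_names:
        if san_wildcard_matches(name, hostname):
            return name
    return None


# Constructed sample SAN list (assumption): the CN seen in the log plus the
# bare apex name. The real certificate's SAN list is not on this page.
SAMPLE_SANS = ["*.apache.org", "apache.org"]

if __name__ == "__main__":
    for host in ("downloads.apache.org", "apache.org", "a.b.apache.org", "apache.net"):
        print(f"{host:24s} -> {first_matching_san(SAMPLE_SANS, host)}")
```

With these rules the log's own case resolves to *.apache.org, so a build that reports "subjectAltName does not match downloads.apache.org" for that pair is misbehaving in the matcher, not in the CA store; that is why swapping CA bundles, as the comments below note, cannot help.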
Score:4

Methods to get to the older version:

Remove it and use apt to install the previous version. Here is the most active topic on AU on this: How to downgrade a package via apt-get?

It is also possible to install from source. That might be a better method: you can leave the apt version as is, wait for an update/bug fix and try the new one alongside the source-install version.

Check if any of these fixes your issue. If so, file a bug report. If you want to stick to the older apt version, pin the package.

Sergei Varaksin: Thanks @Rinzwind! We did just that: downgraded the version of curl and the library. That helped. But the bottom line is that this is a crutch. I hope the fix doesn't take too long.

Steffen Ullrich: @Rinzwind: there seems to be a newly introduced bug in the code validating the certificate subject alternative names, while trying to fix a bug there. So using different CA certificates will not help. The bug happens for me too.

Oh thanks, saves me searching :D (because I am likely to face this at work in a few days too :D)

Sergei Varaksin: Yeah... but it doesn't work for me as of today. Yesterday there was a new release. I'll try to open a bug ticket.

Steffen Ullrich: @SergeiVaraksin: no need, the bug is already known and fixed in the latest update. I'll create an answer.

Sergei Varaksin: @SteffenUllrich Ooo, great! Thanks) Will wait.
Score:4

This is a confirmed bug: https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2028170

They have already fixed it by reverting the changes and the new package version will be live soon.

Sergei Varaksin: Thanks for letting me know! Will file a bug report in the corresponding resources next time.