Public bug reported:

On jammy, after upgrading curl:

Preparing to unpack .../curl_7.81.0-1ubuntu1.11_amd64.deb ...
Unpacking curl (7.81.0-1ubuntu1.11) over (7.81.0-1ubuntu1.10) ...
Preparing to unpack .../libcurl4_7.81.0-1ubuntu1.11_amd64.deb ...
Unpacking libcurl4:amd64 (7.81.0-1ubuntu1.11) over (7.81.0-1ubuntu1.10) ...
Preparing to unpack .../libcurl3-gnutls_7.81.0-1ubuntu1.11_amd64.deb ...
Unpacking libcurl3-gnutls:amd64 (7.81.0-1ubuntu1.11) over (7.81.0-1ubuntu1.10) ...
Setting up libcurl3-gnutls:amd64 (7.81.0-1ubuntu1.11) ...
Setting up libcurl4:amd64 (7.81.0-1ubuntu1.11) ...
Setting up curl (7.81.0-1ubuntu1.11) ...

Now my site with a CA wildcard cert fails:

"
# curl https://xxx.yyy.zzz/
curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.yyy.zzz'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
"

The site has a wildcard certificate for *.yyy.zzz

This worked before the upgrade to .11; if I downgrade to .10, then it works again.

The error message looks like it expects to find the appropriate wildcard in the SubjectAltName.

From openssl x509, the server's subjects are:

        Validity
            Not Before: Feb 27 00:00:00 2023 GMT
            Not After : Feb 27 23:59:59 2024 GMT
        Subject: CN = *.yyy.zzz
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.yyy.zzz, DNS:yyy.zz

The site should be matched by both the Subject wildcard, and the first Subject Alt Name wildcard.

# lsb_release -rd
Description:    Ubuntu 22.04.2 LTS
Release:        22.04

# apt-cache policy curl
curl:
  Installed: 7.81.0-1ubuntu1.11
  Candidate: 7.81.0-1ubuntu1.11
  Version table:
 *** 7.81.0-1ubuntu1.11 500
        500 https://localmirror.yyy.xxx/us.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        500 https://localmirror.yyy.xxx/us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     7.81.0-1 500
        500 https://localmirror.yyy.xxx/us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

What you expected to happen:
Successful TLS connection to Apache

What happened instead:
Failed TLS connection with error:
curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.yyy.zzz'

** Affects: curl (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/2028188

Title:
  Wildcard certificate broken after 7.81.0-1ubuntu1.11 / CVE-2023-28321

Status in curl package in Ubuntu:
  New
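To make it possible to check offline what result the reporter is entitled to expect from the certificate names quoted above, here is an independent matcher written for this page. It is not curl's implementation and not part of the bug report; it applies the conservative RFC 6125 section 6.4.3 rules for DNS-ID comparison (wildcard only as the entire left-most label, matching exactly one label, never an IP literal), which is what a "no alternative certificate subject name matches" error is asserting failed. The SAN list is copied from the report as printed, including the "yyy.zz" entry.

```python
import ipaddress

# Independent reference matcher for certificate DNS names (added example; not curl's code).
# Rules follow RFC 6125 section 6.4.3, conservative reading:
#   - comparison is case-insensitive, label by label, trailing dot ignored
#   - a wildcard is allowed only as the whole left-most label ("*.example.com")
#   - the wildcard stands for exactly one label: it matches neither "a.b.example.com"
#     nor the bare "example.com"
#   - patterns with fewer than two labels after the wildcard ("*.com") are refused
#   - a wildcard never matches a host given as an IP literal


def _split_labels(name):
    """Lower-case and split a DNS name into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def _looks_like_ip(hostname):
    """True if hostname is an IPv4/IPv6 literal (optionally bracketed)."""
    try:
        ipaddress.ip_address(hostname.strip("[]"))
        return True
    except ValueError:
        return False


def dns_id_matches(pattern, hostname):
    """Return True if a certificate DNS name (CN or SAN dNSName) matches hostname."""
    p_labels = _split_labels(pattern)
    h_labels = _split_labels(hostname)
    # Reject empty names and empty labels such as "a..b".
    if not p_labels or not h_labels or "" in p_labels or "" in h_labels:
        return False
    if "*" not in pattern:
        # Exact (case-insensitive) label-by-label comparison.
        return p_labels == h_labels
    # Wildcard must be the entire left-most label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False  # refuse "*.com"-style patterns
    if len(h_labels) != len(p_labels):
        return False  # "*" covers exactly one label, so label counts must agree
    if _looks_like_ip(hostname):
        return False  # wildcards never apply to IP literals
    return p_labels[1:] == h_labels[1:]


def find_matching_san(san_dns_names, hostname):
    """Return the first SAN dNSName that matches hostname, or None if nothing does.

    None is the condition curl reports as
    'no alternative certificate subject name matches target host name'.
    """
    for name in san_dns_names:
        if dns_id_matches(name, hostname):
            return name
    return None


# SAN entries copied from the openssl x509 output quoted in the bug report.
REPORTED_SANS = ["*.yyy.zzz", "yyy.zz"]
REPORTED_HOST = "xxx.yyy.zzz"

if __name__ == "__main__":
    print(f"{REPORTED_HOST} matched by SAN: {find_matching_san(REPORTED_SANS, REPORTED_HOST)!r}")
```

Run as a script it reports which SAN entry covers the reporter's host name; under these rules "*.yyy.zzz" does match "xxx.yyy.zzz", so a verifier that rejects it is applying stricter rules than RFC 6125 (or, as the report suggests, consulting a different name set than the one printed by openssl). The same function also shows the cases a correct matcher must still reject: a second sub-level ("a.xxx.yyy.zzz"), the bare domain ("yyy.zzz"), partial-label wildcards ("x*.yyy.zzz") and IP literals.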