http://bugs.winehq.org/show_bug.cgi?id=22709
Summary: crypt32 doesn't support wildcard certificates with alternate name extension
Product: Wine
Version: 1.1.44
Platform: x86-64
URL: http://earth.google.com/intl/ru/plugin/
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: crypt32
AssignedTo: wine-bugs@winehq.org
ReportedBy: NightNord@gmail.com

Reproducing:
1) Try to install the Google Earth browser plug-in (see the bug's URL).
2) Get a connectivity error.
3) Look in the logs for 'err:winhttp:netconn_secure_connect couldn't verify server certificate (12038)'.
12038 means "invalid CN"
It tries to connect to "https://tools.google.com/service/update2", which is using wildcard (*.google.com) certificate.
Further tracing shows that it fails in the function 'match_dns_to_subject_alt_name':
trace:chain:match_dns_to_subject_alt_name dNSName: L"*.google.com"
trace:chain:match_dns_to_subject_alt_name dNSName: L"google.com"

While the ChangeLog for 33 says that crypt32 supports wildcards, it seems that only match_dns_to_subject_dn supports them, while match_dns_to_subject_alt_name uses a dumb case-insensitive comparison with the 'strcmpiW' function.
The full +winhttp,+crypt,+chain log comes as an attachment.

P.S. Commenting out the check does not make it work either; it now fails with a 'bad request' answer from the Google server. That seems to be another bug.
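As an added illustration (not Wine's code, and not taken from the patch referenced later), here is the kind of dNSName comparison the reporter says is missing: a case-insensitive match that accepts a single leftmost-label wildcard, checked against a constructed name list matching the trace above. The function names and the list are assumptions for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive comparison of two equal-length byte ranges. */
static bool eq_ci(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Match a host name against one dNSName entry. A plain name must match
 * case-insensitively; a pattern of the form "*.domain" matches exactly one
 * leftmost label, so "*.google.com" matches "tools.google.com" but neither
 * "google.com" nor "a.b.google.com". A '*' anywhere else is rejected. */
bool match_dns_name(const char *host, const char *dns_name)
{
    size_t hlen = strlen(host), plen = strlen(dns_name);
    const char *star = strchr(dns_name, '*');

    if (!star)  /* no wildcard: exact (case-insensitive) match only */
        return hlen == plen && eq_ci(host, dns_name, hlen);

    /* Only a bare "*" forming the entire leftmost label is accepted. */
    if (star != dns_name || dns_name[1] != '.' || strchr(star + 1, '*'))
        return false;

    /* The host must have a non-empty first label followed by a dot. */
    const char *dot = strchr(host, '.');
    if (!dot || dot == host)
        return false;

    /* Everything after the host's first label must equal the pattern's
     * suffix (e.g. ".google.com"), which is the pattern minus its '*'. */
    size_t suffix_len = plen - 1;
    size_t rest_len = hlen - (size_t)(dot - host);
    return rest_len == suffix_len && eq_ci(dot, dns_name + 1, suffix_len);
}

/* Constructed dNSName list mirroring the two entries in the trace. */
const char *const google_names[] = { "*.google.com", "google.com" };

/* Accept the host if any dNSName entry in the extension matches it. */
bool host_matches_any(const char *host, const char *const *names, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (match_dns_name(host, names[i]))
            return true;
    return false;
}
```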
--- Comment #1 from Night Nord NightNord@gmail.com 2010-05-15 12:16:48 ---
Created an attachment (id=27989) --> (http://bugs.winehq.org/attachment.cgi?id=27989)
Firefox installing plug-in log (+chain,+winhttp)
Ok, I've dropped the '+crypt' debug channel as it was mostly useless and the log takes up to 23 MB with it.
Austin English austinenglish@gmail.com changed:
What      |Removed      |Added
----------------------------------------------------------------------------
Keywords  |             |download
--- Comment #2 from Juan Lang juan_lang@yahoo.com 2010-05-15 19:18:33 ---
Sigh. The trouble is, the certificate is invalid for tools.google.com according to the RFCs: * is not a valid character in DNS names, therefore it's invalid in the DNS name form in the alternate name extension. If an alternate name extension is present, it MUST be checked (and * doesn't match anything.) So, either crypt32 is non-compliant, or winhttp is. Tests needed, of course.
--- Comment #3 from Night Nord NightNord@gmail.com 2010-05-16 06:31:54 ---
You're speaking about native crypt32/winhttp now, right?
But it seems that wget/curl/openssl/mozilla/opera and dozens of other programs accept this certificate as valid.
Also: http://en.wikipedia.org/wiki/Wildcard_DNS_record
--- Comment #4 from Juan Lang juan_lang@yahoo.com 2010-05-16 11:20:50 ---
openssl doesn't support/validate the alternative name extension. And I'm familiar with wildcard DNS names in certificates. I've already stated why this one is invalid: a * character is valid in the certificate's common name, but not in the DNS name field. At least, not according to RFC 5280/1034.
I'm not disagreeing that this is a bug, I'm just stating that common practice appears to violate the RFCs. The RFCs are probably underspecified here, though. In any case, what's really needed is a test for this.
--- Comment #5 from Juan Lang juan_lang@yahoo.com 2010-05-19 20:24:03 ---
Well, I'm full of bad information in this one: First, though it's off-topic for this bug, openssl does support the subject alternative name extension. (It doesn't support the name constraints extension, which is what I was thinking of when I piped up.) Second, RFC 1034 does describe wildcard RRs, so naturally the * is allowed in DNS names. I'd read somewhere that it wasn't, but I should have read the RFC more carefully.
I've got a patch series that demonstrates the problem that I'll send in. I may or may not have a chance to fix it before the code freeze.
--- Comment #6 from Juan Lang juan_lang@yahoo.com 2010-05-20 10:58:41 ---
I sent a patch: http://www.winehq.org/pipermail/wine-patches/2010-May/088718.html
Juan Lang juan_lang@yahoo.com changed:
What        |Removed      |Added
----------------------------------------------------------------------------
Status      |UNCONFIRMED  |RESOLVED
Resolution  |             |FIXED

--- Comment #7 from Juan Lang juan_lang@yahoo.com 2010-05-21 12:18:02 ---
Fixed by commit c79aad51cd21e1da941dcc003379957065253715.
Alexandre Julliard julliard@winehq.org changed:
What        |Removed      |Added
----------------------------------------------------------------------------
Status      |RESOLVED     |CLOSED

--- Comment #8 from Alexandre Julliard julliard@winehq.org 2010-05-21 14:40:22 ---
Closing bugs fixed in 1.2-rc1.