Package: libcurl3
Version: 7.21.0-2.1+squeeze5
Severity: important

Hi, I believe I've found a regression in the recent libcurl3 DSA update.  
Basically, it doesn't seem to be respecting the --insecure option in all 
cases.

This now fails:

# aptitude -PV install libcurl3=7.21.0-2.1+squeeze5
# curl -s -S --insecure https://backend-host-that-does-not-match-service-name > /dev/null
curl: (51) SSL peer certificate or SSH remote key was not OK

But this succeeds:

# aptitude -PV install libcurl3=7.21.0-2.1+squeeze4
# curl -s -S --insecure https://backend-host-that-does-not-match-service-name > /dev/null


Unfortunately, I haven't found a good test case for it at publicly 
accessible internet sites.  For instance, these still work as expected:

# curl -s -S --insecure https://74.125.225.40 > /dev/null
# curl -s -S https://74.125.225.40 > /dev/null
curl: (51) SSL: certificate subject name '*.google.com' does not match target host name '74.125.225.40'

So, I guess poke me offline if you need some extra details to help track 
this down.

I'll also note that wheezy versions don't seem to have this issue.

Thanks,
Brian

-- System Information:
Debian Release: 6.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libcurl3 depends on:
ii  ca-certificates    20090814+nmu3squeeze1 Common CA certificates
ii  libc6              2.11.3-4              Embedded GNU C Library: Shared lib
ii  libgssapi-krb5-2   1.8.3+dfsg-4squeeze7  MIT Kerberos runtime libraries - k
ii  libidn11           1.15-2                GNU Libidn library, implementation
ii  libldap-2.4-2      2.4.23-7.3            OpenLDAP libraries
ii  libssh2-1          1.2.6-1               SSH2 client-side library
ii  libssl0.9.8        0.9.8o-4squeeze14     SSL shared libraries
ii  zlib1g             1:1.2.3.4.dfsg-3      compression library - runtime

libcurl3 recommends no packages.

libcurl3 suggests no packages.

-- no debconf information

