[Webkit-unassigned] [Bug 208806] New: [Curl] WKCertificateInfoGetVerificationError function doesn't return an error code when the browser accesses https://wrong.host.badssl.com

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 9 06:40:19 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=208806

            Bug ID: 208806
           Summary: [Curl] WKCertificateInfoGetVerificationError function
                    doesn't return an error code when the browser accesses
                    https://wrong.host.badssl.com
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Platform
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: Takashi.Komori at sony.com

wrong.host.badssl.com is a test site which provides a wrong cert.
When the curl port accesses the site, the browser warns that the cert is wrong, but when the browser calls WKCertificateInfoGetVerificationError, it doesn't return an error code.

This is because the process of TLS verification has the two stages below, and the curl port checks only the result of the first stage.
stage 1) OpenSSL checks the validity of the certificate itself and the certificate chain.
stage 2) curl checks the content of the cert against the common name.

wrong.host.badssl.com provides a wildcard cert for *.badssl.com, and the invalidity is detected in stage 2.
Now the curl port doesn't use the result of stage 2, so the WKCertificateInfoGetVerificationError function doesn't return an error code.
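The two-stage check the report describes, as an added illustration rather than code from WebKit or curl: stage 1 is modelled as a boolean chain result, stage 2 applies the RFC 6125 host-name rule (a wildcard is accepted only as the whole leftmost label and covers exactly one label, which is why *.badssl.com does not cover wrong.host.badssl.com), and the names VerificationError, dns_name_matches, verification_error and PeerResult are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class VerificationError(Enum):
    NONE = 0
    CHAIN_INVALID = 1   # stage 1: OpenSSL rejected the certificate or its chain
    HOST_MISMATCH = 2   # stage 2: no dNSName in the cert matches the requested host


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison of one dNSName entry against the host.

    A wildcard must be the entire leftmost label and matches exactly one label,
    so '*.badssl.com' covers 'wrong.badssl.com' but not 'wrong.host.badssl.com'.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False      # partial ('w*.example') or non-leftmost wildcards are rejected
    if len(p_labels) < 3:
        return False      # '*.com' would cover an entire top-level domain
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


@dataclass
class PeerResult:
    chain_ok: bool              # stage 1 outcome as reported by the TLS library
    san_dns_names: list         # dNSName entries from the presented certificate
    requested_host: str         # host name the client actually connected to


def verification_error(peer: PeerResult, use_stage2: bool = True) -> VerificationError:
    """Combine both stages; use_stage2=False reproduces the reported behaviour."""
    if not peer.chain_ok:
        return VerificationError.CHAIN_INVALID
    if use_stage2 and not any(dns_name_matches(n, peer.requested_host)
                              for n in peer.san_dns_names):
        return VerificationError.HOST_MISMATCH
    return VerificationError.NONE


# Constructed sample: a valid wildcard cert for *.badssl.com presented
# for wrong.host.badssl.com, i.e. the situation described in the report.
WRONG_HOST = PeerResult(True, ["*.badssl.com", "badssl.com"], "wrong.host.badssl.com")

if __name__ == "__main__":
    print("stage 1 only:", verification_error(WRONG_HOST, use_stage2=False).name)
    print("both stages: ", verification_error(WRONG_HOST).name)
```

Running it shows the stage-1-only path reporting NONE while the combined check reports HOST_MISMATCH for the same certificate.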
