[Webkit-unassigned] [Bug 208806] New: [Curl] WKCertificateInfoGetVerificationError function doesn't return an error code when the browser accesses https://wrong.host.badssl.com
bugzilla-daemon at webkit.org
Mon Mar 9 06:40:19 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=208806
Bug ID: 208806
Summary: [Curl] WKCertificateInfoGetVerificationError function
doesn't return an error code when the browser accesses
https://wrong.host.badssl.com
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
Assignee: webkit-unassigned at lists.webkit.org
Reporter: Takashi.Komori at sony.com
wrong.host.badssl.com is a test site which provides a wrong cert.
When the curl port accesses the site, the browser warns that the cert is wrong, but when the browser calls WKCertificateInfoGetVerificationError, it doesn't return an error code.
This is because the process of TLS verification has the two stages below, and the curl port checks only the result of the first stage.
stage 1) OpenSSL checks the validity of the certificate itself and the certificate chain.
stage 2) curl checks the content of the cert against the common name.
wrong.host.badssl.com provides a wildcard cert for *.badssl.com and the invalidity is checked in stage 2.
Now the curl port doesn't use the result of stage 2, so the WKCertificateInfoGetVerificationError function doesn't return an error code.
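The two stages described in the report, as an added example (not WebKit, curl or OpenSSL code, and not the reporter's): it shows why a reported error built from stage 1 alone stays clean for this host. Assumptions: the stage 1 outcome is passed in as a flag, stage 2 is a simplified match where a leading "*." covers exactly one label, and the enum and function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example; not WebKit, curl or OpenSSL values. */
enum verify_result { VERIFY_OK = 0, VERIFY_CHAIN_ERROR = 1, VERIFY_HOST_MISMATCH = 2 };

/* Case-insensitive equality of two NUL-terminated names. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Stage 2: compare the name in the certificate with the requested host.
 * A leading "*." stands for exactly one non-empty left-most label. */
static int host_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return eq_nocase(pattern, host);
    const char *dot = strchr(host, '.');
    if (!dot || dot == host)
        return 0;
    return eq_nocase(pattern + 1, dot); /* ".badssl.com" vs. the rest of host */
}

/* Behaviour described in the report: only stage 1 feeds the reported error. */
static enum verify_result report_stage1_only(int chain_ok)
{
    return chain_ok ? VERIFY_OK : VERIFY_CHAIN_ERROR;
}

/* Both stages feed the reported error. */
static enum verify_result report_both_stages(int chain_ok, const char *pattern, const char *host)
{
    if (!chain_ok)
        return VERIFY_CHAIN_ERROR;
    return host_matches(pattern, host) ? VERIFY_OK : VERIFY_HOST_MISMATCH;
}

int main(void)
{
    const char *name = "*.badssl.com", *host = "wrong.host.badssl.com"; /* from the report */
    printf("stage 1 only: %d\n", (int)report_stage1_only(1));
    printf("both stages:  %d\n", (int)report_both_stages(1, name, host));
    return 0;
}
```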