[openssl-users] Problems with cert authentication under Turkish locale

Jakob Bohm jb-openssl at wisemo.com
Tue Nov 1 17:15:01 UTC 2016 

On 01/11/2016 17:42, Viktor Dukhovni wrote:
> On Tue, Nov 01, 2016 at 04:28:18PM +0100, Sebastian Kloska wrote:
>
> [ Redirecting to openssl-users. ]
(I cannot see the original posts, as I am only subscribed
to -users).
>> We have problems authenticating a a CERT while LC_CTYPE is set to
>> tr_TR.UTF-8
>>
>> The issue is triggered in libcurl but it seems to come out of libssl. It
>> seems to be
Note that the Turkish UNICODE locales have the unusual property
that the uppercase/lowercase routines do not match ASCII "I" to
ASCII "i", to cater to the distinguishing between "dotted" and
"dotless" letter I in Turkish natural language.  It is the only
known locales to case map an ASCII character differently than the
basic ASCII algorithm presumed by the standard for Internet host
names.

So something, in either OpenSSL or curl (or a combination) may
(on the OPs system) be using a locale-sensitive function to
compare e.g. "hotmail.com" and "HOTMAIL.COM", where some kind
of locale-neutral function should be used to avoid the special
handling that the Unicode standard specifies for the letter "I"
in Turkish.

> I see nothing in the OpenSSL X.509 stack that would be sensitive
> to this locale.  In particular, with OpenSSL >= 1.0.2 doing the
> hostname check, both:
>
>      LANG=tr_TR.UTF-8 /Volumes/gitvol/viktor/ssl/OpenSSL_1_0_2/bin/openssl s_client -connect www.hotmail.com:443 -CAfile /tmp/bundle.pem -verify_hostname www.hotmail.com
>
> and
>
>      LC_CTYPE=tr_TR.UTF-8 /Volumes/gitvol/viktor/ssl/OpenSSL_1_0_2/bin/openssl s_client -connect www.hotmail.com:443 -CAfile /tmp/bundle.pem -verify_hostname www.hotmail.com
>
> return success.  OpenSSL 1.0.1 and earlier do not do hostname
> checks, that's left to the application.  With 1.0.1 the chain alone
> verifies just fine:
>
>      $ LC_CTYPE=tr_TR.UTF-8 /.../OpenSSL_1_0_1/bin/openssl s_client -connect www.hotmail.com:443 -CAfile /tmp/bundle.pem
>      CONNECTED(00000003)
>      depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
>      verify return:1
>      depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 EV SSL CA - G3
>      verify return:1
>      depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Washington, businessCategory = Private Organization, serialNumber = 600413485, C = US, postalCode = 98052, ST = Washington, L = Redmond, street = 1 Microsoft Way, O = Microsoft Corporation, OU = Outlook Kahuna BAY-A Jun2015, CN = mail.live.com
>      verify return:1
>      ---
>      Certificate chain
>       0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna BAY-A Jun2015/CN=mail.live.com
>         i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
>       1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
>         i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>      ---
>      Server certificate
>      -----BEGIN CERTIFICATE-----
>      ...
>      -----END CERTIFICATE-----
>      subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna BAY-A Jun2015/CN=mail.live.com
>      issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
>      ---
>      No client certificate CA names sent
>      ---
>      SSL handshake has read 5342 bytes and written 511 bytes
>      ---
>      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
>      Server public key is 2048 bit
>      Secure Renegotiation IS supported
>      Compression: NONE
>      Expansion: NONE
>      SSL-Session:
> 	Protocol  : TLSv1.2
> 	Cipher    : ECDHE-RSA-AES256-SHA384
> 	Session-ID: ...
> 	Session-ID-ctx:
> 	Master-Key: ...
> 	Key-Arg   : None
> 	PSK identity: None
> 	PSK identity hint: None
> 	SRP username: None
> 	Start Time: 1478018209
> 	Timeout   : 300 (sec)
> 	Verify return code: 0 (ok)
>
> So it seems that any problem lies with libcurl.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list