Bug#874648: libwww-perl: LWP makes case-sensitive SSL-checkings on Wildcard Certificates
Cord Beermann
cord at debian.org
Fri Sep 8 12:46:36 UTC 2017
Package: libwww-perl
Version: 6.15-2
Severity: important
Tags: upstream
Hello,

I came across a problem with fetching things from a web server which is
protected with a wildcard certificate.

Example:

  $ GET -Sd https://WWW.WEBMILES.de/
  GET https://WWW.WEBMILES.de/
  301 Moved Permanently

  $ GET -Sd https://WWW.WEBMILES.DE/
  GET https://WWW.WEBMILES.DE/
  500 Can't connect to WWW.WEBMILES.DE:443

If the hostname is written out in all caps, the matching against a
wildcard certificate isn't working. If one character is lowercase, it
works.

As DNS names are case-insensitive, this should be a bug.

curl reports this:

  * subject: OU=Domain Control Validated; CN=*.webmiles.de
  * subjectAltName: host "WWW.WEBMILES.DE" matched cert's "*.webmiles.de"

The problem only seems to pop up when the web server has a
wildcard certificate.

Cord

-- System Information:
Debian Release: buster/sid
APT prefers proposed-updates
APT policy: (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.12.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE= (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libwww-perl depends on:
ii ca-certificates 20170717
ii libencode-locale-perl 1.05-1
ii libfile-listing-perl 6.04-1
ii libhtml-parser-perl 3.72-3+b2
ii libhtml-tagset-perl 3.20-3
ii libhtml-tree-perl 5.03-2
ii libhttp-cookies-perl 6.01-1
ii libhttp-date-perl 6.02-1
ii libhttp-message-perl 6.11-1
ii libhttp-negotiate-perl 6.00-2
ii liblwp-mediatypes-perl 6.02-1
ii liblwp-protocol-https-perl 6.07-2
ii libnet-http-perl 6.16-1
ii liburi-perl 1.72-1
ii libwww-robotrules-perl 6.01-1
ii netbase 5.4
ii perl 5.26.0-7
Versions of packages libwww-perl recommends:
ii libhtml-form-perl 6.03-1
pn libhtml-format-perl <none>
ii libhttp-daemon-perl 6.01-1
ii libmailtools-perl 2.18-1
Versions of packages libwww-perl suggests:
pn libauthen-ntlm-perl <none>
-- no debconf information
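
Added example, not part of the original report and not LWP's own code: a Python sketch of the case-insensitive wildcard match that the curl output in the report reflects, usable as a regression check for a hostname verifier. The function names and the SAN_DNS_NAMES list are assumptions for illustration; the host and certificate names are the ones quoted in the report.

```python
"""Case-insensitive matching of a hostname against certificate dNSName entries."""


def _labels(name):
    """Split an ASCII DNS name into lowercased labels, ignoring one trailing dot."""
    if not name.isascii():
        raise ValueError("expected an ASCII name (A-labels for IDNs)")
    if name.endswith("."):
        name = name[:-1]
    # DNS names compare case-insensitively, so fold case before comparing.
    return name.lower().split(".")


def dns_name_matches(host, pattern):
    """Return True if host matches one dNSName pattern from a certificate."""
    host_labels = _labels(host)
    pat_labels = _labels(pattern)
    # Reject empty labels and any difference in label count: a wildcard
    # stands for exactly one label, never for several and never for none.
    if "" in host_labels or len(host_labels) != len(pat_labels):
        return False
    if pat_labels[0] == "*":
        # Only a whole left-most "*" label is treated as a wildcard, and only
        # when at least two literal labels follow it ("*.de" never matches).
        if len(pat_labels) < 3:
            return False
        return host_labels[1:] == pat_labels[1:]
    # No wildcard (or a partial one such as "w*"): compare literally.
    return host_labels == pat_labels


def cert_matches_host(host, dns_names):
    """Return True if any dNSName entry of the certificate covers host."""
    return any(dns_name_matches(host, pattern) for pattern in dns_names)


# Assumption: this list stands in for the certificate's dNSName entries;
# the single value is the one shown in the curl output of the report.
SAN_DNS_NAMES = ["*.webmiles.de"]

if __name__ == "__main__":
    for host in ("www.webmiles.de", "WWW.WEBMILES.de", "WWW.WEBMILES.DE",
                 "webmiles.de", "a.b.webmiles.de"):
        print(host, cert_matches_host(host, SAN_DNS_NAMES))
```
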