
cURL fails due to SSL certificate mismatch

Open xzyfer opened this issue 9 years ago • 0 comments

This appears to have broken since Nov 12, 2015.

This breaks all node version manager tools on CentOS. This can be worked around by using the -k flag, but currently no version managers allow user-supplied cURL flags. Using curlrc works for some version managers, but specifically nvm opts out with the -k flag.

Using CentOS 5 and the latest available version of cURL.

$ curl --version
curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Fails to validate the SSL cert for iojs.org

$ curl -v https://iojs.org
 ---> Running in f34d840e3785
* About to connect() to iojs.org port 443
*   Trying 104.131.173.199... connected
* Connected to iojs.org (104.131.173.199) port 443
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.nodejs.org
*    start date: 2015-11-08 00:00:00 GMT
*    expire date: 2017-08-22 23:59:59 GMT
* SSL: certificate subject name '*.nodejs.org' does not match target host name 'iojs.org'
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

curl: (51) SSL: certificate subject name '*.nodejs.org' does not match target host name 'iojs.org'

The problem doesn't appear to exist on OS X El Capitan which uses a newer version of cURL.

$ curl --version
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets
$ curl -v https://iojs.org
* Rebuilt URL to: https://iojs.org/
*   Trying 104.131.173.199...
*   Trying 2604:a880:800:10::126:a001...
* Immediate connect fail for 2604:a880:800:10::126:a001: No route to host
* Connected to iojs.org (104.131.173.199) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.iojs.org
* Server certificate: COMODO RSA Domain Validation Secure Server CA
* Server certificate: COMODO RSA Certification Authority
* Server certificate: AddTrust External CA Root
> GET / HTTP/1.1
> Host: iojs.org
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Server: nginx
< Date: Mon, 25 Jan 2016 00:40:07 GMT
< Content-Type: text/html
< Content-Length: 154
< Location: https://iojs.org/en/
< Connection: keep-alive
< Strict-Transport-Security: max-age=63072000
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
<
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host iojs.org left intact

xzyfer, Jan 25 '16 00:01
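Added example, not part of the original issue or of any project's code: a small shell version of the host name check that produced error 51 above, and that -k switches off together with the rest of certificate verification. It uses the usual matching rule (a wildcard stands for exactly one left-most label); the function names and the two-entry name list in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Illustrative host name check; names are taken from the curl -v transcripts above.

# lower NAME: ASCII-lowercase a DNS name (comparison is case-insensitive).
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# cert_name_matches PATTERN HOST: 0 if PATTERN (exact name or "*.suffix")
# covers HOST, 1 otherwise.
cert_name_matches() {
    pattern=$(lower "$1"); host=$(lower "$2")
    case $pattern in
        '*.'*)
            suffix=${pattern#'*.'}
            # refuse wildcards directly under a single label such as "*.org"
            case $suffix in *.*) ;; *) return 1 ;; esac
            case $host in
                *."$suffix") first=${host%."$suffix"} ;;
                *) return 1 ;;
            esac
            # the wildcard must stand for one non-empty label, no dots
            case $first in ''|*.*) return 1 ;; esac
            return 0 ;;
        *) [ "$pattern" = "$host" ] ;;
    esac
}

# host_covered HOST NAME...: 0 if any name presented by the certificate covers HOST.
host_covered() {
    h=$1; shift
    for n in "$@"; do
        cert_name_matches "$n" "$h" && return 0
    done
    return 1
}

show() {
    if host_covered "$@"; then r='match'; else r='no match'; fi
    h=$1; shift
    printf '%-13s against [%s]: %s\n' "$h" "$*" "$r"
}

show iojs.org '*.nodejs.org'            # name seen by curl 7.15.5
show iojs.org '*.iojs.org'              # wildcard alone does not cover the apex
show iojs.org '*.iojs.org' 'iojs.org'   # constructed list with the apex added
show www.iojs.org '*.iojs.org'
```

The second line of output is the useful one: a wildcard never covers the bare domain, so a certificate that validates for iojs.org has to list that name as its own entry.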