gistfile1.txt

10.9
====

➜  ~  curl --version
curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz 

➜  ~  ls -la /usr/local/opt/curl-ca-bundle/share/ca-bundle.crt
-rw-r--r--  1 rmoriz  wheel  251339 19 Jan  2013 /usr/local/opt/curl-ca-bundle/share/ca-bundle.crt

➜  ~  curl -s https://213.133.107.227/ --cacert /usr/local/opt/curl-ca-bundle/share/ca-bundle.crt  --head      
HTTP/1.1 200 OK
Date: Thu, 28 Nov 2013 17:53:09 GMT
Server: Apache
X-Powered-By: PHP/5.3.27
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: exp_last_visit=1070301189; expires=Fri, 28-Nov-2014 17:53:09 GMT; path=/
Set-Cookie: exp_last_activity=1385661189; expires=Fri, 28-Nov-2014 17:53:09 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D; path=/
Last-Modified: Thu, 28 Nov 2013 17:53:09 GMT
Content-Type: text/html; charset=UTF-8

➜  ~  curl -s https://213.133.107.227/ --head
HTTP/1.1 200 OK
Date: Thu, 28 Nov 2013 17:58:40 GMT
Server: Apache
X-Powered-By: PHP/5.3.27
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: exp_last_visit=1070301520; expires=Fri, 28-Nov-2014 17:58:40 GMT; path=/
Set-Cookie: exp_last_activity=1385661520; expires=Fri, 28-Nov-2014 17:58:40 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D; path=/
Last-Modified: Thu, 28 Nov 2013 17:58:40 GMT
Content-Type: text/html; charset=UTF-8


Ubuntu 12.04 LTS
================
# curl --version
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp 
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 

# curl https://213.133.107.227/
curl: (51) SSL: certificate subject name '*.hetzner.de' does not match target host name '213.133.107.227'


Ubuntu 13.10
================
# curl --version
curl 7.33.0 (x86_64-pc-linux-gnu) libcurl/7.33.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 

# curl https://213.133.107.227/
curl: (51) SSL: certificate subject name '*.hetzner.de' does not match target host name '213.133.107.227'

gistfile2.txt

OSX 10.9
========

# SETUP

➜  ~  curl -V 
curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz 

➜  ~  host moriz.de                       
moriz.de has address 5.9.220.66
moriz.de has IPv6 address 2a01:4f8:160:5ffb:66::1
moriz.de mail is handled by 10 mail.moriz.net.



# AS EXPECTED…

➜  ~  curl --head https://moriz.de/ -vvvvv
* Adding handle: conn: 0x7f967280c000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f967280c000) send_pipe: 1, recv_pipe: 0
* About to connect() to moriz.de port 443 (#0)
*   Trying 5.9.220.66...
* Connected to moriz.de (5.9.220.66) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* Server certificate: www.moriz.de (s04Lh1lTfzthqsjt)
* Server certificate: StartCom Class 1 Primary Intermediate Server CA
* Server certificate: StartCom Certification Authority
> HEAD / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: moriz.de
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
* Server nginx/1.4.4 is not blacklisted
< Server: nginx/1.4.4
Server: nginx/1.4.4
< Date: Thu, 28 Nov 2013 18:14:28 GMT
Date: Thu, 28 Nov 2013 18:14:28 GMT
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 4386
Content-Length: 4386
< Connection: keep-alive
Connection: keep-alive
< Status: 200 OK
Status: 200 OK
< Cache-Control: max-age=43200, public
Cache-Control: max-age=43200, public
< X-UA-Compatible: IE=Edge,chrome=1
X-UA-Compatible: IE=Edge,chrome=1
< ETag: "e178715e47e8b2465f97ef17ccf49135"
ETag: "e178715e47e8b2465f97ef17ccf49135"
< X-Request-Id: d7978b32435d2c90cf87089d821b5178
X-Request-Id: d7978b32435d2c90cf87089d821b5178
< X-Runtime: 0.040031
X-Runtime: 0.040031
< X-Content-Digest: f67f461a51263e4d40f19d6058b12c6444d51a49
X-Content-Digest: f67f461a51263e4d40f19d6058b12c6444d51a49
< Age: 23288
Age: 23288
< X-Rack-Cache: fresh
X-Rack-Cache: fresh

< 
* Connection #0 to host moriz.de left intact





# NOT AS EXPECTED… CERT is not valid for IP 5.9.220.66…
#

➜  ~  curl --head https://5.9.220.66/ -vvvvv
* About to connect() to 5.9.220.66 port 443 (#0)
*   Trying 5.9.220.66...
* Adding handle: conn: 0x7fadc900aa00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fadc900aa00) send_pipe: 1, recv_pipe: 0
* Connected to 5.9.220.66 (5.9.220.66) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* Server certificate: www.moriz.de (s04Lh1lTfzthqsjt)
* Server certificate: StartCom Class 1 Primary Intermediate Server CA
* Server certificate: StartCom Certification Authority
> HEAD / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: 5.9.220.66
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
* Server nginx/1.4.4 is not blacklisted
< Server: nginx/1.4.4
Server: nginx/1.4.4
< Date: Thu, 28 Nov 2013 18:14:38 GMT
Date: Thu, 28 Nov 2013 18:14:38 GMT
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Connection: keep-alive
Connection: keep-alive
< Status: 200 OK
Status: 200 OK
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-UA-Compatible: chrome=1
X-UA-Compatible: chrome=1
< X-XHR-Current-Location: /
X-XHR-Current-Location: /
< ETag: "f6a7b19f401af748c990f34d26508d69"
ETag: "f6a7b19f401af748c990f34d26508d69"
< Cache-Control: max-age=0, private, must-revalidate
Cache-Control: max-age=0, private, must-revalidate
< Set-Cookie: request_method=GET; path=/
Set-Cookie: request_method=GET; path=/
< Set-Cookie: _domio_session=WThtRSs5TEVwUVZoc3UxR0htYmRTbEg3c1MyK1NyUzFXa0N1L1ZPc3ZtRGFIS0tiUXhLVm55S2dGcksxRWd3VmJiSUVhUitEYVVvZjFHU2lMMFVzWGh5VjAwQml4bnBGNDRUdUVPYmpTM2sxbE8rRUlqR0RsQVFIZ0lTcG5mbmFENzU2RVh1RW90amZBNzFvcmVZTGJMSUJNTEdidG5neUhFeVdsNlYyR2ZxRlRXUVZZNWFwUDlTejNBUnc5ak52LS1sTzNIVnFtcVg3TGxscllRQkkrb0tnPT0%3D--808a5f077abcca9bf5ac0bf0798529fc61c9613c; path=/; HttpOnly
Set-Cookie: _domio_session=WThtRSs5TEVwUVZoc3UxR0htYmRTbEg3c1MyK1NyUzFXa0N1L1ZPc3ZtRGFIS0tiUXhLVm55S2dGcksxRWd3VmJiSUVhUitEYVVvZjFHU2lMMFVzWGh5VjAwQml4bnBGNDRUdUVPYmpTM2sxbE8rRUlqR0RsQVFIZ0lTcG5mbmFENzU2RVh1RW90amZBNzFvcmVZTGJMSUJNTEdidG5neUhFeVdsNlYyR2ZxRlRXUVZZNWFwUDlTejNBUnc5ak52LS1sTzNIVnFtcVg3TGxscllRQkkrb0tnPT0%3D--808a5f077abcca9bf5ac0bf0798529fc61c9613c; path=/; HttpOnly
< X-Request-Id: dbc25387-2847-46eb-a597-0fa38410fbbe
X-Request-Id: dbc25387-2847-46eb-a597-0fa38410fbbe
< X-Runtime: 0.010834
X-Runtime: 0.010834
< X-Rack-Cache: miss
X-Rack-Cache: miss

< 
* Connection #0 to host 5.9.220.66 left intact

HTTP/1.1 200 OK
Date: Thu, 28 Nov 2013 18:01:35 GMT
Server: Apache
X-Powered-By: PHP/5.3.27
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: exp_last_visit=1070301695; expires=Fri, 28-Nov-2014 18:01:35 GMT; path=/
Set-Cookie: exp_last_activity=1385661695; expires=Fri, 28-Nov-2014 18:01:35 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D; path=/
Last-Modified: Thu, 28 Nov 2013 18:01:35 GMT
Content-Type: text/html; charset=UTF-8

Interestingly, this does not work for mismatched hostnames – https://213.133.107.227.xip.io/ fails even though https://213.133.107.227/ is accepted. I'm now somewhat curious as to what could have produced that particular failure mode but presumably it wasn't noticed because Safari does its own checks and the QA team obviously doesn't test either this case or the lower-level OpenSSL functions directly.

FYI: reported to Apple in November 2013

Background is even worse: https://news.ycombinator.com/item?id=7281170

I wish I could say sitting on it for a year was surprising but I've reported three MITM bugs to Apple and each of them took around a year to be fixed. Obviously nothing has changed since 2004.