/gist:fb2b0a6a0ce10550ab73 Secret
Last active
January 18, 2017 22:40
Star
You must be signed in to star a gist
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 10.9 | |
| ==== | |
| ➜ ~ curl --version | |
| curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5 | |
| Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp | |
| Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz | |
| ➜ ~ ls -la /usr/local/opt/curl-ca-bundle/share/ca-bundle.crt | |
| -rw-r--r-- 1 rmoriz wheel 251339 19 Jan 2013 /usr/local/opt/curl-ca-bundle/share/ca-bundle.crt | |
| ➜ ~ curl -s https://213.133.107.227/ --cacert /usr/local/opt/curl-ca-bundle/share/ca-bundle.crt --head | |
| HTTP/1.1 200 OK | |
| Date: Thu, 28 Nov 2013 17:53:09 GMT | |
| Server: Apache | |
| X-Powered-By: PHP/5.3.27 | |
| Expires: Mon, 26 Jul 1997 05:00:00 GMT | |
| Pragma: no-cache | |
| Set-Cookie: exp_last_visit=1070301189; expires=Fri, 28-Nov-2014 17:53:09 GMT; path=/ | |
| Set-Cookie: exp_last_activity=1385661189; expires=Fri, 28-Nov-2014 17:53:09 GMT; path=/ | |
| Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D; path=/ | |
| Last-Modified: Thu, 28 Nov 2013 17:53:09 GMT | |
| Content-Type: text/html; charset=UTF-8 | |
| ➜ ~ curl -s https://213.133.107.227/ --head | |
| HTTP/1.1 200 OK | |
| Date: Thu, 28 Nov 2013 17:58:40 GMT | |
| Server: Apache | |
| X-Powered-By: PHP/5.3.27 | |
| Expires: Mon, 26 Jul 1997 05:00:00 GMT | |
| Pragma: no-cache | |
| Set-Cookie: exp_last_visit=1070301520; expires=Fri, 28-Nov-2014 17:58:40 GMT; path=/ | |
| Set-Cookie: exp_last_activity=1385661520; expires=Fri, 28-Nov-2014 17:58:40 GMT; path=/ | |
| Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D; path=/ | |
| Last-Modified: Thu, 28 Nov 2013 17:58:40 GMT | |
| Content-Type: text/html; charset=UTF-8 | |
| Ubuntu 12.04 LTS | |
| ================ | |
| # curl --version | |
| curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 | |
| Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp | |
| Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP | |
| # curl https://213.133.107.227/ | |
| curl: (51) SSL: certificate subject name '*.hetzner.de' does not match target host name '213.133.107.227' | |
| Ubuntu 13.10 | |
| ================ | |
| # curl --version | |
| curl 7.33.0 (x86_64-pc-linux-gnu) libcurl/7.33.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.28 librtmp/2.3 | |
| Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp | |
| Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP | |
| # curl https://213.133.107.227/ | |
| curl: (51) SSL: certificate subject name '*.hetzner.de' does not match target host name '213.133.107.227' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| OSX 10.9 | |
| ======== | |
| # SETUP | |
| ➜ ~ curl -V | |
| curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5 | |
| Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp | |
| Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz | |
| ➜ ~ host moriz.de | |
| moriz.de has address 5.9.220.66 | |
| moriz.de has IPv6 address 2a01:4f8:160:5ffb:66::1 | |
| moriz.de mail is handled by 10 mail.moriz.net. | |
| # AS EXPECTED… | |
| ➜ ~ curl --head https://moriz.de/ -vvvvv | |
| * Adding handle: conn: 0x7f967280c000 | |
| * Adding handle: send: 0 | |
| * Adding handle: recv: 0 | |
| * Curl_addHandleToPipeline: length: 1 | |
| * - Conn 0 (0x7f967280c000) send_pipe: 1, recv_pipe: 0 | |
| * About to connect() to moriz.de port 443 (#0) | |
| * Trying 5.9.220.66... | |
| * Connected to moriz.de (5.9.220.66) port 443 (#0) | |
| * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | |
| * Server certificate: www.moriz.de (s04Lh1lTfzthqsjt) | |
| * Server certificate: StartCom Class 1 Primary Intermediate Server CA | |
| * Server certificate: StartCom Certification Authority | |
| > HEAD / HTTP/1.1 | |
| > User-Agent: curl/7.30.0 | |
| > Host: moriz.de | |
| > Accept: */* | |
| > | |
| < HTTP/1.1 200 OK | |
| HTTP/1.1 200 OK | |
| * Server nginx/1.4.4 is not blacklisted | |
| < Server: nginx/1.4.4 | |
| Server: nginx/1.4.4 | |
| < Date: Thu, 28 Nov 2013 18:14:28 GMT | |
| Date: Thu, 28 Nov 2013 18:14:28 GMT | |
| < Content-Type: text/html; charset=utf-8 | |
| Content-Type: text/html; charset=utf-8 | |
| < Content-Length: 4386 | |
| Content-Length: 4386 | |
| < Connection: keep-alive | |
| Connection: keep-alive | |
| < Status: 200 OK | |
| Status: 200 OK | |
| < Cache-Control: max-age=43200, public | |
| Cache-Control: max-age=43200, public | |
| < X-UA-Compatible: IE=Edge,chrome=1 | |
| X-UA-Compatible: IE=Edge,chrome=1 | |
| < ETag: "e178715e47e8b2465f97ef17ccf49135" | |
| ETag: "e178715e47e8b2465f97ef17ccf49135" | |
| < X-Request-Id: d7978b32435d2c90cf87089d821b5178 | |
| X-Request-Id: d7978b32435d2c90cf87089d821b5178 | |
| < X-Runtime: 0.040031 | |
| X-Runtime: 0.040031 | |
| < X-Content-Digest: f67f461a51263e4d40f19d6058b12c6444d51a49 | |
| X-Content-Digest: f67f461a51263e4d40f19d6058b12c6444d51a49 | |
| < Age: 23288 | |
| Age: 23288 | |
| < X-Rack-Cache: fresh | |
| X-Rack-Cache: fresh | |
| < | |
| * Connection #0 to host moriz.de left intact | |
| # NOT AS EXPECTED… CERT is not valid for IP 5.9.220.66… | |
| # | |
| ➜ ~ curl --head https://5.9.220.66/ -vvvvv | |
| * About to connect() to 5.9.220.66 port 443 (#0) | |
| * Trying 5.9.220.66... | |
| * Adding handle: conn: 0x7fadc900aa00 | |
| * Adding handle: send: 0 | |
| * Adding handle: recv: 0 | |
| * Curl_addHandleToPipeline: length: 1 | |
| * - Conn 0 (0x7fadc900aa00) send_pipe: 1, recv_pipe: 0 | |
| * Connected to 5.9.220.66 (5.9.220.66) port 443 (#0) | |
| * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | |
| * Server certificate: www.moriz.de (s04Lh1lTfzthqsjt) | |
| * Server certificate: StartCom Class 1 Primary Intermediate Server CA | |
| * Server certificate: StartCom Certification Authority | |
| > HEAD / HTTP/1.1 | |
| > User-Agent: curl/7.30.0 | |
| > Host: 5.9.220.66 | |
| > Accept: */* | |
| > | |
| < HTTP/1.1 200 OK | |
| HTTP/1.1 200 OK | |
| * Server nginx/1.4.4 is not blacklisted | |
| < Server: nginx/1.4.4 | |
| Server: nginx/1.4.4 | |
| < Date: Thu, 28 Nov 2013 18:14:38 GMT | |
| Date: Thu, 28 Nov 2013 18:14:38 GMT | |
| < Content-Type: text/html; charset=utf-8 | |
| Content-Type: text/html; charset=utf-8 | |
| < Connection: keep-alive | |
| Connection: keep-alive | |
| < Status: 200 OK | |
| Status: 200 OK | |
| < X-Frame-Options: SAMEORIGIN | |
| X-Frame-Options: SAMEORIGIN | |
| < X-XSS-Protection: 1; mode=block | |
| X-XSS-Protection: 1; mode=block | |
| < X-Content-Type-Options: nosniff | |
| X-Content-Type-Options: nosniff | |
| < X-UA-Compatible: chrome=1 | |
| X-UA-Compatible: chrome=1 | |
| < X-XHR-Current-Location: / | |
| X-XHR-Current-Location: / | |
| < ETag: "f6a7b19f401af748c990f34d26508d69" | |
| ETag: "f6a7b19f401af748c990f34d26508d69" | |
| < Cache-Control: max-age=0, private, must-revalidate | |
| Cache-Control: max-age=0, private, must-revalidate | |
| < Set-Cookie: request_method=GET; path=/ | |
| Set-Cookie: request_method=GET; path=/ | |
| < Set-Cookie: _domio_session=WThtRSs5TEVwUVZoc3UxR0htYmRTbEg3c1MyK1NyUzFXa0N1L1ZPc3ZtRGFIS0tiUXhLVm55S2dGcksxRWd3VmJiSUVhUitEYVVvZjFHU2lMMFVzWGh5VjAwQml4bnBGNDRUdUVPYmpTM2sxbE8rRUlqR0RsQVFIZ0lTcG5mbmFENzU2RVh1RW90amZBNzFvcmVZTGJMSUJNTEdidG5neUhFeVdsNlYyR2ZxRlRXUVZZNWFwUDlTejNBUnc5ak52LS1sTzNIVnFtcVg3TGxscllRQkkrb0tnPT0%3D--808a5f077abcca9bf5ac0bf0798529fc61c9613c; path=/; HttpOnly | |
| Set-Cookie: _domio_session=WThtRSs5TEVwUVZoc3UxR0htYmRTbEg3c1MyK1NyUzFXa0N1L1ZPc3ZtRGFIS0tiUXhLVm55S2dGcksxRWd3VmJiSUVhUitEYVVvZjFHU2lMMFVzWGh5VjAwQml4bnBGNDRUdUVPYmpTM2sxbE8rRUlqR0RsQVFIZ0lTcG5mbmFENzU2RVh1RW90amZBNzFvcmVZTGJMSUJNTEdidG5neUhFeVdsNlYyR2ZxRlRXUVZZNWFwUDlTejNBUnc5ak52LS1sTzNIVnFtcVg3TGxscllRQkkrb0tnPT0%3D--808a5f077abcca9bf5ac0bf0798529fc61c9613c; path=/; HttpOnly | |
| < X-Request-Id: dbc25387-2847-46eb-a597-0fa38410fbbe | |
| X-Request-Id: dbc25387-2847-46eb-a597-0fa38410fbbe | |
| < X-Runtime: 0.010834 | |
| X-Runtime: 0.010834 | |
| < X-Rack-Cache: miss | |
| X-Rack-Cache: miss | |
| < | |
| * Connection #0 to host 5.9.220.66 left intact |
Interestingly, this does not work for mismatched hostnames – https://213.133.107.227.xip.io/ fails even though https://213.133.107.227/ is accepted. I'm now somewhat curious as to what could have produced that particular failure mode but presumably it wasn't noticed because Safari does its own checks and the QA team obviously doesn't test either this case or the lower-level OpenSSL functions directly.
FYI: reported to Apple in November 2013
Background is even worse: https://news.ycombinator.com/item?id=7281170
I wish I could say sitting on it for a year was surprising but I've reported three MITM bugs to Apple and each of them took around a year to be fixed. Obviously nothing has changed since 2004.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
HTTP/1.1 200 OK
Date: Thu, 28 Nov 2013 18:01:35 GMT
Server: Apache
X-Powered-By: PHP/5.3.27
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: exp_last_visit=1070301695; expires=Fri, 28-Nov-2014 18:01:35 GMT; path=/
Set-Cookie: exp_last_activity=1385661695; expires=Fri, 28-Nov-2014 18:01:35 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D; path=/
Last-Modified: Thu, 28 Nov 2013 18:01:35 GMT
Content-Type: text/html; charset=UTF-8