curl-users

[ curl-Bugs-676295 ] Host name is not checked against certificate

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Tue, 28 Jan 2003 11:39:40 -0800

Bugs item #676295, was opened at 2003-01-28 11:39
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=676295&group_id=976

Category: client module
Group: wrong behaviour
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Daniel Stenberg (bagder)
Summary: Host name is not checked against certificate

Initial Comment:
curl 7.10.3 (i586-mandrake-linux-gnu) libcurl/7.10.3
OpenSSL/0.9.7 zlib/1.1.4

Using the cURL command line there is no way to check
the host name fully unless you pass the --capath or
--cacert commandline options

Code in main.c is....

      if(config->cacert || config->capath) {
        if (config->cacert)
          curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);

        if (config->capath)
          curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, TRUE);
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
      }
      else {
        if(config->insecure_ok)
          /* new stuff needed for libcurl 7.10 */
          curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);

        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
      }

Shouldn't this be something like...

      if(config->cacert || config->capath) {
        if (config->cacert)
          curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);

        if (config->capath)
          curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, TRUE);
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
      }
      else {
        if(config->insecure_ok) {
          /* new stuff needed for libcurl 7.10 */
          curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
          curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
        }
        else {
          curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
        }
      }

or am I missing something?

Hamish Mackenzie
hamish_at_firestream.co.uk

Received on 2003-01-28
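
The two branchings quoted in the report, modelled side by side so the affected option combination can be enumerated; this is an added example, not code from curl or from the reporter. The `cfg` and `tls_opts` structs, the function names and the sample CA paths are constructed for illustration, and the model only records which values would be passed to `curl_easy_setopt`, it does not call libcurl.

```c
#include <stdio.h>

/* Constructed stand-in for the three config fields the snippets read. */
struct cfg { const char *cacert; const char *capath; int insecure_ok; };
/* Values the tool would request; -1 = never set, library default applies. */
struct tls_opts { int verifypeer; int verifyhost; };

/* Branching as quoted from main.c in the report. */
static struct tls_opts reported(struct cfg c) {
  struct tls_opts o = { -1, -1 };
  if (c.cacert || c.capath) {
    o.verifypeer = 1;
    o.verifyhost = 2;
  } else {
    if (c.insecure_ok)
      o.verifypeer = 0;
    o.verifyhost = 1;  /* reached whether or not insecure_ok is set */
  }
  return o;
}

/* Branching as proposed in the report. */
static struct tls_opts proposed(struct cfg c) {
  struct tls_opts o = { -1, -1 };
  if (c.cacert || c.capath) {
    o.verifypeer = 1;
    o.verifyhost = 2;
  } else if (c.insecure_ok) {
    o.verifypeer = 0;
    o.verifyhost = 1;
  } else {
    o.verifyhost = 2;
  }
  return o;
}

/* Count option combinations where the host check is below 2 although the
   user did not opt out via insecure_ok. */
static int weak_cases(struct tls_opts (*f)(struct cfg)) {
  int weak = 0;
  for (int m = 0; m < 8; m++) {
    struct cfg c = { (m & 1) ? "ca.pem" : NULL, (m & 2) ? "/certs" : NULL, (m & 4) != 0 };
    if (!c.insecure_ok && f(c).verifyhost < 2) weak++;
  }
  return weak;
}

int main(void) {
  printf("reported=%d proposed=%d\n", weak_cases(reported), weak_cases(proposed));
  return 0;
}
```

The single weak case under the reported logic is the plain invocation with neither a CA file nor a CA path and without the insecure flag, which is the situation the report describes.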