curl-users
Feature request: alternate server name/address
Date: Wed, 22 Apr 2015 10:29:53 +0200
Today many hosters, especially when using shared servers, do not allow uploading certificates to the user's site. This leads to certificate errors if one uses curl to upload the site using SSL, as the certificate does not match the actual site server name found in the URL.
curl: (51) SSL: no alternative certificate subject name matches target host name ‘xxxx’
I hope I did not miss something, but as far as I know, currently the only way to get around this is to use the --insecure option. I would like to make a proposal for an alternate method which would increase the security of such connections:
Assume that a user with “mydomain.net” is hosting his site at “hoster.com” on a shared server. Most likely when the user tries to upload to “somesite.mydomain.com” he will get the above error because the hoster uses a certificate for “*.hoster.com” which does not match mydomain.net.
Since the hoster.com certificate still is signed by a trusted CA it would be better to validate that certificate instead of ignoring the certificate completely. My suggestion would be to have an option like:
curl … --alternate-server-name mydomain.hoster.com https://somesite.mydomain.net/ # --alternate-server-name is an example, there might be better alternative names for the option
This would check the proposed certificate against somesite.mydomain.net as well as against mydomain.hoster.com. The latter would match the certificate example above and be accepted. Any non-matching certificate will again lead to the error. In this example “mydomain.hoster.com” could of course be anything matching “*.hoster.com” like www.hoster.com. The same should work with an IP address provided the certificate presents one.
Received on 2015-04-22
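
The name check proposed in the message above, sketched as an added example (not part of the original post and not curl code). It assumes the certificate chain has already been validated against a trusted CA and only decides whether the certificate's subjectAltName entries cover the URL host or the single alternate name the user pinned; the function names and the sample SAN list are constructed for illustration.

```python
import ipaddress

# Constructed sample: subjectAltName entries in the shape Python's
# ssl.SSLSocket.getpeercert() returns them, for a hoster-wide certificate.
HOSTER_SAN = [("DNS", "*.hoster.com"), ("DNS", "hoster.com"),
              ("IP Address", "192.0.2.10")]


def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """Exact match, or '*' as the entire left-most label (one label only)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require two fixed labels after the wildcard, so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_matches(san, name):
    """True if any SAN entry of the right type covers `name`."""
    if is_ip(name):
        want = ipaddress.ip_address(name)
        return any(kind == "IP Address" and ipaddress.ip_address(value) == want
                   for kind, value in san)
    return any(kind == "DNS" and dns_name_matches(value, name)
               for kind, value in san)


def accepted_name(san, url_host, alternate=None):
    """Return the name the certificate matched, or None (curl's error 51)."""
    for candidate in (url_host, alternate):
        if candidate and cert_matches(san, candidate):
            return candidate
    return None


if __name__ == "__main__":
    print(accepted_name(HOSTER_SAN, "somesite.mydomain.net"))
    print(accepted_name(HOSTER_SAN, "somesite.mydomain.net", "mydomain.hoster.com"))
```

Unlike --insecure, a certificate that covers neither name is still rejected, so the connection stays bound to the one alternate name the user chose.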