
Re: Finer control over certificate verification in SSL

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 2 Jun 2010 08:49:41 +0200 (CEST)

On Tue, 1 Jun 2010, Howard Chu wrote:

>> multiple backend servers may exist on the same machine, distinguished by
>> their port numbers. So, I set the CN in the server certificate to something
>> like "foo.bar.com:4060".
>
> No client in the world will handle that. The CN is supposed to contain the
> FQDN, nothing else. Why can't you use subjectAltName and put each backend
> server on a different virtual IP address?

I agree. subjectAltName is what was made for exactly that kind of use case,
and abusing CN or doing weird comparisons is not what libcurl will do on its
own.

However, you _can_ do your own verification, although that requires that you
use a libcurl built with OpenSSL and the CURLOPT_SSL_CTX_FUNCTION option. See
the curlx.c example:

         http://curl.haxx.se/libcurl/c/curlx.html

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2010-06-02