curl-library

Re: Finer control over certificate verification in SSL

From: Don Dwiggins <don_at_dondwiggins.net>
Date: Wed, 02 Jun 2010 06:07:29 -0700

Daniel Stenberg writes:
> I agree. subjectAltName is what was made for exactly that kind of use
> case, and abusing CN or doing weird comparisons is not what libcurl will
> do on its own.

Can you elaborate a bit on this? Should I then put the port number into
subjectAltName in the cert, leaving the domain name in CN? Or should I
put the whole thing (domainname:port) in subjectAltName and leave CN blank?

>
> However, you _can_ do your own verification, although that requires that
> you use a libcurl built with OpenSSL and the CURLOPT_SSL_CTX_FUNCTION
> option. See the curlx.c example:
>
> http://curl.haxx.se/libcurl/c/curlx.html
>

This would be helpful, except I'm stuck in PHP, which doesn't seem to
expose that option.

-- 
Don Dwiggins
Advanced Publishing Technology
Received on 2010-06-02
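
Added example, not part of this mail and not taken from curlx.c or libcurl's source: a minimal sketch of the RFC 2818 identity rule behind the subjectAltName-versus-CN point above, where dNSName entries take precedence over CN and the URL's port is never part of the comparison. The struct, the function names and the certificate data are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct cert_names {            /* already-parsed certificate fields (hypothetical) */
    const char *cn;            /* subject Common Name, may be NULL */
    const char *san_dns[4];    /* subjectAltName dNSName entries, NULL-padded */
};

static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == '\0' && *b == '\0';
}

/* "*" is honoured only as the whole leftmost label and covers exactly one label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && eq_nocase(pattern + 1, dot);
    }
    return eq_nocase(pattern, host);
}

/* Returns 1 if the certificate is valid for host. The port is deliberately
 * not a parameter: the reference identity is the host name alone. */
int cert_matches_host(const struct cert_names *c, const char *host)
{
    if (c->san_dns[0] != NULL) {            /* dNSName present: CN is ignored */
        for (size_t i = 0; i < 4 && c->san_dns[i] != NULL; i++)
            if (name_matches(c->san_dns[i], host))
                return 1;
        return 0;
    }
    return c->cn != NULL && name_matches(c->cn, host);   /* legacy CN fallback */
}

/* Constructed sample certificates; port_san has a port appended to its dNSName. */
static const struct cert_names with_san = { "old.example.com", { "www.example.com", "*.api.example.com", NULL } };
static const struct cert_names cn_only  = { "www.example.com", { NULL } };
static const struct cert_names port_san = { "www.example.com", { "www.example.com:8443", NULL } };

int main(void)
{
    printf("%d %d %d\n", cert_matches_host(&with_san, "www.example.com"),
           cert_matches_host(&cn_only, "www.example.com"),
           cert_matches_host(&port_san, "www.example.com"));
    return 0;
}
```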