curl-library

Re: Patch: OpenSSL Server Name Indication value should match custom Host header

From: Peter Sylvester <peter.sylvester_at_edelweb.fr>
Date: Fri, 05 Nov 2010 08:30:37 +0100

On 11/04/2010 02:37 PM, Hongli Lai wrote:
> On Thu, Nov 4, 2010 at 2:19 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
>> Yes, that's exactly what I meant. Sorry for expressing myself sloppily. Thanks
>> a lot for the update, I've now committed and pushed this fix!
> Great, thanks. :)
>
> My patch only deals with OpenSSL. I'll work on GnuTLS support next.
>
> There's also an issue with SSL host name verification. Right now it
> doesn't work either with custom Host headers. I tried to fix this in
> ssluse.c verifyhost() but for some reason it wouldn't work correctly:
> curl https://ip-address-of-github -H "Host: github.com"
> fails with the message that github.com doesn't match the
> "*.github.com" value in the certificate.

github.com does not match *.github.com

    Names may contain the wildcard
    character * which is considered to match any single domain name
    component or component fragment. E.g., *.a.com matches foo.a.com but
    not bar.foo.a.com. f*.com matches foo.com but not bar.com.

> It doesn't really matter to me because neither of my use cases really
> care about host name verification but I thought you might want to
> comment on this.
>

Received on 2010-11-05
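
The wildcard rule quoted in the reply above, as an added example in C (not code from the original message and not curl's `verifyhost()` in ssluse.c). The names `cert_name_matches`, `label_match` and `lc` are hypothetical, and letting `*` stand for an empty run when other characters share its label is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int lc(char c) { return tolower((unsigned char)c); }

/* Compare one label (text between dots). A '*' in the pattern label stands
   for a run of characters inside that label only; it never spans a dot.
   Assumption: next to other characters, '*' may stand for an empty run. */
static int label_match(const char *p, size_t plen, const char *h, size_t hlen)
{
  const char *star = memchr(p, '*', plen);
  size_t pre = star ? (size_t)(star - p) : plen;  /* literal chars before '*' */
  size_t suf = star ? plen - pre - 1 : 0;         /* literal chars after '*' */
  size_t i;

  if(star ? hlen < pre + suf : hlen != plen)
    return 0;
  for(i = 0; i < pre; i++)
    if(lc(p[i]) != lc(h[i]))
      return 0;
  for(i = 0; i < suf; i++)
    if(lc(star[1 + i]) != lc(h[hlen - suf + i]))
      return 0;
  return 1;
}

/* Return 1 if the certificate name `pattern` covers `host`, label by label. */
int cert_name_matches(const char *pattern, const char *host)
{
  for(;;) {
    size_t plen = strcspn(pattern, ".");
    size_t hlen = strcspn(host, ".");
    if(hlen == 0 || !label_match(pattern, plen, host, hlen))
      return 0;                 /* empty host label or label mismatch */
    pattern += plen;
    host += hlen;
    if(!*pattern || !*host)     /* one side ran out of labels */
      return !*pattern && !*host;
    pattern++;                  /* step over the dots */
    host++;
  }
}

int main(void)
{
  printf("%d %d\n", cert_name_matches("*.github.com", "github.com"),
         cert_name_matches("*.github.com", "www.github.com"));
  return 0;
}
```

Because the label counts must agree, a certificate that should cover both github.com and its subdomains has to carry github.com as a name of its own alongside *.github.com.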