curl-library

Re: Patch: OpenSSL Server Name Indication value should match custom Host header

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 5 Nov 2010 11:15:17 +0100 (CET)

On Fri, 5 Nov 2010, Hongli Lai wrote:

> I like the --resolve option. It does look like the cleanest way to solve
> this problem (including certificate matching) is to add a feature to Curl to
> override DNS resolution for a specified list of domains, kind of like an
> in-process /etc/hosts alternative.

I first thought we'd add a CURLOPT_HOSTNAME to feed in the name to use for SNI
and cert checks, but now I think a CURLOPT_RESOLVE list is much better.

That way, we can allow multiple connects and redirects etc to the names given
in the CURLOPT_RESOLVE list while everything still appears correct. And the
impact on the general libcurl code should be rather small since we only really
need to modify the resolving code and nothing in the SSL or HTTP layers.

Yes, I like this.

A question is if we should use CURLOPT_RESOLVE to add/remove one host name at
a time, or if we should provide a linked list of changes?

FYI: I'll be reverting the SNI/cert check changes for Host: that I pushed
yesterday as they were premature.

-- 
  / daniel.haxx.se
Received on 2010-11-05
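
The design discussed in this message, sketched as an added example (not libcurl code and not from the thread): an in-process override table changes only the address a connection goes to, while the name used for SNI and certificate checks stays the URL host. The `HOST:PORT:ADDRESS` entry format and all struct and function names are assumptions of this sketch.

```c
/* Added sketch, not libcurl source; names and entry format are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

struct resolve_entry { char host[256]; int port; char addr[64]; };

/* Where to connect versus which name the TLS layer uses. */
struct conn_plan {
    const char *connect_addr; /* NULL: fall back to normal DNS */
    const char *tls_name;     /* SNI and certificate check: always the URL host */
};

/* Parse "HOST:PORT:ADDRESS". Only the first two ':' separate fields, so an
   IPv6 ADDRESS survives. Returns 0 on success, -1 on malformed input. */
static int parse_resolve(const char *s, struct resolve_entry *e)
{
    const char *c1 = strchr(s, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    char *end;

    if (!c1 || !c2 || c1 == s || c2[1] == '\0') return -1;
    if (c1[1] < '0' || c1[1] > '9') return -1;          /* port must be digits */
    if ((size_t)(c1 - s) >= sizeof e->host) return -1;  /* host too long */
    if (strlen(c2 + 1) >= sizeof e->addr) return -1;    /* address too long */
    long port = strtol(c1 + 1, &end, 10);
    if (end != c2 || port < 1 || port > 65535) return -1;
    memcpy(e->host, s, (size_t)(c1 - s));
    e->host[c1 - s] = '\0';
    strcpy(e->addr, c2 + 1);
    e->port = (int)port;
    return 0;
}

/* Consult the override table before DNS. Only the destination changes;
   the TLS name is never taken from the table or from a Host: header. */
static struct conn_plan plan_connection(const struct resolve_entry *tbl, size_t n,
                                        const char *url_host, int port)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].port == port && strcasecmp(tbl[i].host, url_host) == 0)
            return (struct conn_plan){ tbl[i].addr, url_host };
    return (struct conn_plan){ NULL, url_host };
}

int main(void)
{
    struct resolve_entry e; /* constructed sample entry (documentation address) */
    if (parse_resolve("www.example.com:443:192.0.2.10", &e)) return 1;
    struct conn_plan p = plan_connection(&e, 1, "www.example.com", 443);
    printf("connect to %s, SNI/cert name %s\n", p.connect_addr, p.tls_name);
    return 0;
}
```

Because the TLS name always comes from the URL, redirects and repeated connects to a listed name are verified against the same hostname the user asked for.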