
curl-library

Re: "The Most Dangerous Code in the World"

From: Marc Hoersken <info_at_marc-hoersken.de>
Date: Sun, 4 Nov 2012 09:10:25 +0100

Hi,

2012/11/4 Oscar Koeroo <okoeroo_at_nikhef.nl>
> lib/curl_schannel.c
> VerifyHost is not used

I don't think this is correct. Please see line 163.

> It's RFC2818 compliant out of the box, like NSS. It's the only SSL security
> opt-out SSL interface I've seen. To switch it off you'll need to set the
> flag SCH_CRED_NO_SERVERNAME_CHECK according to
> http://msdn.microsoft.com/en-us/library/aa923430.aspx :

Yes, and that is actually done for IP addresses and if verifyhost is
smaller than 2.

>
> 159 if(Curl_inet_pton(AF_INET, conn->host.name, &addr) ||
> 160 #ifdef ENABLE_IPV6
> 161 Curl_inet_pton(AF_INET6, conn->host.name, &addr6) ||
> 162 #endif
> 163 data->set.ssl.verifyhost < 2) {
> 164 schannel_cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;
> 165 infof(data, "schannel: using IP address, disable SNI servername "
> 166 "check\n");
> 167 }
>
> Note: The info statement of SNI is wrong, it should've said SAN or
> something related to the common name and/or subject alt names.

You may want to look at the context of the name checks being disabled.
SCH_CRED_NO_SERVERNAME_CHECK also disables SNI and that is required
for IP address based connections without a DNS name. Of course the
info statement could include the general fact that name validation is
completely disabled, too. But it's not "wrong".

Best regards,
Marc
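To make the quoted decision concrete, here is a small stand-alone model of the condition at lines 159-163 (an added example, not curl's code and not part of this mail). It assumes a POSIX `inet_pton` in place of `Curl_inet_pton`, and uses only documentation addresses (192.0.2.1, 2001:db8::1) as constructed input. The takeaway for anyone auditing their own libcurl usage: with an IP literal as the host, schannel's server name check is off even when `CURLOPT_SSL_VERIFYHOST` is left at 2.

```c
#include <arpa/inet.h>
#include <stdio.h>

/* Simplified model of the check in lib/curl_schannel.c (assumption: the
 * real code uses Curl_inet_pton; standard inet_pton is used here).
 * Returns 1 when SCH_CRED_NO_SERVERNAME_CHECK would be set, i.e. when the
 * certificate name validation is disabled, and 0 when it stays enabled. */
int schannel_disables_name_check(const char *host, long verifyhost)
{
    struct in_addr addr4;
    struct in6_addr addr6;

    if (inet_pton(AF_INET, host, &addr4) == 1)
        return 1;           /* IPv4 literal: no DNS name to validate */
    if (inet_pton(AF_INET6, host, &addr6) == 1)
        return 1;           /* IPv6 literal: same */
    return verifyhost < 2;  /* CURLOPT_SSL_VERIFYHOST 0 or 1 opts out */
}

int main(void)
{
    /* Constructed cases: a DNS name at each verifyhost level, plus IP
     * literals from the documentation ranges with verifyhost still at 2. */
    struct { const char *host; long vh; } cases[] = {
        {"example.com", 2}, {"example.com", 1}, {"example.com", 0},
        {"192.0.2.1", 2},   {"2001:db8::1", 2},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-14s verifyhost=%ld -> name check %s\n",
               cases[i].host, cases[i].vh,
               schannel_disables_name_check(cases[i].host, cases[i].vh)
                   ? "DISABLED (SCH_CRED_NO_SERVERNAME_CHECK)" : "enabled");
    return 0;
}
```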
Received on 2012-11-04