curl-library

Re: "The Most Dangerous Code in the World"

From: Marc Hoersken <info_at_marc-hoersken.de>
Date: Sun, 4 Nov 2012 11:19:34 +0100

Hi,

2012/11/4 Oscar Koeroo <okoeroo_at_nikhef.nl>:
>>> It's RFC2818 compliant out of the box, like NSS. It's the only SSL
>>> security opt-out SSL interface I've seen. To switch it off you'll need
>>> to set the flag SCH_CRED_NO_SERVERNAME_CHECK according to
>>> http://msdn.microsoft.com/en-us/library/aa923430.aspx :
>>
>> Yes, and that is actually done for IP addresses and if verifyhost is
>> smaller than 2.
>
> Yes, this part I understand. If you detect it's an IP, don't bother to do
> the verification. This is something which is covered internally in other SSL
> stacks. Does this mean that the Schannel library will fail to connect if
> there are Subject Alt Names IP-addresses in the certificate?

I don't know, I copied this specific check from another curl SSL backend.

> I think it's totally normal to not succeed setting up an SSL connection if
> there is no way you can compare binding information of the certificate in
> the SSL handshake and the underlying transport layer.

Sure, but there should be a way to ignore this and still set up the connection.

> The code snippet disables a check with a SubjectAltNames IP-address which
> might be supported by the Schannel library and/or used in a host certificate
> in deployments.
>
> I'm inclined to remove the check on IP-address input in cUrl around this
> part because I think cUrl should simply not be responsible for this choice.

Please make sure that you test that Schannel is actually able to
handle IP addresses before removing this check.

> Do you have documentation backing up this part?
>
> Quoting
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa379810%28v=vs.85%29.aspx
> it says:
>
> "SCH_CRED_NO_SERVERNAME_CHECK: Client only. Prevent Schannel from comparing
> the supplied target name with the subject names in server certificates."
>
> If I Google the SCH_CRED_NO_SERVERNAME_CHECK with the term SNI I only get
> cUrl code and maillist hits. Nothing on the SNI (Server Name Indication)
> side effect here too
> http://msdn.microsoft.com/en-us/library/aa923156.aspx
>
> I don't have a Windows Server 2012 (which seems to introduce TLS support for
> Server Name Indicator (SNI) extensions:
> http://technet.microsoft.com/en-us/library/hh831381.aspx) to play with to
> Wireshark it to confirm the SCH_CRED_NO_SERVERNAME_CHECK. I doubt this is
> really what is going on in Schannel.

I think SNI is supported in Schannel since Windows XP SP3, but I am
testing on Windows 7.

> I hope you can dig up info about this. This is interesting stuff as SNI
> becomes popular.

Attached you will find a small Wireshark dump containing two Client
Hello packets. Once SCH_CRED_NO_SERVERNAME_CHECK is supplied to
Schannel, it does not send the server_name extension and therefore
disables SNI. This makes sense: since Schannel will not care about the
server name, why should it bother sending it in the first place?

Best regards,
Marc
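The two observations in this mail, that curl's Schannel backend skips the server name check for IP literals or when verifyhost is below 2, and that a ClientHello sent without the server_name extension is a ClientHello without SNI, can both be checked without Windows. The following is an added example written for this page; it is not curl's or Schannel's code. It constructs minimal TLS ClientHello records with and without a server_name extension, parses the extension block the way one would inspect a Wireshark capture, and mirrors the verifyhost/IP rule exactly as described in the mail (the function name `schannel_skips_name_check` and the sample records are assumptions made for this illustration).

```python
import ipaddress
import struct

# TLS wire constants (RFC 5246 record/handshake types, RFC 6066 extension id)
HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name=None, version=(3, 1)):
    """Build a minimal TLS 1.0 record carrying a ClientHello.

    Constructed for this example only: fixed random, no session id, two
    cipher suites. When server_name is given, a server_name extension
    (host_name type 0) is appended, as a client with SNI enabled would do.
    """
    random = b"\x00" * 32
    session_id = b""
    cipher_suites = b"\x00\x2f\x00\x35"  # TLS_RSA_WITH_AES_{128,256}_CBC_SHA
    compression = b"\x00"
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (bytes(version) + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression)
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE]) + bytes(version)
            + struct.pack("!H", len(handshake)) + handshake)


def client_hello_sni(record):
    """Return the host_name carried in the server_name extension, or None.

    None is what the dump described above shows for a Schannel client
    created with SCH_CRED_NO_SERVERNAME_CHECK: no extension at all.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                  # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len       # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = body[pos]; pos += 1 + comp_len     # compression_methods
    if pos >= len(body):
        return None                               # no extensions block present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + length]; pos += length
        if ext_type == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
    return None


def schannel_skips_name_check(host, verifyhost):
    """Mirror the rule stated in the mail (an assumption about curl's backend,
    not its source): the name check is disabled for IP literals or when
    CURLOPT_SSL_VERIFYHOST is smaller than 2. Per the capture described,
    disabling the check also means no SNI is sent."""
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return verifyhost < 2 or is_ip


if __name__ == "__main__":
    for host, verify in [("example.com", 2), ("example.com", 1), ("10.0.0.1", 2)]:
        skip = schannel_skips_name_check(host, verify)
        hello = build_client_hello(None if skip else host)
        print(host, verify, "name check skipped" if skip else "name check on",
              "SNI:", client_hello_sni(hello))
```

Running the block prints, for each constructed case, whether the name check would be skipped and what SNI value the resulting ClientHello carries; feeding a real ClientHello taken from a capture into `client_hello_sni` is the same check applied to an actual Schannel client.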

Received on 2012-11-04