curl-library

Re: axTLS host verification

From: Aleksey Tulinov <aleksey.tulinov_at_gmail.com>
Date: Wed, 12 Jun 2013 08:24:24 +0300

On Sat, Jun 8, 2013 at 11:54 AM, Oscar Koeroo <okoeroo_at_nikhef.nl> wrote:

>> I've noticed that cURL changed behavior in 7.29 regarding axTLS
>> support. Before it was ignoring invalid certificates as requested, but
>> in 7.29 it gives "subjectAltName(s) do not match %s" error and ignores
>> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
>
> FWIW: The commit was introduced in the 7.28-1 release.
>

My mistake. I've compared 7.29 and 7.28, but not the intermediate versions.

> Well... it was meant to relate to the part "setting similar to the
> OpenSSL backend.". This was how curl handled the VERIFYHOST setting with
> an OpenSSL backend. axTLS was the first of a few SSL backends that
> needed fixing and decided to mimic the OpenSSL behavior.
>

That was my justification for introducing this patch, thank you for
the detailed commit message. I also saw that verifyhost() is called in
the OpenSSL backend if only this option is enabled, so I tried to bring
the axTLS backend in accordance with the declared behavior.

Received on 2013-06-12