
Question on SSL/TLS, OpenSSL, and simplessl.c

From: Jeffrey Walton <noloader_at_gmail.com>
Date: Tue, 1 Oct 2013 02:43:52 -0400

I hope these are quick questions. I built libcurl with OpenSSL per INSTALL.

The easy option from simplessl.c
(http://curl.haxx.se/libcurl/c/simplessl.html) makes the call:

      res = curl_easy_perform(curl);
      /* Check for errors */
      if(res != CURLE_OK)
        fprintf(stderr, "curl_easy_perform() failed: %s\n",
                curl_easy_strerror(res));

Is the following performed by curl_easy_perform when using OpenSSL:

  * call SSL_get_peer_certificate and verify the certificate is non-NULL
  * call SSL_get_verify_result and verify the result is X509_V_OK
  * perform name matching (CN or SAN must match requested host)

I think the last item can be controlled with CURLOPT_SSL_VERIFYHOST,
so I would have to add it manually (boy there's a lot of curl
options).

*If* the subject's CN is not listed in the SAN, will libcurl fail the
handshake when using CURLOPT_SSL_VERIFYHOST?

I did not see an option to disable SSLv3, or an option to disable
compression. Are they listed elsewhere? Or is there another way to
use, for example, TLS 1.0 and above?

Thanks in advance.
Received on 2013-10-01