curl-library
Re: Question on SSL/TLS, OpenSSL, and simplessl.c
Date: Tue, 1 Oct 2013 11:32:09 +0200 (CEST)
On Tue, 1 Oct 2013, Jeffrey Walton wrote:
> Is the following performed by curl_easy_perform when using OpenSSL:
>
> * call SSL_get_peer_certificate and verify the certificate is non-NULL
Yes.
> * call SSL_get_verify_result and verify the result is X509_V_OK
Yes.
> * perform name matching (CN or SAN must match requested host)
>
> I think the last item can be controlled with CURLOPT_SSL_VERIFYHOST, so I
> would have to add it manually
It is enabled by default, but you can disable it if you really want to.
> *If* the subject's CN is not listed in the SAN, will libcurl fail the
> handshake when using CURLOPT_SSL_VERIFYHOST?
Yes, if SAN is used then CN is ignored. We even have a test case for it.
> I did not see an option to disable SSLv3, or an option to disable
> compression. Are they listed elsewhere? Or is there another way to use, for
> example, TLS 1.0 and above?
There's an option to ask for TLS1+ (which has some problems we'll fix, see
https://sourceforge.net/p/curl/bugs/1280/ and
https://github.com/bagder/curl/pull/79)
There's no option to disable TLS compression.
-- / daniel.haxx.se
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-10-01
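The host-name matching rule discussed in this thread (SAN entries consulted first, the subject CN ignored whenever DNS SANs are present, single-label wildcards), written out as a stand-alone C illustration. This is an added example, not libcurl's own checker; `tls_host_matches` and its helpers are hypothetical names, and it omits things curl's real code handles such as IP-address SANs.

```c
/* Added example: SAN-before-CN host matching, not libcurl's own code. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of two DNS names. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Match host against one certificate name. "*.example.com" matches exactly
 * one leftmost label: "www.example.com" yes, "example.com" and
 * "a.b.example.com" no. Patterns with fewer than two dots after the '*'
 * (e.g. "*.com") are rejected so a wildcard cannot cover a whole TLD. */
static int pattern_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return name_eq(pattern, host);          /* plain name: exact match */
    if (!strchr(pattern + 2, '.'))
        return 0;                               /* "*.com" style: refuse */
    const char *host_dot = strchr(host, '.');
    if (!host_dot || host_dot == host)
        return 0;                               /* no label for '*' to eat */
    return name_eq(pattern + 1, host_dot);      /* compare ".example.com" */
}

/* Return 1 if the certificate is valid for host, 0 otherwise.
 * When the certificate carries DNS SANs only they are consulted and the
 * subject CN is ignored; the CN is a fallback for SAN-less certificates. */
int tls_host_matches(const char *host, const char *cn,
                     const char **sans, size_t nsans)
{
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (pattern_matches(sans[i], host))
                return 1;
        return 0;                               /* CN deliberately ignored */
    }
    return cn ? pattern_matches(cn, host) : 0;
}
```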