curl-library

Re: Question on SSL/TLS, OpenSSL, and simplessl.c

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 1 Oct 2013 11:32:09 +0200 (CEST)

On Tue, 1 Oct 2013, Jeffrey Walton wrote:

> Is the following performed by curl_easy_perform when using OpenSSL:
>
> * call SSL_get_peer_certificate and verify the certificate is non-NULL

Yes.

> * call SSL_get_verify_result and verify the result is X509_V_OK

Yes.

> * perform name matching (CN or SAN must match requested host)
>
> I think the last item can be controlled with CURLOPT_SSL_VERIFYHOST, so I
> would have to add it manually.

It is enabled by default, but you can disable it if you really want to.

> *If* the subject's CN is not listed in the SAN, will libcurl fail the
> handshake when using CURLOPT_SSL_VERIFYHOST?

Yes, if SAN is used then CN is ignored. We even have a test case for it.

> I did not see an option to disable SSLv3, or an option to disable
> compression. Are they listed elsewhere? Or is there another way to use, for
> example, TLS 1.0 and above?

There's an option to ask for TLS1+ (which has some problems we'll fix, see
https://sourceforge.net/p/curl/bugs/1280/ and
https://github.com/bagder/curl/pull/79).

There's no option to disable TLS compression.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2013-10-01
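The three checks listed in the question, and the SAN-over-CN rule stated in the reply, as a worked example. This is added illustration, not code from the mail and not libcurl's or OpenSSL's own verification code: the certificate is modelled as a plain struct with a CN and a list of dNSName SAN entries, `peer_present` and `verify_result` stand in for the results of `SSL_get_peer_certificate` and `SSL_get_verify_result`, and the `verifyhost` flag models `CURLOPT_SSL_VERIFYHOST`. The wildcard handling (one leading `*.` label) is a simplified RFC 6125 rule assumed for this example, not a statement about how libcurl's matcher behaves. The sample certificates and host names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Simplified model of a certificate's identity fields: one subject CN and
 * up to MAX_SAN dNSName SubjectAltName entries. Constructed for this example;
 * real code would pull these out of the X509 object OpenSSL hands back. */
#define MAX_SAN 8
typedef struct {
    const char *cn;             /* subject Common Name, or NULL */
    const char *san[MAX_SAN];   /* dNSName SAN entries */
    size_t san_count;
} cert_identity;

/* Return codes of peer_acceptable(), one per check in the original question. */
enum { PEER_OK = 0, PEER_NO_CERT = 1, PEER_CHAIN_FAILED = 2, PEER_NAME_MISMATCH = 3 };

/* Compare one certificate name with the requested host. DNS names are
 * case-insensitive. A leading "*." is honoured as a wildcard for exactly one
 * label, and only when the suffix itself contains a dot (a simplified RFC 6125
 * rule; an assumption of this example, not a description of libcurl's matcher). */
static bool name_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL)
        return false;
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)          /* host needs a non-empty first label */
            return false;
        if (strchr(pattern + 2, '.') == NULL)    /* refuse "*.com"-style patterns */
            return false;
        return strcasecmp(dot + 1, pattern + 2) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* The rule stated in the reply: when SAN entries are present, only they are
 * consulted and the CN is ignored; the CN is used only for SAN-less certificates. */
bool cert_matches_host(const cert_identity *cert, const char *host)
{
    if (cert->san_count > 0) {
        for (size_t i = 0; i < cert->san_count; i++)
            if (name_matches(cert->san[i], host))
                return true;
        return false;                            /* CN deliberately not consulted */
    }
    return name_matches(cert->cn, host);
}

/* The three checks from the question, in order. peer_present stands in for
 * SSL_get_peer_certificate() != NULL and verify_result for the value of
 * SSL_get_verify_result(); X509_V_OK is 0 in OpenSSL, so 0 means the chain
 * verified. verifyhost models CURLOPT_SSL_VERIFYHOST: 0 skips the name check. */
int peer_acceptable(bool peer_present, long verify_result,
                    const cert_identity *cert, const char *host, int verifyhost)
{
    if (!peer_present)
        return PEER_NO_CERT;
    if (verify_result != 0)
        return PEER_CHAIN_FAILED;
    if (verifyhost && !cert_matches_host(cert, host))
        return PEER_NAME_MISMATCH;
    return PEER_OK;
}

/* Constructed sample certificates. */
const cert_identity SAMPLE_SAN_CERT = {
    "cn-only.example",                           /* CN that is NOT in the SAN list */
    { "www.example.com", "*.example.org" }, 2
};
const cert_identity SAMPLE_CN_CERT = { "mail.example.com", { NULL }, 0 };

int main(void)
{
    int r = peer_acceptable(true, 0, &SAMPLE_SAN_CERT, "cn-only.example", 1);
    printf("host named only in CN, SAN present, VERIFYHOST on : code %d\n", r);
    r = peer_acceptable(true, 0, &SAMPLE_SAN_CERT, "cn-only.example", 0);
    printf("same certificate, VERIFYHOST off                  : code %d\n", r);
    r = peer_acceptable(true, 0, &SAMPLE_SAN_CERT, "api.example.org", 1);
    printf("wildcard SAN match                                : code %d\n", r);
    return 0;
}
```

The second case in `main` is the one the reply's default protects against: with the name check switched off, a certificate whose names do not cover the requested host is still accepted as long as it chains to a trusted root, so leaving `CURLOPT_SSL_VERIFYHOST` enabled is what ties the verified chain to the host you actually asked for.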