curl-library

Re: [curl] Don't omit CN verification in SChannel when an IP address is used. (#94)

From: Marc Hoersken <info_at_marc-hoersken.de>
Date: Mon, 24 Feb 2014 22:26:12 +0100

Hello everyone,

I have just merged and pushed a slightly modified version of David's
pull request to the main repository.

David, thanks for spotting this. Since the change has some side-effects
as SChannel and the CryptoAPI are not fully compliant with RFC 2818
section 3.1, I added the following note to the commit message:
 SChannel and CryptoAPI do not support the iPAddress subjectAltName
 according to RFC 2818. If present, SChannel will first compare the
 IP address to the dNSName subjectAltNames and then fall back to the
 most specific Common Name in the Subject field of the certificate.

 This means that after this change curl will not connect to SSL/TLS
 hosts as long as the IP address is not specified in the SAN or CN
 of the server certificate or the verifyhost option is disabled.

Best regards,
Marc
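The two matching behaviours the mail contrasts, as an added illustration that is not curl's, SChannel's or David's code: a matcher following RFC 2818 section 3.1 (an IP host must match an iPAddress subjectAltName) beside a matcher that reproduces the fallback order described in the commit note (IP string compared to dNSName entries, then to the most specific Common Name, iPAddress entries ignored). The `CertIdentifiers` structure, the sample certificates and the function names are constructed for this example; the SChannel-like matcher is a model of the behaviour described above, not SChannel's actual implementation.

```python
"""Host-identity matching: RFC 2818 vs the SChannel-like fallback described in the mail.

Constructed example. CertIdentifiers stands in for the identifiers parsed out of
an X.509 certificate; no real certificate parsing is done here.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertIdentifiers:
    # Subject Common Names, most specific first (constructed representation).
    common_names: list = field(default_factory=list)
    dns_names: list = field(default_factory=list)      # SAN dNSName entries
    ip_addresses: list = field(default_factory=list)   # SAN iPAddress entries, textual form


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """Case-insensitive DNS name comparison allowing one left-most wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[0] == "*" and p_labels[1:] == h_labels[1:]


def match_rfc2818(cert, host):
    """RFC 2818 section 3.1: IP hosts need an iPAddress SAN; names use dNSName SANs,
    falling back to the Common Name only when the certificate carries no dNSName SAN."""
    if _is_ip(host):
        target = ipaddress.ip_address(host)
        # Compared as addresses, so "::1" and "0:0:0:0:0:0:0:1" are equal.
        return any(ipaddress.ip_address(ip) == target for ip in cert.ip_addresses)
    if cert.dns_names:
        return any(_dns_match(p, host) for p in cert.dns_names)
    return any(_dns_match(cn, host) for cn in cert.common_names)


def match_schannel_like(cert, host):
    """Model of the fallback order in the commit note (assumption, not SChannel's code):
    the IP string is compared to dNSName SANs, then to the most specific CN;
    iPAddress SANs are never consulted. Non-IP hosts are handled as in match_rfc2818."""
    if _is_ip(host):
        if any(d.lower() == host.lower() for d in cert.dns_names):
            return True
        return bool(cert.common_names) and cert.common_names[0] == host
    return match_rfc2818(cert, host)


def check_host(cert, host, matcher, verifyhost=True):
    """Mirror of the verifyhost switch mentioned in the mail: disabling it skips matching."""
    if not verifyhost:
        return True
    return matcher(cert, host)


# Constructed sample certificates (RFC 5737 documentation address, .test TLD).
CERT_IP_SAN = CertIdentifiers(common_names=["example.test"], ip_addresses=["192.0.2.10"])
CERT_CN_ONLY = CertIdentifiers(common_names=["192.0.2.10"])
CERT_DNS_SAN_IP = CertIdentifiers(common_names=["example.test"], dns_names=["192.0.2.10"])
CERT_NAME = CertIdentifiers(common_names=["example.test"], dns_names=["*.example.test"])


def demo():
    """Return the verdict each matcher gives for the sample certificates."""
    ip = "192.0.2.10"
    return {
        "ip_san/rfc2818": match_rfc2818(CERT_IP_SAN, ip),            # True
        "ip_san/schannel": match_schannel_like(CERT_IP_SAN, ip),     # False: iPAddress SAN ignored
        "cn_only/rfc2818": match_rfc2818(CERT_CN_ONLY, ip),          # False: no iPAddress SAN
        "cn_only/schannel": match_schannel_like(CERT_CN_ONLY, ip),   # True: CN fallback
        "dns_san_ip/schannel": match_schannel_like(CERT_DNS_SAN_IP, ip),  # True
        "name/rfc2818": match_rfc2818(CERT_NAME, "www.example.test"),     # True
        "verifyhost_off": check_host(CERT_IP_SAN, ip, match_schannel_like, verifyhost=False),
    }


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key:22s} {verdict}")
```

The first two rows of `demo()` are the side effect the commit note warns about: a certificate that is correct per RFC 2818 (IP only in an iPAddress SAN) is rejected by the SChannel-like order, while a certificate carrying the address as a dNSName or as the Common Name is accepted. Operators hitting this after the change either issue certificates with the address in those fields or disable verifyhost, with the corresponding loss of host-identity checking.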
Received on 2014-02-24