Re: [curl] Don't omit CN verification in SChannel when an IP address is used. (#94)

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 25 Feb 2014 22:44:17 +0100 (CET)

On Mon, 24 Feb 2014, Marc Hoersken wrote:

> David, thanks for spotting this. Since the change has some side-effects as
> SChannel and the CryptoAPI are not fully compliant with RFC 2818 section
> 3.1, I added the following note to the commit message: SChannel and
> CryptoAPI do not support the iPAddress subjectAltName according to RFC 2818.
> If present, SChannel will first compare the IP address to the dNSName
> subjectAltNames and then fall back to the most specific Common Name in the
> Subject field of the certificate.
>
> This means that after this change curl will not connect to SSL/TLS hosts as
> long as the IP address is not specified in the SAN or CN of the server
> certificate or the verifyhost option is disabled.

That's exactly how it should work.

Of course, a "real" certificate with an IP in a SAN field would store the IP
as an iPAddress and not as a dNSName type. As said in RFC 2818:

    In some cases, the URI is specified as an IP address rather than a
    hostname. In this case, the iPAddress subjectAltName must be present
    in the certificate and must exactly match the IP in the URI.

-- 
  / daniel.haxx.se
Received on 2014-02-25
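The distinction the thread turns on can be made concrete in code. The block below is an added example written for this page; it is not code from the thread, from curl or from SChannel. It implements the RFC 2818 section 3.1 identity check (an IP literal in the URI must match an iPAddress subjectAltName exactly, with no CN fallback; a hostname matches dNSName entries, with the CN consulted only when no dNSName is present) beside the behaviour the quoted commit note attributes to SChannel/CryptoAPI (compare the IP against dNSName entries, then fall back to the CN). The `CertNames` structure and the sample certificates are constructed for the example; a real verifier would pull these fields from the parsed X.509 certificate.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Identity fields extracted from a server certificate (constructed for this example)."""
    common_name: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)  # dNSName subjectAltName entries
    san_ip: List[str] = field(default_factory=list)   # iPAddress subjectAltName entries, textual form


def _is_ip_literal(host: str) -> bool:
    """True if the URI host is an IPv4/IPv6 literal (brackets around IPv6 are tolerated)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _label_matches(pattern_label: str, label: str) -> bool:
    """RFC 2818 wildcard rule: '*' matches within a single DNS label ('f*.com' matches 'foo.com')."""
    if "*" not in pattern_label:
        return pattern_label == label
    head, _, tail = pattern_label.partition("*")
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head) and label.endswith(tail))


def _dns_matches(pattern: str, host: str) -> bool:
    """Case-insensitive, label-by-label match; a wildcard never spans a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and all(_label_matches(a, b) for a, b in zip(p, h))


def matches_rfc2818(uri_host: str, names: CertNames) -> bool:
    """Identity check as RFC 2818 section 3.1 specifies it."""
    if _is_ip_literal(uri_host):
        want = ipaddress.ip_address(uri_host.strip("[]"))
        # Only an iPAddress SAN counts, compared as a parsed address (so IPv6
        # spelling differences do not matter); dNSName and CN are never consulted.
        return any(ipaddress.ip_address(ip) == want for ip in names.san_ip)
    if names.san_dns:
        # dNSName entries present: they are the identity and the CN is ignored.
        return any(_dns_matches(p, uri_host) for p in names.san_dns)
    return names.common_name is not None and _dns_matches(names.common_name, uri_host)


def matches_schannel_as_described(uri_host: str, names: CertNames) -> bool:
    """Behaviour the commit note in the thread attributes to SChannel/CryptoAPI for an
    IP host: compare the textual IP against dNSName entries, then fall back to the
    most specific Common Name. iPAddress entries are not consulted at all."""
    if any(_dns_matches(p, uri_host) for p in names.san_dns):
        return True
    return names.common_name is not None and _dns_matches(names.common_name, uri_host)


# Constructed sample certificates (documentation-range addresses, not real hosts).
CERT_PROPER = CertNames(common_name="example.test", san_dns=["example.test"], san_ip=["192.0.2.10"])
CERT_IP_IN_CN = CertNames(common_name="192.0.2.10")
CERT_IP_IN_DNSNAME = CertNames(common_name="example.test", san_dns=["192.0.2.10"])


if __name__ == "__main__":
    for label, cert in [("iPAddress SAN", CERT_PROPER),
                        ("IP only in CN", CERT_IP_IN_CN),
                        ("IP as dNSName", CERT_IP_IN_DNSNAME)]:
        print(f"{label:14s} RFC 2818: {matches_rfc2818('192.0.2.10', cert)!s:5}  "
              f"SChannel-as-described: {matches_schannel_as_described('192.0.2.10', cert)}")
```

Running it shows the mismatch Marc's note warns about: the properly issued certificate (IP in an iPAddress SAN) passes the RFC 2818 check but fails the described SChannel logic, while certificates carrying the IP only in the CN or in a dNSName entry pass SChannel's logic and fail RFC 2818. Either way, verification is only skipped when the caller explicitly disables host verification, which is the point Daniel confirms.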