
can either libcurl's SSL/TLS hostname verification, or hostname resolving, be overridden?

From: Vadim Grinshpun <vgrinshp_at_akamai.com>
Date: Thu, 05 Feb 2015 17:21:05 -0500

Hi folks,

My question is at the very end, but let me describe my scenario first.

I'm writing a program (using libcurl's "multi" interface) that needs to
have concurrent persistent HTTP connections to the same hostname *but*
to different IPs (the hostname in question uses DNS-based load
balancing, so IP diversity is important).

Unfortunately, the obvious solution of disabling libcurl's DNS caching
isn't sufficient: the local DNS resolver has a quirk s.t. under certain
circumstances it will provide the same response to multiple requests
issued within a very short amount of time, so I can't rely on it to
produce diversity; and CURLOPT_RESOLVE wouldn't provide me enough
control for this, since, if I understand correctly, the same entry would
get used by multiple easy handles due to the sharing of the DNS cache
associated with the multi handle.

Pre-resolving the hostname and asking libcurl to connect to specific IPs
works for regular HTTP, but causes issues for HTTPS, since the URL
contains an IP instead of the hostname, and so the VERIFYHOST check fails.

With this scenario in mind, here are my questions:
(1) is there a (reasonably easy) way of tweaking what curl uses for
verifying the hostname during the SSL/TLS handshake, s.t. I can connect
to the IP, but verify using the hostname?

(2) barring that, is there a way to hook into
- how libcurl decides whether it needs to resolve the hostname for a
given easy handle, and
- how the resolving is actually done?

Thanks for any advice/suggestions!

-Vadim G.

Received on 2015-02-05