
curl-library

RE: can either libcurl's SSL/TLS hostname verification, or hostname resolving, be overridden?

From: Joe Mason <jmason_at_blackberry.com>
Date: Mon, 9 Feb 2015 17:34:08 +0000

> From: curl-library [curl-library-bounces_at_cool.haxx.se] on behalf of Vadim
> Grinshpun [vgrinshp_at_akamai.com]
> Subject: can either libcurl's SSL/TLS hostname verification, or hostname
> resolving, be overridden?
>
> With this scenario in mind, here are my questions:
> (1) is there a (reasonably easy) way of tweaking what curl uses for
> verifying the hostname during the SSL/TLS handshake, s.t. I can connect
> to the IP, but verify using the hostname?

Well, it depends on your threshold for "reasonably easy", but you could set CURLOPT_SSL_VERIFYHOST to 0 to turn off curl's host verification, and then install your own with CURLOPT_SSL_CTX_FUNCTION and SSL_CTX_set_cert_verify_callback:

#include <curl/curl.h>
#include <openssl/ssl.h>

/* Runs instead of OpenSSL's default X509_verify_cert(); return 1 to accept, 0 to abort. */
static int sslVerifyCallback(X509_STORE_CTX *x509Context, void *data)
{
    /* The callback replaces chain validation entirely, so run it yourself first. */
    if (!X509_verify_cert(x509Context))
        return 0;
    X509 *peerCert = X509_STORE_CTX_get0_cert(x509Context); /* x509Context->cert on OpenSSL < 1.1.0 */
    /* Now you can do your own host name validation of peerCert against the name passed
       in `data` (myHostnameCheck is a placeholder for that routine), and on mismatch: */
    if (!myHostnameCheck(peerCert, (const char *)data)) {
        X509_STORE_CTX_set_error(x509Context, X509_V_ERR_SUBJECT_ISSUER_MISMATCH);
        return 0;
    }
    return 1;
}

/* libcurl hands the SSL_CTX over as a void pointer. */
static CURLcode sslContextCallback(CURL *handle, void *sslContext, void *data)
{
    SSL_CTX_set_cert_verify_callback((SSL_CTX *)sslContext, sslVerifyCallback, data);
    return CURLE_OK;
}

curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, 0L);
curl_easy_setopt(handle, CURLOPT_SSL_CTX_FUNCTION, sslContextCallback);
curl_easy_setopt(handle, CURLOPT_SSL_CTX_DATA, expectedHostname); /* arrives as `data` */
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-02-09
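If you take over certificate verification as the reply above suggests, the piece you now own is the host name matching itself, and that is where hand-rolled checks usually go wrong (a bare "*" accepted, a wildcard matching across several labels, "*.com" honoured, IP literals compared as DNS names). The block below is an added example, not code from this thread or from libcurl: it implements the RFC 6125 section 6.4.3 matching rules in plain C with no OpenSSL dependency, so it can be called from a verify callback once you have pulled the dNSName entries and the CN out of the peer certificate (that extraction, via X509_get_ext_d2i with NID_subject_alt_name, is left to the caller). The function names, the SAMPLE_SANS/SAMPLE_CN certificate data and the host list in main are all constructed for the example. Like libcurl's own check, it ignores the CN whenever any dNSName SAN is present.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of n bytes (DNS names are ASCII case-insensitive). */
static bool eq_ci(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Crude IP-literal detector: IPv6 contains ':', IPv4 is only digits and dots. */
static bool looks_like_ip(const char *s, size_t n)
{
    if (memchr(s, ':', n))
        return true;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]) && s[i] != '.')
            return false;
    return true;
}

/* Match one presented dNSName (or CN) pattern against the expected host name
 * following RFC 6125 section 6.4.3: a '*' is honoured only as the complete
 * leftmost label, it matches exactly one label, it needs at least two labels
 * to its right ("*.com" is rejected), and it never matches an IDNA A-label
 * ("xn--..."). An IP literal never matches a dNSName. */
bool match_hostname(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen && pattern[plen - 1] == '.') plen--;   /* tolerate absolute names */
    if (hlen && host[hlen - 1] == '.') hlen--;
    if (!plen || !hlen || looks_like_ip(host, hlen))
        return false;

    const char *star = memchr(pattern, '*', plen);
    if (!star)
        return plen == hlen && eq_ci(pattern, host, plen);

    /* Wildcard must be the whole first label and the only '*' in the pattern. */
    if (star != pattern || plen < 2 || pattern[1] != '.' ||
        memchr(pattern + 1, '*', plen - 1))
        return false;
    const char *rest = pattern + 1;                 /* e.g. ".example.com" */
    size_t rlen = plen - 1;
    if (!memchr(rest + 1, '.', rlen - 1))           /* need two labels after '*' */
        return false;

    const char *hdot = memchr(host, '.', hlen);
    if (!hdot || hdot == host)                      /* host needs a non-empty first label */
        return false;
    if ((size_t)(hdot - host) >= 4 && eq_ci(host, "xn--", 4))
        return false;                               /* no wildcard match on A-labels */
    size_t hrest = hlen - (size_t)(hdot - host);
    return hrest == rlen && eq_ci(hdot, rest, rlen);
}

/* Verify host against a certificate's identifiers. As in libcurl's own check,
 * when any dNSName SAN is present the CN is not consulted at all. */
bool verify_hostname(const char *host, const char *const *dns_sans, size_t nsans,
                     const char *cn)
{
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (match_hostname(dns_sans[i], host))
                return true;
        return false;
    }
    return cn != NULL && match_hostname(cn, host);
}

/* Constructed sample certificate identifiers: two dNSName SANs and an unrelated CN. */
static const char *const SAMPLE_SANS[] = { "*.example.com", "example.com" };
static const char *SAMPLE_CN = "cn-only.example.net";

int main(void)
{
    const char *hosts[] = { "www.example.com", "EXAMPLE.COM", "a.b.example.com",
                            "cn-only.example.net", "192.0.2.1" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s %s\n", hosts[i],
               verify_hostname(hosts[i], SAMPLE_SANS, 2, SAMPLE_CN) ? "match" : "MISMATCH");
    return 0;
}
```

Two caveats for anyone wiring this into a callback. First, OpenSSL 1.0.2 and later ship this logic as X509_check_host(), and a build against those versions should prefer it over any re-implementation; the block above is for understanding the rules and for older toolchains. Second, for the "connect to the IP but verify the real name" case, libcurl's CURLOPT_RESOLVE (a curl_slist of "host:port:address" entries) pins the address for a name without touching verification at all, which is usually the safer route than disabling CURLOPT_SSL_VERIFYHOST.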