Re: Changed logic in verifyhost()

From: Erland Costyson <>
Date: Tue, 24 May 2016 11:24:50 +0200

On Tue, May 24, 2016 at 10:06 AM, Daniel Stenberg <> wrote:
> However, the following section does:
> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present
> in the certificate and must exactly match the IP in the URI.
> If you have A) a URL specified as IP address B) subjectAltName in cert but
> no match for any IPAddress then it isn't a match. Only if you don't have a
> subjectAltName field at all it should check the Common Name field for a
> match:

Found the problem in the server cert: it has one subjectAltName, but
that is an email address!
So it shouldn't work according to the spec.

> Although the use of the Common Name is existing practice, it is deprecated
> (deprecated already in the spec from the year 2000)
> I guess that was a long way to say that I believe the current logic is spec
> compliant.
> You agree or disagree?

I agree that the new code works as intended.

Thanks for your support.

Received on 2016-05-24
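
The host-check decision discussed in this thread, as an added C example that is not curl's code and not part of the original mail. The types, names and sample certificates are constructed for illustration, and matching is simplified to exact string comparison (no wildcards, no binary IP comparison).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the identity fields of a certificate. */
enum san_type { SAN_DNS, SAN_IP, SAN_EMAIL };
struct san { enum san_type type; const char *value; };
struct cert { const char *common_name; const struct san *sans; size_t nsans; };

/* Returns 1 if the certificate matches host, 0 otherwise.
   host_is_ip is non-zero when the URL host is an IP address. */
int verify_host(const struct cert *c, const char *host, int host_is_ip)
{
  size_t i;
  if(c->nsans > 0) {
    /* A subjectAltName is present: the Common Name is never consulted,
       even if no entry has the type we need (e.g. only an email entry). */
    enum san_type want = host_is_ip ? SAN_IP : SAN_DNS;
    for(i = 0; i < c->nsans; i++)
      if(c->sans[i].type == want && strcmp(c->sans[i].value, host) == 0)
        return 1;
    return 0;
  }
  /* No subjectAltName at all: fall back to the deprecated Common Name. */
  return c->common_name != NULL && strcmp(c->common_name, host) == 0;
}

/* Constructed sample certificates (documentation addresses and names). */
static const struct san email_only[] = { { SAN_EMAIL, "admin@example.com" } };
static const struct san ip_entry[] = { { SAN_IP, "192.0.2.10" } };
const struct cert cert_email_san = { "192.0.2.10", email_only, 1 };
const struct cert cert_ip_san = { "server.example", ip_entry, 1 };
const struct cert cert_cn_only = { "192.0.2.10", NULL, 0 };

int main(void)
{
  const char *host = "192.0.2.10";
  /* The case from this mail: CN matches, but the only SAN is an email. */
  printf("email SAN only: %d\n", verify_host(&cert_email_san, host, 1));
  printf("matching IP SAN: %d\n", verify_host(&cert_ip_san, host, 1));
  printf("no SAN, CN only: %d\n", verify_host(&cert_cn_only, host, 1));
  return 0;
}
```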