
curl-library

Support for custom SNI

From: Gaurav Malhotra <malhotrag_at_gmail.com>
Date: Mon, 25 Jun 2018 17:20:00 +0530

I work on an application that has an HTTPS server with multiple TLS server
certificates, each issued by a different CA. Each of these server
certificates has the same host names in the Subject Alternative Name field.
There are many remote clients that utilize libcurl (with the OpenSSL
backend) to make HTTPS calls to the server. Each client only trusts one of
the CAs that the server has a certificate from. The server has to pick the
correct server certificate to ensure that the certificate verification
checks on the client side succeed (CURLOPT_SSL_VERIFYPEER and
CURLOPT_SSL_VERIFYHOST are both enabled).

We've configured the web server to select one of the available server
certificates based on an SNI hint sent by the client during the TLS
handshake. The problem we're facing is that libcurl does not currently
allow the specification of a custom SNI independent of the server's host
name. In the scenario I've described above, each client needs to use the
same host name for CURLOPT_SSL_VERIFYHOST but a different SNI.

Is there some way to achieve the desired result without changing libcurl?
Would it be useful to enhance libcurl to allow the specification of a
custom SNI? If so, I'd be more than happy to work on a patch for curl and
submit a pull request on github.

Here are some past discussions related to custom SNI support that I found:
https://github.com/curl/curl/issues/607
https://github.com/jay/curl/compare/master...jay:curlopt_sni_hostname?expand=1
https://github.com/curl/curl/issues/1775

Thanks!
Gaurav

Received on 2018-06-25