Re: CURLOPT_SSL_VERIFYHOST with raw IP addresses

From: Patrick Monnerat via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 31 Jan 2019 16:00:08 +0100

On 1/31/19 3:43 PM, Martin Galvan via curl-library wrote:
> Hi all,
>
> My application is currently setting CURLOPT_SSL_VERIFYHOST to 2 in
> order to enable cert identity verification. However, I saw that
> passing the remote host's IP address to libcurl (as opposed to the
> hostname) results in the identity verification failing. This is a bit
> inconvenient, as sometimes I may want to use hostnames and IP
> addresses interchangeably.
>
> What's the best way to do this?

If you have control over the server certificate, set its "Subject
Alternative Name" with the site name and IP (there can be more than one).

Else this might be impossible: For example, you can try https from a
browser with www.google.com's IP address and you'll see it requires the
SNI to be transmitted (by definition, an IP address has no SNI!).

Received on 2019-01-31
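
An added example, not part of the original mail and not libcurl's own code: a simplified model of the RFC 2818 rule behind the failure discussed above, where a host given as an IP literal is matched only against iPAddress entries in the Subject Alternative Name and never against dNSName entries. The `struct san` type, the function names and the sample certificates are assumptions constructed for illustration; wildcard and Common Name handling are left out.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed model of a certificate's subjectAltName list (hypothetical types). */
enum san_type { SAN_DNS, SAN_IP };
struct san { enum san_type type; const char *value; };

/* Constructed sample certificates; names and addresses are documentation values. */
static const struct san name_only[] = { { SAN_DNS, "www.example.com" } };
static const struct san ip_as_dns[] = { { SAN_DNS, "192.0.2.10" } };
static const struct san name_and_ip[] = {
    { SAN_DNS, "www.example.com" }, { SAN_IP, "192.0.2.10" }, { SAN_IP, "2001:db8::1" } };

/* Parse an IPv4/IPv6 literal; returns the address length (4 or 16), 0 if not an IP. */
static int parse_ip(const char *s, unsigned char out[16])
{
    if (inet_pton(AF_INET, s, out) == 1) return 4;
    if (inet_pton(AF_INET6, s, out) == 1) return 16;
    return 0;
}

/* Returns 1 if the host the client asked for is covered by the SAN list, else 0. */
int san_matches(const char *host, const struct san *sans, size_t n)
{
    unsigned char want[16], have[16];
    int wlen = parse_ip(host, want);

    for (size_t i = 0; i < n; i++) {
        if (wlen) {
            /* IP literal: only iPAddress entries count, compared as raw bytes. */
            if (sans[i].type == SAN_IP &&
                parse_ip(sans[i].value, have) == wlen &&
                memcmp(want, have, (size_t)wlen) == 0)
                return 1;
        } else if (sans[i].type == SAN_DNS &&
                   strcasecmp(host, sans[i].value) == 0) {
            return 1; /* Hostname: exact, case-insensitive dNSName match. */
        }
    }
    return 0;
}

int main(void)
{
    printf("IP vs name-only cert:   %d\n", san_matches("192.0.2.10", name_only, 1));
    printf("IP vs name+IP cert:     %d\n", san_matches("192.0.2.10", name_and_ip, 3));
    printf("IP vs IP-in-dNSName:    %d\n", san_matches("192.0.2.10", ip_as_dns, 1));
    return 0;
}
```

The `ip_as_dns` case shows that putting the address into a dNSName entry does not satisfy the check; the certificate needs a real iPAddress entry.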