authorDavid Ryskalczyk <d235j.1@gmail.com>2014-02-23 18:38:58 +0100
committerMarc Hoersken <info@marc-hoersken.de>2014-02-24 22:12:55 +0100
commit63fc8ee7be2b712e7af5029f4f8a86a0dfd71b38 (patch)
tree1539274155e5966b083fd122e507976add1c1a16 /lib/vtls
parentc27cc68815acd315c663e08ee9e3450b153f095f (diff)
winssl: Enable hostname verification of IP address using SAN or CN
Original commit message was: Don't omit CN verification in SChannel when an IP address is used. Side-effect of this change: SChannel and CryptoAPI do not support the iPAddress subjectAltName according to RFC 2818. If present, SChannel will first compare the IP address to the dNSName subjectAltNames and then fall back to the most specific Common Name in the Subject field of the certificate. This means that after this change curl will not connect to SSL/TLS hosts addressed by IP unless the IP address is listed in the SAN or CN of the server certificate or the verifyhost option is disabled.
Diffstat (limited to 'lib/vtls')
-rw-r--r--lib/vtls/curl_schannel.c20
1 files changed, 9 insertions, 11 deletions
diff --git a/lib/vtls/curl_schannel.c b/lib/vtls/curl_schannel.c
index 33c9aac8e..bee493ca1 100644
--- a/lib/vtls/curl_schannel.c
+++ b/lib/vtls/curl_schannel.c
@@ -156,17 +156,6 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
infof(data, "schannel: disable server certificate revocation checks\n");
}
- if(Curl_inet_pton(AF_INET, conn->host.name, &addr)
-#ifdef ENABLE_IPV6
- || Curl_inet_pton(AF_INET6, conn->host.name, &addr6)
-#endif
- ) {
- schannel_cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;
- infof(data, "schannel: using IP address, SNI is being disabled by "
- "disabling the servername check against the "
- "subject names in server certificates.\n");
- }
-
if(!data->set.ssl.verifyhost) {
schannel_cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;
infof(data, "schannel: verifyhost setting prevents Schannel from "
@@ -228,6 +217,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
}
}
+ /* Warn if SNI is disabled due to use of an IP address */
+ if(Curl_inet_pton(AF_INET, conn->host.name, &addr)
+#ifdef ENABLE_IPV6
+ || Curl_inet_pton(AF_INET6, conn->host.name, &addr6)
+#endif
+ ) {
+ infof(data, "schannel: using IP address, SNI is not supported by OS.\n");
+ }
+
/* setup output buffer */
InitSecBuffer(&outbuf, SECBUFFER_EMPTY, NULL, 0);
InitSecBufferDesc(&outbuf_desc, &outbuf, 1);
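Review bot: The new comment and infof text on the first added lines attribute the missing SNI to the OS, but SNI cannot carry an IP literal by protocol (RFC 6066 does not allow it), and the caveat a maintainer actually needs is the one in the commit description: Schannel matches an IP-address host name only against dNSName SANs and the CN, never the iPAddress SAN, so with this change verification of an IP host fails unless the literal appears there or verifyhost is off. I would replace the comment with `/* Host is an IP literal: SNI is never sent for IP literals (RFC 6066), and Schannel matches the address against dNSName SANs and the CN only, not iPAddress SANs. */` and word the message as `"schannel: using IP address, SNI is not sent for IP literals.\n"`. The Curl_inet_pton results written to addr/addr6 are used only for the test; their declarations, and the rest of schannel_connect_step1, lie outside the hunk.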