aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
diff options
context:
space:
mode:
authorDavid Ryskalczyk <d235j.1@gmail.com>2014-02-23 10:35:30 -0500
committerDavid Ryskalczyk <d235j.1@gmail.com>2014-02-23 12:37:27 -0500
commitafc6e5004fabee590e41ffe750a237e1187fbbbd (patch)
tree398c20221791407d8fd6b9ee8b13c144e6b32cde /lib/vtls
parent0d9ddf91ca896d5a4ed5525a426ff74bd2bc6726 (diff)
Don't omit CN verification in DarwinSSL when an IP address is used.
Diffstat (limited to 'lib/vtls')
-rw-r--r--lib/vtls/curl_darwinssl.c22
1 files changed, 14 insertions, 8 deletions
diff --git a/lib/vtls/curl_darwinssl.c b/lib/vtls/curl_darwinssl.c
index b3bc4da7a..3a9da91cc 100644
--- a/lib/vtls/curl_darwinssl.c
+++ b/lib/vtls/curl_darwinssl.c
@@ -1323,20 +1323,26 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
}
#endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
- /* If this is a domain name and not an IP address, then configure SNI.
+ /* Configure hostname check. SNI is used if available.
+ * Both hostname check and SNI require SSLSetPeerDomainName().
* Also: the verifyhost setting influences SNI usage */
- /* If this is a domain name and not an IP address, then configure SNI: */
- if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
-#ifdef ENABLE_IPV6
- (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
-#endif
- data->set.ssl.verifyhost) {
+ if(data->set.ssl.verifyhost) {
err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name,
- strlen(conn->host.name));
+ strlen(conn->host.name));
+
if(err != noErr) {
infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d\n",
err);
}
+
+ if((Curl_inet_pton(AF_INET, conn->host.name, &addr))
+ #ifdef ENABLE_IPV6
+ || (Curl_inet_pton(AF_INET6, conn->host.name, &addr))
+ #endif
+ ) {
+ infof(data, "WARNING: using IP address, SNI is being disabled by "
+ "the OS.\n");
+ }
}
/* Disable cipher suites that ST supports but are not safe. These ciphers