author | nickzman <nickzman@gmail.com> | 2014-02-25 17:36:44 -0600 |
---|---|---|
committer | nickzman <nickzman@gmail.com> | 2014-02-25 17:36:44 -0600 |
commit | e9665e9658307894e75b5037ab31809a026c891e (patch) | |
tree | 77ead127a1b5e2b1d32639b820ffb54c5a7c47ee /lib | |
parent | d48eb1dd69aa881c315c6dc7c9cdd2acc99c0b77 (diff) | |
parent | afc6e5004fabee590e41ffe750a237e1187fbbbd (diff) |
Merge pull request #93 from d235j/darwinssl_ip_address_fix
darwinssl: don't omit CN verification when an IP address is used
Diffstat (limited to 'lib')
-rw-r--r-- | lib/vtls/curl_darwinssl.c | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/lib/vtls/curl_darwinssl.c b/lib/vtls/curl_darwinssl.c
index b3bc4da7a..3a9da91cc 100644
--- a/lib/vtls/curl_darwinssl.c
+++ b/lib/vtls/curl_darwinssl.c
@@ -1323,20 +1323,26 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 }
 #endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
- /* If this is a domain name and not an IP address, then configure SNI.
+ /* Configure hostname check. SNI is used if available.
+ * Both hostname check and SNI require SSLSetPeerDomainName().
 * Also: the verifyhost setting influences SNI usage */
- /* If this is a domain name and not an IP address, then configure SNI: */
- if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
-#ifdef ENABLE_IPV6
- (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
-#endif
- data->set.ssl.verifyhost) {
+ if(data->set.ssl.verifyhost) {
 err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name,
- strlen(conn->host.name));
+ strlen(conn->host.name));
+
 if(err != noErr) {
 infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d\n",
 err);
 }
+
+ if((Curl_inet_pton(AF_INET, conn->host.name, &addr))
+ #ifdef ENABLE_IPV6
+ || (Curl_inet_pton(AF_INET6, conn->host.name, &addr))
+ #endif
+ ) {
+ infof(data, "WARNING: using IP address, SNI is being disabled by "
+ "the OS.\n");
+ }
 }
 /* Disable cipher suites that ST supports but are not safe. These ciphers |
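Review bot: A failing SSLSetPeerDomainName() is still only logged through infof() in the `if(err != noErr)` branch, although the new comment says the hostname check itself depends on that call. With verifyhost enabled the setup would then presumably continue without the peer name the check needs, so this path should fail closed, e.g. `failf(data, "SSL: SSLSetPeerDomainName() failed: OSStatus %d", err); return CURLE_SSL_CONNECT_ERROR;`. Whether Secure Transport rejects the handshake on its own in that state is not visible in this hunk and should be confirmed rather than assumed. darwinssl_connect_step1 starts and ends outside the hunk.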