From afc6e5004fabee590e41ffe750a237e1187fbbbd Mon Sep 17 00:00:00 2001 From: David Ryskalczyk Date: Sun, 23 Feb 2014 10:35:30 -0500 Subject: Don't omit CN verification in DarwinSSL when an IP address is used. --- lib/vtls/curl_darwinssl.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'lib') diff --git a/lib/vtls/curl_darwinssl.c b/lib/vtls/curl_darwinssl.c index b3bc4da7a..3a9da91cc 100644 --- a/lib/vtls/curl_darwinssl.c +++ b/lib/vtls/curl_darwinssl.c @@ -1323,20 +1323,26 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, } #endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */ - /* If this is a domain name and not an IP address, then configure SNI. + /* Configure hostname check. SNI is used if available. + * Both hostname check and SNI require SSLSetPeerDomainName(). * Also: the verifyhost setting influences SNI usage */ - /* If this is a domain name and not an IP address, then configure SNI: */ - if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) && -#ifdef ENABLE_IPV6 - (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) && -#endif - data->set.ssl.verifyhost) { + if(data->set.ssl.verifyhost) { err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name, - strlen(conn->host.name)); + strlen(conn->host.name)); + if(err != noErr) { infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d\n", err); } + + if((Curl_inet_pton(AF_INET, conn->host.name, &addr)) + #ifdef ENABLE_IPV6 + || (Curl_inet_pton(AF_INET6, conn->host.name, &addr)) + #endif + ) { + infof(data, "WARNING: using IP address, SNI is being disabled by " + "the OS.\n"); + } } /* Disable cipher suites that ST supports but are not safe. These ciphers -- cgit v1.2.3