[GNUnet-SVN] [gnurl] 16/205: darwinssl: Warn that disabling host verify also disables SNI
From: gnunet
Subject: [GNUnet-SVN] [gnurl] 16/205: darwinssl: Warn that disabling host verify also disables SNI
Date: Thu, 20 Apr 2017 16:19:16 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to annotated tag gnurl-7.54.0
in repository gnurl.
commit 0966ab5bd4ad547c74e1032899c87f7214bc5b73
Author: JDepooter <address@hidden>
AuthorDate: Thu Feb 2 13:40:16 2017 -0800
darwinssl: Warn that disabling host verify also disables SNI
In DarwinSSL the SSLSetPeerDomainName function is used to enable both
sending SNI and verifying the host. When host verification is disabled
the function cannot be called, therefore SNI is disabled as well.
Closes https://github.com/curl/curl/pull/1240
---
docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3 | 13 ++++++++++---
lib/vtls/darwinssl.c | 3 +++
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3 b/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
index 159147327..acadd0774 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
@@ -58,9 +58,16 @@ The default value for this option is 2.
This option controls checking the server's certificate's claimed identity.
The server could be lying. To control lying, see
-\fICURLOPT_SSL_VERIFYPEER(3)\fP. If libcurl is built against NSS and
-\fICURLOPT_SSL_VERIFYPEER(3)\fP is zero, \fICURLOPT_SSL_VERIFYHOST(3)\fP is
-also set to zero and cannot be overridden.
+\fICURLOPT_SSL_VERIFYPEER(3)\fP.
+.SH LIMITATIONS
+DarwinSSL: If \fIverify\fP value is 0, then SNI is also disabled. SNI is a TLS
+extension that sends the hostname to the server. The server may use that
+information to do such things as sending back a specific certificate for the
+hostname, or forwarding the request to a specific origin server. Some hostnames
+may be inaccessible if SNI is not sent.
+
+NSS: If \fICURLOPT_SSL_VERIFYPEER(3)\fP is zero,
+\fICURLOPT_SSL_VERIFYHOST(3)\fP is also set to zero and cannot be overridden.
.SH DEFAULT
2
.SH PROTOCOLS
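Review bot: the new LIMITATIONS paragraph for DarwinSSL explains the mechanism (no SNI when \fIverify\fP is 0) but not the symptom the caller will actually observe, so consider one more sentence saying that a server that selects its certificate or backend by SNI may present the wrong certificate or refuse the handshake, which is what "Some hostnames may be inaccessible" means in practice. Minor grammar: "If \fIverify\fP value is 0" should read "If the \fIverify\fP value is 0". Moving the NSS caveat out of the main description into the same LIMITATIONS section is a good change; both backend-specific notes now sit in one place.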
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 050bf960b..25a8ab8b6 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1425,6 +1425,9 @@ static CURLcode darwinssl_connect_step1(struct
connectdata *conn,
"the OS.\n");
}
}
+ else {
+ infof(data, "WARNING: disabling hostname validation also disables SNI.\n");
+ }
/* Disable cipher suites that ST supports but are not safe. These ciphers
are unlikely to be used in any case since ST gives other ciphers a much
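Review bot: infof() output only reaches the application when verbose output is enabled, so in the common non-verbose case an application that sets CURLOPT_SSL_VERIFYHOST to 0 still loses SNI silently; the man page change in this patch is what actually informs the caller, so the two hunks should land together. The hunk shows two closing braces immediately before the new else, so confirm the else pairs with the outer verifyhost check and not with the inner block that emits the "SNI is being disabled by the OS" message. A one-line source comment at the new branch stating why SNI cannot be enabled here (SSLSetPeerDomainName does both verification and SNI, as the commit message says) would spare the next reader a trip to the commit history.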