Hi,

2012/11/4 Oscar Koeroo <[email protected]>
> lib/curl_schannel.c
> VerifyHost is not used

I don't think this is correct. Please see line 163.

> It's RFC2818 compliant out of the box, like NSS. It's the only SSL security
> opt-out SSL interface I've seen. To switch it off you'll need to set the
> flag SCH_CRED_NO_SERVERNAME_CHECK according to
> http://msdn.microsoft.com/en-us/library/aa923430.aspx :

Yes, and that is actually done for IP addresses and if verifyhost is smaller
than 2.

>   159   if(Curl_inet_pton(AF_INET, conn->host.name, &addr) ||
>   160 #ifdef ENABLE_IPV6
>   161      Curl_inet_pton(AF_INET6, conn->host.name, &addr6) ||
>   162 #endif
>   163      data->set.ssl.verifyhost < 2) {
>   164     schannel_cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;
>   165     infof(data, "schannel: using IP address, disable SNI servername "
>   166           "check\n");
>   167   }
>
> Note: The info statement of SNI is wrong, it should've said SAN or something
> related to the common name and/or subject alt names.

You may want to look at the context of the name checks being disabled.
SCH_CRED_NO_SERVERNAME_CHECK also disables SNI and that is required for IP
address based connections without a DNS name. Of course the info statement
could include the general fact that name validation is completely disabled,
too. But it's not "wrong".

Best regards, Marc

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
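The thread above is about the point at which curl's Schannel backend switches server-name validation off entirely (IP-address hosts, or `verifyhost < 2`). As an added example, not code from curl or from anyone in this thread, the C program below shows what that switched-off check actually consists of: the same `inet_pton` test for an IP literal, a hostname matched against dNSName SANs (exact or single leftmost-label wildcard, case-insensitive), and, for an IP literal, a binary comparison against iPAddress SANs as RFC 2818 section 3.1 requires, so that `2001:0db8::10` and `2001:db8::10` compare equal. The SAN lists, the `check_server_name` function and the `name_result` enum are constructed for this example; the `verifyhost < 2` threshold mirrors the quoted condition, and the iPAddress branch is what RFC 2818 prescribes for IP-addressed URIs rather than something the quoted snippet does.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* One subjectAltName entry of a (constructed) server certificate. */
typedef enum { SAN_DNS, SAN_IP } san_type;
typedef struct { san_type type; const char *value; } san_entry;

/* Outcome of the pre-handshake decision plus the check that would run if
   it were not switched off. Hypothetical names, not curl's. */
typedef enum { NAME_CHECK_SKIPPED, NAME_CHECK_OK, NAME_CHECK_FAILED } name_result;

/* Parse an IPv4 or IPv6 literal into its binary form; false if not an IP. */
static bool parse_ip(const char *s, unsigned char out[16], int *len) {
  if (inet_pton(AF_INET, s, out) == 1) { *len = 4; return true; }
  if (inet_pton(AF_INET6, s, out) == 1) { *len = 16; return true; }
  return false;
}

/* Same test the quoted curl snippet performs with Curl_inet_pton. */
bool is_ip_literal(const char *host) {
  unsigned char buf[16]; int len;
  return parse_ip(host, buf, &len);
}

/* iPAddress SAN match: compare binary addresses, not their textual forms. */
static bool ip_match(const char *san_ip, const char *host) {
  unsigned char a[16], b[16]; int la, lb;
  return parse_ip(san_ip, a, &la) && parse_ip(host, b, &lb) &&
         la == lb && memcmp(a, b, (size_t)la) == 0;
}

/* dNSName SAN match: case-insensitive exact match, or a "*." wildcard that
   covers exactly one non-empty leftmost label ("*.a.com" matches "foo.a.com"
   but not "bar.foo.a.com"). Wildcards anywhere else are rejected. */
static bool dns_match(const char *pattern, const char *host) {
  if (strncmp(pattern, "*.", 2) == 0) {
    const char *rest = pattern + 2;
    const char *dot = strchr(host, '.');
    if (!dot || dot == host || strchr(rest, '*')) return false;
    return strcasecmp(rest, dot + 1) == 0;
  }
  if (strchr(pattern, '*')) return false;
  return strcasecmp(pattern, host) == 0;
}

/* verifyhost < 2 skips the check, mirroring the quoted condition. Otherwise an
   IP literal is validated only against iPAddress SANs (RFC 2818 3.1) and a
   hostname only against dNSName SANs. */
name_result check_server_name(const char *host, long verifyhost,
                              const san_entry *sans, size_t nsans) {
  if (verifyhost < 2) return NAME_CHECK_SKIPPED;
  bool host_is_ip = is_ip_literal(host);
  for (size_t i = 0; i < nsans; i++) {
    if (host_is_ip && sans[i].type == SAN_IP && ip_match(sans[i].value, host))
      return NAME_CHECK_OK;
    if (!host_is_ip && sans[i].type == SAN_DNS && dns_match(sans[i].value, host))
      return NAME_CHECK_OK;
  }
  return NAME_CHECK_FAILED;
}

/* Constructed SAN list of an imaginary certificate. */
const san_entry example_sans[] = {
  { SAN_DNS, "*.example.com" },
  { SAN_DNS, "example.com" },
  { SAN_IP,  "192.0.2.10" },
  { SAN_IP,  "2001:db8::10" },
};
const size_t example_nsans = sizeof(example_sans) / sizeof(example_sans[0]);

/* A certificate that only names the address as a dNSName string must not
   validate an IP-addressed connection. */
const san_entry dns_only_sans[] = { { SAN_DNS, "192.0.2.10" } };
const size_t dns_only_nsans = 1;

int main(void) {
  const char *hosts[] = { "www.example.com", "deep.www.example.com",
                          "192.0.2.10", "192.0.2.11", "2001:0db8::10" };
  const char *names[] = { "SKIPPED", "OK", "FAILED" };
  for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
    name_result r = check_server_name(hosts[i], 2, example_sans, example_nsans);
    printf("%-22s ip=%d -> %s\n", hosts[i], is_ip_literal(hosts[i]), names[r]);
  }
  return 0;
}
```

The point of the IP branch is that an IP-addressed URI does not have to mean "no name check at all": the literal can be matched against iPAddress SANs, while SNI (which carries hostnames only) is a separate matter that the `SCH_CRED_NO_SERVERNAME_CHECK` flag happens to bundle with the name check.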
