On Tue, 1 Oct 2013, Jeffrey Walton wrote:
> Is the following performed by curl_easy_perform when using OpenSSL:
> * call SSL_get_peer_certificate and verify the certificate is non-NULL
Yes.
> * call SSL_get_verify_result and verify the result is X509_V_OK
Yes.
> * perform name matching (CN or SAN must match requested host)
> I think the last item can be controlled with CURLOPT_SSL_VERIFYHOST, so I
> would have to add it manually
It is enabled by default, but you can disable it if you really want to.
> *If* the subject's CN is not listed in the SAN, will libcurl fail the
> handshake when using CURLOPT_SSL_VERIFYHOST?
Yes, if SAN is used then CN is ignored. We even have a test case for it.
> I did not see an option to disable SSLv3, or an option to disable
> compression. Are they listed elsewhere? Or is there another way to use, for
> example, TLS 1.0 and above?
There's an option to ask for TLS1+ (which has some problems we'll fix, see
https://sourceforge.net/p/curl/bugs/1280/ and
https://github.com/bagder/curl/pull/79)
There's no option to disable TLS compression.
--
/ daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
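The host-name rule stated in the reply above (when the certificate carries SAN entries, only those are matched and the subject CN is ignored) is easy to get wrong in hand-rolled verifiers, so here is an added, self-contained model of that rule. This is example code written for this page, not libcurl's or OpenSSL's own matching routine; the certificate names and hosts below are constructed, and the single-label wildcard handling is a simplifying assumption chosen for illustration rather than a statement of what libcurl does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Match one presented name (a SAN dNSName or the subject CN) against the
 * requested host. Assumption for this example: a wildcard is only honoured
 * as the whole leftmost label ("*.example.com"), it matches exactly one
 * label, and a wildcard directly above a top-level label ("*.com") is
 * rejected. Comparison is case-insensitive, as DNS names are. */
static bool name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *suffix = pattern + 1;          /* ".example.com" */
        const char *dot = strchr(host, '.');       /* host minus its first label */
        if (dot == NULL)
            return false;                          /* nothing for "*" to consume */
        if (strchr(suffix + 1, '.') == NULL)
            return false;                          /* "*.com" style patterns refused */
        return strcasecmp(dot, suffix) == 0;       /* exactly one label matched */
    }
    return strcasecmp(pattern, host) == 0;
}

/* The rule from the thread: if any SAN dNSName is present, the CN is not
 * consulted at all, even when the CN would have matched. With no SANs the
 * CN is the only name available and is matched instead. */
bool host_verify(const char *const *sans, size_t nsans,
                 const char *cn, const char *host)
{
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (name_matches(sans[i], host))
                return true;
        return false;                              /* CN deliberately ignored */
    }
    return cn != NULL && name_matches(cn, host);
}

/* Constructed sample certificates (names only; no real certificates). */
const char *const cert_with_sans[]  = { "www.example.com", "example.com" };
const char *const cert_wildcard[]   = { "*.example.com" };
const char *const cert_bad_wild[]   = { "*.com" };
const char *const cert_with_sans_cn = "legacy.example.com";

int main(void)
{
    /* CN matches the host, but SANs are present, so the check must fail. */
    printf("SAN cert, host legacy.example.com -> %s\n",
           host_verify(cert_with_sans, 2, cert_with_sans_cn,
                       "legacy.example.com") ? "match" : "no match");
    /* Same CN with no SANs at all: the CN is consulted and matches. */
    printf("CN-only cert, host legacy.example.com -> %s\n",
           host_verify(NULL, 0, cert_with_sans_cn,
                       "legacy.example.com") ? "match" : "no match");
    printf("*.example.com vs api.example.com -> %s\n",
           host_verify(cert_wildcard, 1, NULL, "api.example.com")
               ? "match" : "no match");
    printf("*.example.com vs a.b.example.com -> %s\n",
           host_verify(cert_wildcard, 1, NULL, "a.b.example.com")
               ? "match" : "no match");
    return 0;
}
```

The point worth keeping in mind when reading the output: a certificate whose CN names the host but whose SAN list does not will be rejected, which is exactly the behaviour the reply says libcurl tests for, and why operators should put every intended host name into the SAN extension rather than relying on the CN.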