On Mon, 24 Feb 2014, Marc Hoersken wrote:

David, thanks for spotting this. Since the change has some side-effects as SChannel and the CryptoAPI are not fully compliant with RFC 2818 section 3.1, I added the following note to the commit message: SChannel and CryptoAPI do not support the iPAddress subjectAltName according to RFC 2818. If present, SChannel will first compare the IP address to the dNSName subjectAltNames and then fall back to the most specific Common Name in the Subject field of the certificate.

This means that after this change curl will not connect to SSL/TLS hosts as long as the IP address is not specified in the SAN or CN of the server certificate or the verifyhost option is disabled.

That's exactly how it should work.

Of course, a "real" certificate with an IP in a SAN field would store the IP as an iPAddress and not as a dNSName type. As said in RFC 2818:

   In some cases, the URI is specified as an IP address rather than a
   hostname. In this case, the iPAddress subjectAltName must be present
   in the certificate and must exactly match the IP in the URI.

--

 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
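The RFC 2818 section 3.1 rule quoted above, as an added example that is not curl's code: the certificate is passed in as already-parsed fields (SAN entries as (type, value) pairs plus the Subject CN), the sample data is constructed, and the second function models only the lenient dNSName-then-CN behaviour the quoted commit note describes, for contrast.

```python
# RFC 2818 section 3.1 identity check, added example (not curl's code).
# The certificate is given as already-parsed fields: SAN entries as
# (type, value) pairs plus the Subject CN, so no TLS library is needed.
import ipaddress
from typing import Iterable, Optional, Tuple


def _parse_ip(text: str):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; a wildcard only as the whole leftmost label
    (a common tightening of RFC 2818's wildcard rule), never for a 2-label host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    return len(p) == len(h) and len(h) > 2 and p[1:] == h[1:]


def verify_host_rfc2818(host: str, san: Iterable[Tuple[str, str]],
                        subject_cn: Optional[str]) -> bool:
    ip = _parse_ip(host)
    if ip is not None:
        # IP literal in the URI: an iPAddress SAN must be present and match
        # exactly (compared as addresses, so IPv6 spelling differences do not
        # matter). An IP written as dNSName text or as the CN never counts.
        return any(t == "iPAddress" and _parse_ip(v) == ip for t, v in san)
    dns_names = [v for t, v in san if t == "dNSName"]
    if dns_names:  # dNSName SANs present: they are the identity, CN is ignored
        return any(_dns_match(n, host) for n in dns_names)
    return subject_cn is not None and _dns_match(subject_cn, host)


def verify_ip_schannel_style(host: str, san: Iterable[Tuple[str, str]],
                             subject_cn: Optional[str]) -> bool:
    """The lenient behaviour the quoted note describes: the IP text is compared
    to dNSName SANs, then to the CN. Shown only to contrast with RFC 2818."""
    return host in [v for t, v in san if t == "dNSName"] or host == subject_cn


# Constructed sample certificate data (not taken from any real certificate).
SAN_OK = [("dNSName", "example.com"), ("iPAddress", "192.0.2.10"),
          ("iPAddress", "2001:db8::1")]
SAN_IP_AS_DNS = [("dNSName", "192.0.2.10")]  # IP mistakenly encoded as dNSName
```

With the verifyhost check enabled, a server certificate that carries the address only as dNSName text or as the CN passes the lenient check but fails the RFC 2818 one.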
