> From: curl-library [[email protected]] on behalf of Vadim 
> Grinshpun [[email protected]]
> Subject: can either libcurl's SSL/TLS hostname verification, or hostname 
> resolving, be overridden?
> 
> With this scenario in mind, here are my questions:
> (1) is there a (reasonably easy) way of tweaking what curl uses for
> verifying the hostname during the SSL/TLS handshake, s.t. I can connect
> to the IP, but verify using the hostname?

Well, it depends on your threshold for "reasonably easy", but you could set 
CURLOPT_SSL_VERIFYHOST to 0 to turn off curl's host verification, and then install 
your own with CURLOPT_SSL_CTX_FUNCTION and SSL_CTX_set_cert_verify_callback:

#include <curl/curl.h>
#include <openssl/ssl.h>
#include <openssl/x509v3.h>

int sslVerifyCallback(X509_STORE_CTX *x509Context, void *data)
{
    const char *expectedHost = data;   /* the CURLOPT_SSL_CTX_DATA pointer */
    /* was x509Context->cert; the struct is opaque since OpenSSL 1.1.0 */
    X509 *peerCert = X509_STORE_CTX_get0_cert(x509Context);

    /* This callback replaces OpenSSL's own verification, so the chain still
       has to be checked here, otherwise any certificate would be accepted. */
    if (X509_verify_cert(x509Context) != 1)
        return 0;
    /* Now you can do your own host name validation of peerCert (X509_check_host
       applies the usual rules); if there's an error, set it and return 0 */
    if (peerCert == NULL || X509_check_host(peerCert, expectedHost, 0, 0, NULL) != 1) {
        X509_STORE_CTX_set_error(x509Context, X509_V_ERR_SUBJECT_ISSUER_MISMATCH);
        return 0;
    }
    return 1;   /* 1 for success, 0 to abort */
}

CURLcode sslContextCallback(CURL *handle, void *sslctx, void *data)
{
    SSL_CTX_set_cert_verify_callback((SSL_CTX *)sslctx, &sslVerifyCallback, data);
    return CURLE_OK;
}

/* "expected.example.com" is a placeholder for the name the certificate should carry */
curl_easy_setopt(handle, CURLOPT_SSL_CTX_DATA, "expected.example.com");
curl_easy_setopt(handle, CURLOPT_SSL_CTX_FUNCTION, &sslContextCallback);
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
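Added example, not part of the thread above: the host-name matching that a custom verify callback of the kind discussed needs, written in plain C without OpenSSL so it runs on its own. The subjectAltName dNSName list is constructed here; in a real callback the names come from the peer X509 (or X509_check_host does the comparison), and the callback must still run X509_verify_cert, since SSL_CTX_set_cert_verify_callback replaces OpenSSL's chain validation rather than adding to it. Note also that later libcurl offers CURLOPT_RESOLVE, which pins a host name to an IP address without touching verification at all; when it is available it is the safer route for the original question.

```c
/* Match a host name against certificate dNSName entries by the usual rules:
 * case-insensitive labels, a wildcard only as the entire leftmost label and
 * only with at least two labels after it, no wildcard across label boundaries,
 * and no dNSName match for an IP-address literal (those use iPAddress SANs). */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count labels in a DNS name ("a.b.c" -> 3). */
static size_t label_count(const char *name)
{
    size_t n = 1;
    for (; *name; name++)
        if (*name == '.')
            n++;
    return n;
}

/* Case-insensitive equality; DNS names are case-insensitive. */
static bool names_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* True for an IPv4-looking literal (digits and dots) or anything with ':'. */
static bool looks_like_ip(const char *host)
{
    if (strchr(host, ':'))
        return true;
    for (; *host; host++)
        if (!isdigit((unsigned char)*host) && *host != '.')
            return false;
    return true;
}

/* Does one dNSName pattern from the certificate match the intended host? */
bool dnsname_matches(const char *pattern, const char *host)
{
    if (*pattern == '\0' || *host == '\0' || looks_like_ip(host))
        return false;

    /* No leading "*.": plain comparison, any stray '*' is taken literally. */
    if (strncmp(pattern, "*.", 2) != 0)
        return names_equal(pattern, host);

    /* "*.com" would cover every .com name; require "*.label.tld" at least,
       and no further wildcards in the remainder. */
    if (label_count(pattern) < 3 || strchr(pattern + 2, '*'))
        return false;

    /* The wildcard stands for exactly one non-empty label, so label counts
       must agree: "*.example.com" must not match "a.b.example.com". */
    if (host[0] == '.' || label_count(host) != label_count(pattern))
        return false;

    /* Compare the host minus its first label with the pattern minus "*". */
    const char *host_suffix = strchr(host, '.');
    return host_suffix != NULL && names_equal(pattern + 1, host_suffix);
}

/* What the verify callback would decide: accept if any SAN dNSName matches. */
bool host_matches_any(const char *const *san_dns, size_t count, const char *host)
{
    for (size_t i = 0; i < count; i++)
        if (dnsname_matches(san_dns[i], host))
            return true;
    return false;
}

int main(void)
{
    /* Constructed SAN list standing in for what a certificate would carry. */
    const char *const sans[] = { "api.example.com", "*.cdn.example.com" };
    const size_t n = sizeof sans / sizeof sans[0];
    const char *hosts[] = { "API.example.com", "edge1.cdn.example.com",
                            "a.b.cdn.example.com", "192.0.2.10" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-24s %s\n", hosts[i],
               host_matches_any(sans, n, hosts[i]) ? "match" : "mismatch");
    return 0;
}
```

The last input is the point of the original question: connecting to an IP literal and then checking the certificate against that literal fails by design, which is why the callback has to be handed the intended host name separately (the CURLOPT_SSL_CTX_DATA pointer in the reply above) rather than whatever the connection was made to.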