Re: "The Most Dangerous Code in the World"
Date: Sun, 4 Nov 2012 11:19:34 +0100
2012/11/4 Oscar Koeroo <okoeroo_at_nikhef.nl>:
>>> It's RFC2818 compliant out of the box, like NSS. It's the only
>>> opt-out SSL interface I've seen. To switch it off you'll need to set the
>>> flag SCH_CRED_NO_SERVERNAME_CHECK according to
>>> http://msdn.microsoft.com/en-us/library/aa923430.aspx :
>> Yes, and that is actually done for IP addresses and if verifyhost is
>> smaller than 2.
> Yes, this part I understand. If you detect it's an IP, don't bother to do
> the verification. This is something which is covered internally in other SSL
> stacks. Does this mean that the Schannel library will fail to connect if
> there are Subject Alt Names IP-addresses in the certificate?
I don't know; I copied this specific check from another curl SSL backend.
> I think it's totally normal to not succeed setting up an SSL connection if
> there is no way you can compare binding information of the certificate in
> the SSL handshake and the underlying transport layer.
Sure, but there should be a way to ignore this and still set up the connection.
> The code snippet disables a check with a SubjectAltNames IP-address which
> might be supported by the Schannel library and/or used in a host certificate
> in deployments.
> I'm inclined to remove the check on IP-address input in cUrl around this
> part because I think cUrl should simply not be responsible for this choice.
Please make sure that you test that Schannel is actually able to
handle IP addresses before removing this check.
> Do you have documentation backing up this part?
> It says:
> "SCH_CRED_NO_SERVERNAME_CHECK: Client only. Prevent Schannel from comparing
> the supplied target name with the subject names in server certificates."
> If I Google the SCH_CRED_NO_SERVERNAME_CHECK with the term SNI I only get
> cUrl code and maillist hits. Nothing on the SNI (Server Name Indication)
> side effect here too.
> I don't have a Windows Server 2012 (which seems to introduce TLS support for
> Server Name Indicator (SNI) extensions:
> http://technet.microsoft.com/en-us/library/hh831381.aspx) to play with, to
> Wireshark it to confirm the SCH_CRED_NO_SERVERNAME_CHECK. I doubt this is
> really what is going on in Schannel.
I think SNI is supported in Schannel since Windows XP SP3, but I am
testing on Windows 7.
> I hope you can dig up info about this. This is interesting stuff as SNI
> becomes popular.
Attached you will find a small Wireshark dump containing two Client
Hello packets. Once SCH_CRED_NO_SERVERNAME_CHECK is supplied to
Schannel, it does not send the server_name extension and therefore
disables SNI. This makes sense: since Schannel will not care about the
server name, why should it bother sending it in the first place?
- application/octet-stream attachment: schannel_sni.pcapng
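As an added illustration (not part of this thread, curl, or Schannel), a small Python parser that checks whether a captured TLS ClientHello carries the server_name extension, which is the observation the attached dump is meant to show. The ClientHello bytes are constructed inside the block, one with SNI and one without, so it runs without the pcapng.

```python
from typing import Optional

def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed sample ClientHello record (TLS 1.2 body) for the parser below."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # client_version, random, empty session_id
    body += b"\x00\x02\x00\x2f"                    # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                            # one compression method: null
    exts = b""
    if sni is not None:                            # server_name extension, type 0x0000
        name = sni.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name   # name_type host_name(0)
        lst = len(entry).to_bytes(2, "big") + entry
        exts += b"\x00\x00" + len(lst).to_bytes(2, "big") + lst
    exts += b"\xff\x01\x00\x01\x00"                # renegotiation_info, so the no-SNI case still has extensions
    body += len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type client_hello(1)
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs   # record: handshake, version, length

def client_hello_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:                          # walk the extension list
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:                             # server_name: 2-byte list length, then entries
            lpos = 2
            while lpos + 3 <= len(data):
                ntype, nlen = data[lpos], int.from_bytes(data[lpos + 1:lpos + 3], "big")
                if ntype == 0:
                    return data[lpos + 3:lpos + 3 + nlen].decode("ascii")
                lpos += 3 + nlen
    return None
```

A ClientHello in which `client_hello_sni` returns None is the "SNI disabled" behaviour the dump attributes to SCH_CRED_NO_SERVERNAME_CHECK.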