curl-library

RE: How do I customise SSL hostname validation

From: Patrick Monnerat <Patrick.Monnerat_at_datasphere.ch>
Date: Wed, 29 Jan 2014 11:02:32 +0100

 
Peter Andrews wrote:

> What I would like to know is can I send a request to a specific IP
> address and still verify the certificate contains the expected hostname?

Hi Peter,

This is a TLS problem, not a curl problem.

IMHO, the only way to achieve what you want is to specify the "subject
alternative name" (SAN) extension in the server's certificate.

While most clients check IP addresses against IP-type SAN fields, IE wants IP
addresses as names (DNS). Thus you have to put both forms for each IP
address.

Most clients also do not check the CN when the SAN is given (so does
curl): so also put the host name in a SAN field.

In short, build your SAN with the following info:
- the host name as DNS type
- IP 1 as IP
- IP 1 as DNS
- IP 2 as IP
- IP 2 as DNS

Patrick

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-01-29
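
The SAN layout recommended in the message above, as an added example that is not part of the original mail or of curl: it renders the entry list as an OpenSSL `subjectAltName` value and reports which recommended entries a certificate lacks. It assumes the certificate is given as the dict returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the sample certificate are hypothetical and constructed for illustration.

```python
import ipaddress

def recommended_san(hostname, ips):
    """Entries the post recommends: host as DNS, each IP as both IP and DNS."""
    entries = [("DNS", hostname.lower())]
    for ip in ips:
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        entries.append(("IP", addr.compressed))
        entries.append(("DNS", addr.compressed))
    return entries

def openssl_san_value(hostname, ips):
    """Render the entries in OpenSSL's subjectAltName value syntax."""
    return ",".join(f"{k}:{v}" for k, v in recommended_san(hostname, ips))

def _normalise(kind, value):
    """Map a getpeercert()-style SAN pair onto the (kind, value) form above."""
    value = value.strip()  # some Python versions append a newline to IPv6 SANs
    if kind == "IP Address":
        return ("IP", ipaddress.ip_address(value).compressed)
    if kind == "DNS":
        try:  # an IP written into a DNS-type field, as the post describes
            return ("DNS", ipaddress.ip_address(value).compressed)
        except ValueError:
            return ("DNS", value.lower())
    return (kind, value)

def missing_san_entries(cert, hostname, ips):
    """Return the recommended entries that the certificate does not carry."""
    present = {_normalise(k, v) for k, v in cert.get("subjectAltName", ())}
    return [e for e in recommended_san(hostname, ips) if e not in present]

# Constructed sample: the second IP is present as IP type but not as DNS type.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("IP Address", "192.0.2.10"),
        ("DNS", "192.0.2.10"),
        ("IP Address", "2001:DB8:0:0:0:0:0:1\n"),
    ),
}

if __name__ == "__main__":
    print(openssl_san_value("www.example.com", ["192.0.2.10", "2001:db8::1"]))
    print(missing_san_entries(SAMPLE_CERT, "www.example.com",
                              ["192.0.2.10", "2001:db8::1"]))
```

The string from `openssl_san_value` can be used as the `subjectAltName` value in an OpenSSL extension section when the server certificate is issued.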