cURL / Mailing Lists / curl-library / Single Mail


Re: [curl] Don't omit CN verification in SChannel when an IP address is used. (#94)

From: Marc Hoersken <>
Date: Mon, 24 Feb 2014 22:26:12 +0100

Hello everyone,

I have just merged and pushed a slightly modified version of David's
pull request to the main repository.

David, thanks for spotting this. Since the change has some side-effects
as SChannel and the CryptoAPI are not fully compliant with RFC 2818
section 3.1, I added the following note to the commit message:
 SChannel and CryptoAPI do not support the iPAddress subjectAltName
 according to RFC 2818. If present, SChannel will first compare the
 IP address to the dNSName subjectAltNames and then fallback to the
 most specific Common Name in the Subject field of the certificate.

 This means that after this change curl will not connect to SSL/TLS
 hosts as long as the IP address is not specified in the SAN or CN
 of the server certificate or the verifyhost option is disabled.

Best regards,
List admin:
Received on 2014-02-24