

Re: [curl] Don't omit CN verification in SChannel when an IP address is used. (#94)

From: Daniel Stenberg <>
Date: Tue, 25 Feb 2014 22:44:17 +0100 (CET)

On Mon, 24 Feb 2014, Marc Hoersken wrote:

> David, thanks for spotting this. Since the change has some side-effects as
> SChannel and the CryptoAPI are not fully compliant with RFC 2818 section
> 3.1, I added the following note to the commit message: SChannel and
> CryptoAPI do not support the iPAddress subjectAltName according to RFC 2818.
> If present, SChannel will first compare the IP address to the dNSName
> subjectAltNames and then fall back to the most specific Common Name in the
> Subject field of the certificate.
> This means that after this change curl will not connect to SSL/TLS hosts as
> long as the IP address is not specified in the SAN or CN of the server
> certificate or the verifyhost option is disabled.

That's exactly how it should work.

Of course, a "real" certificate with an IP in a SAN field would store the IP
as an iPAddress and not as a dnsName type. As said in RFC2818:

    In some cases, the URI is specified as an IP address rather than a
    hostname. In this case, the iPAddress subjectAltName must be present
    in the certificate and must exactly match the IP in the URI.

Received on 2014-02-25
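The RFC 2818 section 3.1 rule quoted above, as an added example that is not part of the original thread or of curl's own code: a checker that accepts an IP-literal target only when an iPAddress subjectAltName matches it exactly, beside a deliberately lenient variant that reproduces the "dNSName first, then Common Name" fallback described in the quoted commit note, so the two behaviours can be compared on the same certificate. The certificates are constructed sample data in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the function and constant names are this example's own.

```python
import ipaddress

# Constructed sample certificates (not real ones), in the dict layout that
# ssl.SSLSocket.getpeercert() returns in the Python standard library.
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "api.example.test"),),),
    "subjectAltName": (("DNS", "api.example.test"), ("IP Address", "192.0.2.10")),
}
# The IP appears only as a dNSName SAN and as the CN, never as an iPAddress SAN.
CERT_IP_IN_DNS_AND_CN_ONLY = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("DNS", "192.0.2.10"),),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "www.example.test"),),),
}
CERT_WILDCARD = {
    "subjectAltName": (("DNS", "*.example.test"),),
}


def _san_entries(cert, kind):
    """All subjectAltName values of one type ('DNS' or 'IP Address')."""
    return [value for (t, value) in cert.get("subjectAltName", ()) if t == kind]


def _common_name(cert):
    """The first commonName attribute of the Subject, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _dns_matches(pattern, hostname):
    """Case-insensitive dNSName match; '*' is accepted only as a whole label.

    RFC 2818 also allows fragment wildcards such as 'f*.com'; this example
    deliberately restricts '*' to a single complete label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def matches_rfc2818(cert, target):
    """True if cert identifies target per RFC 2818 section 3.1.

    IP-literal targets require an iPAddress SAN that equals the target
    (compared as parsed addresses). dNSName SANs and the CN are never
    consulted for an IP. Hostname targets use dNSName SANs, and the CN only
    when the certificate carries no dNSName SAN at all.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for value in _san_entries(cert, "IP Address"):
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed SAN value: ignore rather than match
        return False
    dns_names = _san_entries(cert, "DNS")
    if dns_names:
        return any(_dns_matches(p, target) for p in dns_names)
    cn = _common_name(cert)
    return cn is not None and _dns_matches(cn, target)


def matches_lenient_dns_then_cn(cert, target):
    """The fallback order the quoted note attributes to SChannel/CryptoAPI:
    compare the target (IP or hostname) against dNSName SANs as plain
    strings, then against the CN. iPAddress SANs are not consulted.
    """
    if any(_dns_matches(p, target) for p in _san_entries(cert, "DNS")):
        return True
    cn = _common_name(cert)
    return cn is not None and _dns_matches(cn, target)


if __name__ == "__main__":
    for cert_name, cert in [("CERT_WITH_IP_SAN", CERT_WITH_IP_SAN),
                            ("CERT_IP_IN_DNS_AND_CN_ONLY", CERT_IP_IN_DNS_AND_CN_ONLY)]:
        print(cert_name, "192.0.2.10",
              "rfc2818:", matches_rfc2818(cert, "192.0.2.10"),
              "lenient:", matches_lenient_dns_then_cn(cert, "192.0.2.10"))
```

Run against the second sample certificate, the strict checker rejects `192.0.2.10` because no iPAddress SAN is present, while the lenient variant accepts it through the dNSName entry; the first certificate is accepted by the strict checker and rejected by the lenient one, which is the mismatch the thread is discussing.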