curl-library

Re: Changed logic in verifyhost()

From: Erland Costyson <erland.costyson_at_gmail.com>
Date: Tue, 24 May 2016 11:24:50 +0200

On Tue, May 24, 2016 at 10:06 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:
> However, the following section does:
>
> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present
> in the certificate and must exactly match the IP in the URI.
>
> If you have A) a URL specified as an IP address, B) a subjectAltName in the
> cert but no match for any IPAddress, then it isn't a match. Only if you don't
> have a subjectAltName field at all should it check the Common Name field for
> a match:

Found the problem in the server cert: it has one subjectAltName, but
that is an email address!
So it shouldn't work according to the spec.

>
> Although the use of the Common Name is existing practice, it is deprecated
>
> (deprecated already in the spec from the year 2000)
>
> I guess that was a long way to say that I believe the current logic is spec
> compliant.
>
> You agree or disagree?

I agree that the new code works as intended.

Thanks for your support.

//Erland
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-05-24
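
The rule discussed in this thread, written out as an added example; it is not part of the original mail and is not curl's verifyhost() code. The struct layout, function name and sample certificates are constructed for illustration, and IP addresses are compared as text, whereas a real iPAddress entry holds binary octets.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the certificate fields the host check reads. */
enum san_type { SAN_EMAIL, SAN_DNS, SAN_IP };
struct san { enum san_type type; const char *value; };
struct cert {
  const struct san *sans;  /* subjectAltName entries; NULL if no extension */
  size_t nsans;
  const char *cn;          /* subject Common Name, may be NULL */
};

/* Returns 1 if the IP literal from the URL is accepted for this cert.
   Simplification: addresses are compared as text. */
int verify_ip_host(const struct cert *c, const char *ip)
{
  size_t i;
  if(c->nsans > 0) {
    /* A subjectAltName exists: only iPAddress entries count and the
       Common Name is never consulted, whatever it contains. */
    for(i = 0; i < c->nsans; i++)
      if(c->sans[i].type == SAN_IP && strcmp(c->sans[i].value, ip) == 0)
        return 1;
    return 0;
  }
  /* No subjectAltName at all: deprecated Common Name fallback. */
  return c->cn != NULL && strcmp(c->cn, ip) == 0;
}

/* Constructed sample certificates (documentation address 192.0.2.10). */
static const struct san email_only[] = { { SAN_EMAIL, "admin@example.com" } };
static const struct san email_and_ip[] = {
  { SAN_EMAIL, "admin@example.com" }, { SAN_IP, "192.0.2.10" } };
const struct cert cert_email_san = { email_only, 1, "192.0.2.10" };
const struct cert cert_ip_san = { email_and_ip, 2, "server" };
const struct cert cert_no_san = { NULL, 0, "192.0.2.10" };

int main(void)
{
  printf("email-only SAN, CN is the IP: %d\n",
         verify_ip_host(&cert_email_san, "192.0.2.10"));
  printf("SAN with iPAddress:           %d\n",
         verify_ip_host(&cert_ip_san, "192.0.2.10"));
  printf("no SAN, CN is the IP:         %d\n",
         verify_ip_host(&cert_no_san, "192.0.2.10"));
  return 0;
}
```

The first sample certificate mirrors the case reported in the mail: a subjectAltName that holds only an email address blocks the Common Name fallback, so the connection is rejected even though the CN equals the IP.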