moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2025-02-28 17:31:46 -05:00
Code Issues Releases Wiki Activity

Don't omit CN verification in DarwinSSL when an IP address is used.

Browse Source
This commit is contained in:
David Ryskalczyk 2014-02-23 10:35:30 -05:00
parent 0d9ddf91ca
commit afc6e5004f
1 changed files with 14 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
lib/vtls/curl_darwinssl.c
View File

@ -1323,20 +1323,26 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
} }
#endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */ #endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
/* If this is a domain name and not an IP address, then configure SNI. /* Configure hostname check. SNI is used if available.
* Both hostname check and SNI require SSLSetPeerDomainName().
* Also: the verifyhost setting influences SNI usage */ * Also: the verifyhost setting influences SNI usage */
/* If this is a domain name and not an IP address, then configure SNI: */ if(data->set.ssl.verifyhost) {
if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
#ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
#endif
data->set.ssl.verifyhost) {
err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name, err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name,
strlen(conn->host.name)); strlen(conn->host.name));
if(err != noErr) { if(err != noErr) {
infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d\n", infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d\n",
err); err);
} }
if((Curl_inet_pton(AF_INET, conn->host.name, &addr))
#ifdef ENABLE_IPV6
|| (Curl_inet_pton(AF_INET6, conn->host.name, &addr))
#endif
) {
infof(data, "WARNING: using IP address, SNI is being disabled by "
"the OS.\n");
}
} }
/* Disable cipher suites that ST supports but are not safe. These ciphers /* Disable cipher suites that ST supports but are not safe. These ciphers