Skip to content

Document that CURLOPT_SSL_VERIFYHOST applies to SSH #13767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
abbeyj opened this issue May 24, 2024 · 1 comment
Closed

Document that CURLOPT_SSL_VERIFYHOST applies to SSH #13767

abbeyj opened this issue May 24, 2024 · 1 comment
Labels
documentation libcurl API SCP/SFTP

Comments

@abbeyj
Copy link

abbeyj commented May 24, 2024

I did this

The documentation for CURLOPT_SSL_VERIFYHOST (https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html) says that it applies to TLS protocols. It speaks about certificates and what fields in the certificates are examined. It doesn't mention SSH or the sftp protocol at all.

Since c92d2e1 this setting is also used by SSH, at least when using the libssh backend. It is somewhat surprising that changing a CURLOPT_SSL_* setting could affect an sftp:// connection. I would have assumed that this setting could only impact SSL/TLS connections and that the settings that affected an SSH connection would all match CURLOPT_SSH_*.

The fact that this setting is used by SSH should be documented. The documentation should also describe exactly what this setting does for SSH. The existing documentation which refers to certificates is not adequate since the SSH verification code does not deal with certificates. The interaction with CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_HOST_PUBLIC_KEY_MD5, CURLOPT_SSH_KEYFUNCTION, etc. should probably also be described somewhere.

Alternatively, maybe this setting should not be used by the libssh backend. That would restore parity with the libssh2 backend. It would also fix the documentation for https://curl.se/libcurl/c/CURLOPT_SSH_KNOWNHOSTS.html which currently implies that not setting this option will not perform known host checking. I think that's true for the libssh2 backend, but not true for the libssh backend.

Possibly tangentially related: https://curl.se/libcurl/c/CURLOPT_SSH_KEYFUNCTION.html claims that "The callback is only called if CURLOPT_SSH_KNOWNHOSTS is also set." which I think is true for libssh2 but not true for libssh.

I expected the following

No response

curl/libcurl version

git HEAD

operating system

N/A
@bagder
Copy link
Member

bagder commented May 24, 2024

I consider this to be a bug in the libssh backend. The SSH backends should work the same and since libssh2 was first and does not do this, I don't think the libssh backend should either.

bagder added a commit that referenced this issue May 25, 2024
@bagder
libssh: remove CURLOPT_SSL_VERIFYHOST check
d58221d 
It was never meant for SSH: it should rely on the knownhosts file (if
set) in the same way libssh2 already does.

Reported-by: James Abbatiello
Fixes #13767
@bagder bagder mentioned this issue May 25, 2024
Closed
@bagder bagder closed this as completed in 4157ccb May 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation libcurl API SCP/SFTP
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

libssh: remove CURLOPT_SSL_VERIFYHOST check curl/curl
2 participants
@abbeyj @bagder