Schannel can't disable only CURLOPT_SSL_VERIFYPEER and still verify the host name #3284
Comments
As documented and as working in other TLS backends. Fixes #3284
As documented and as working in other TLS backends. Reported-by: Martin Galvan Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Fixes #3284 Closes #3285
I'll take a look but I thought it was already independent.

(Lines 536 to 541 in 1966771)
It fails with SEC_E_WRONG_PRINCIPAL when verifypeer is enabled, but succeeds when it's disabled. (I'm using https://cdn0.nflximg.net as test server). When verifypeer is disabled then manual verification is enabled, SCH_CRED_MANUAL_CRED_VALIDATION. What I think is happening is the manual verification disables the server name check even though we don't. Seems like they could have warned us of that in the doc.
Prior to this change if the user disabled the verify peer check then no host check was done. Empirical testing shows SCH_CRED_MANUAL_CRED_VALIDATION, which we use when peer verification is disabled, also disables hostname verification. In Windows < 8 our manual host verification check (ie the check used when CA info is specified, or peer verification is disabled, or WinCE is the OS) for schannel continues to only check the first subject alternate name, and not all the names, since there is no easy way supported by the API. It looks possible to do just more work, and should be addressed separately. Assisted-by: Daniel Stenberg Reported-by: Martin Galvan Fixes curl#3284 Closes curl#3285 Closes #xxxx
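The commit message above explains why curl has to do its own hostname check when SCH_CRED_MANUAL_CRED_VALIDATION is in use, and notes that the older manual check compared only the first subject alternative name. The following is an added illustration, not curl's code and not the Schannel API: a backend-independent matcher that walks every dNSName SAN of a certificate and compares each against the requested host. The wildcard rules (a single `*` as the whole left-most label, matching exactly one label, and never below a public-suffix-like two-label tail) are an assumption in the style of RFC 6125; the SAN list in `demo_check` is constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated strings; DNS names are
   compared without regard to case. */
static bool eq_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Match one dNSName pattern from a certificate against the requested host.
   Assumed rules (RFC 6125 style, not taken from curl):
   - exact case-insensitive match, or
   - pattern of the form "*.label.tld..." where '*' is the entire left-most
     label and matches exactly one host label; "*.com" is rejected. */
bool san_matches_host(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return false;
    if (eq_ci(pattern, host))
        return true;

    /* Only the "*.rest" wildcard form is accepted. */
    if (pattern[0] != '*' || pattern[1] != '.')
        return false;
    const char *rest = pattern + 1;            /* ".rest" */

    /* Require at least two labels after the wildcard (reject "*.com"). */
    const char *dot = strchr(rest + 1, '.');
    if (!dot || !dot[1])
        return false;

    /* The host must have a non-empty first label; the wildcard consumes
       exactly that one label and the remainder must match literally. */
    const char *hdot = strchr(host, '.');
    if (!hdot || hdot == host)
        return false;
    return eq_ci(hdot, rest);
}

/* Check every SAN, not only the first. Returns the index of the first
   matching entry or -1 when no SAN matches. */
int find_matching_san(const char *const *sans, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (san_matches_host(sans[i], host))
            return (int)i;
    return -1;
}

/* Constructed SAN list standing in for a parsed certificate; the host we
   want appears third, so a first-SAN-only check would wrongly fail it. */
int demo_check(const char *host)
{
    static const char *const sans[] = {
        "cdn.example.net",
        "*.example.org",
        "api.example.com",
    };
    return find_matching_san(sans, sizeof(sans) / sizeof(sans[0]), host);
}

int main(void)
{
    const char *hosts[] = { "api.example.com", "www.example.org",
                            "a.b.example.org", "example.org" };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-18s -> SAN index %d\n", hosts[i], demo_check(hosts[i]));
    return 0;
}
```

The point of `find_matching_san` is the loop: a check that stops at the first SAN rejects a valid certificate whose matching name is further down the list, which is exactly the limitation the commit message describes for the manual path on older Windows.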
@jay any idea on how to deal with this? Should we just close or can we document this somehow somewhere?
Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in curl#3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: https://github.com/curl/curl/blob/curl-7_86_0/docs/KNOWN_BUGS#L304-L308 Ref: curl#3285 Fixes curl#3284 Closes #xxxx
Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in #3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: #3285 Fixes #3284 Closes #10056
I did this
Martin Galvan reported on the mailing list:
I expected the following
If the TLS backend has the API for it, the options should be independent.
curl/libcurl version
current git master
operating system
Windows