Schannel can't disable only CURLOPT_SSL_VERIFYPEER and still verify the host name #3284
Assignees
Labels
Comments
bagder
changed the title
bagder
added a commit
that referenced
this issue
Nov 17, 2018
As documented and as working in other TLS backends. Fixes #3284
bagder
added a commit
that referenced
this issue
Nov 17, 2018
As documented and as working in other TLS backends. Reported-by: Martin Galvan Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Fixes #3284 Closes #3285
bagder
added a commit
that referenced
this issue
Nov 17, 2018
As documented and as working in other TLS backends. Reported-by: Martin Galvan Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Fixes #3284 Closes #3285
|
I'll take a look but I thought it was already independent. Lines 536 to 541 in 1966771 |
|
It fails with SEC_E_WRONG_PRINCIPAL when verifypeer is enabled, but succeeds when it's disabled. (I'm using https://cdn0.nflximg.net as test server). When verifypeer is disabled then manual verification is enabled SCH_CRED_MANUAL_CRED_VALIDATION. What I think is happening is the manual verification disables the server name check even though we don't. Seems like they could have warned us of that in the doc. |
jay
added a commit
to jay/curl
that referenced
this issue
Nov 19, 2018
Prior to this change if the user disabled the verify peer check then no host check was done. Empirical testing shows SCH_CRED_MANUAL_CRED_VALIDATION, which we use when peer verification is disabled, also disables hostname verification. In Windows < 8 our manual host verification check (ie the check used when CA info is specified, or peer verification is disabled, or WinCE is the OS) for schannel continues to only check the first subject alternate name, and not all the names, since there is no easy way supported by the API. It looks possible to do just more work, and should be addressed separately. Assisted-by: Daniel Stenberg Reported-by: Martin Galvan Fixes curl#3284 Closes curl#3285 Closes #xxxx
jay
added a commit
that referenced
this issue
Nov 25, 2018
Prior to this change if the user disabled the verify peer check then no host check was done. Empirical testing shows SCH_CRED_MANUAL_CRED_VALIDATION, which we use when peer verification is disabled, also disables hostname verification. In Windows < 8 our manual host verification check (ie the check used when CA info is specified, or peer verification is disabled, or WinCE is the OS) for schannel continues to only check the first subject alternate name, and not all the names, since there is no easy way supported by the API. It looks possible to do just more work, and should be addressed separately. Assisted-by: Daniel Stenberg Reported-by: Martin Galvan Fixes #3284 Closes #3285 Closes #xxxx
|
@jay any idea on how to deal with this? Should we just close or can we document this somehow somewhere? |
bagder
changed the title
jay
added a commit
to jay/curl
that referenced
this issue
Dec 8, 2022
Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in curl#3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: https://github.com/curl/curl/blob/curl-7_86_0/docs/KNOWN_BUGS#L304-L308 Ref: curl#3285 Fixes curl#3284 Closes #xxxx
jay
added a commit
to jay/curl
that referenced
this issue
Dec 9, 2022
Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in curl#3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: https://github.com/curl/curl/blob/curl-7_86_0/docs/KNOWN_BUGS#L304-L308 Ref: curl#3285 Fixes curl#3284 Closes #xxxx
jay
added a commit
to jay/curl
that referenced
this issue
Dec 9, 2022
Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in curl#3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: https://github.com/curl/curl/blob/curl-7_86_0/docs/KNOWN_BUGS#L304-L308 Ref: curl#3285 Fixes curl#3284 Closes #xxxx
jay
added a commit
to jay/curl
that referenced
this issue
Dec 9, 2022
Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in curl#3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: https://github.com/curl/curl/blob/curl-7_86_0/docs/KNOWN_BUGS#L304-L308 Ref: curl#3285 Fixes curl#3284 Closes #xxxx
jay
added a commit
to jay/curl
that referenced
this issue
Aug 8, 2023
Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in curl#3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: curl#3285 Fixes curl#3284 Closes #xxxx
jay
added a commit
to jay/curl
that referenced
this issue
Aug 10, 2023
Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in curl#3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: curl#3285 Fixes curl#3284 Closes #xxxx
jay
added a commit
that referenced
this issue
Aug 11, 2023
Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in #3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: #3285 Fixes #3284 Closes #10056
ptitSeb
pushed a commit
to wasix-org/curl
that referenced
this issue
Sep 25, 2023
Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in curl#3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: curl#3285 Fixes curl#3284 Closes curl#10056
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I did this
Martin Galvan reported on the mailing list:
I expected the following
If the TLS backend has the API for it, the options should be independent.
curl/libcurl version
current git master
operating system
Windows
The text was updated successfully, but these errors were encountered: